Received: by 10.192.165.156 with SMTP id m28csp719533imm;
        Fri, 13 Apr 2018 06:45:06 -0700 (PDT)
X-Google-Smtp-Source: AIpwx48hC2CAPDkT1KI7hsCE8td2M42pviZTew9DkngpKzShdFWPFac4toV17bfenb8mV7ll/OZY
X-Received: by 10.98.180.24 with SMTP id h24mr11610051pfn.213.1523627106875;
        Fri, 13 Apr 2018 06:45:06 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1523627106; cv=none;
        d=google.com; s=arc-20160816;
        b=ZU6GMUv9Sg7kCHr9It2GM5zJenWxs6O55vw/PH88JeyMKnX3hIcq/fu43bRBOcQefc
         QVCYMmwatN+dfiHe3ZJxDXRV+oOujLzhIGSi778OoSjl5q95AZ4JHJLWA+545PtRb058
         XyM7b/lWhtzTh/QGZpmfUVC4WcdEfgcByNi4nnokSzobjAEbijgIbX4VzpSMpCjv+KyU
         NLhZRT71RGrUzZQHVhu0Y/qAHcwTY7s70hPPws/JC9ZxbsYyqlnQQyJJ3imN98zSmD/u
         cOljDAMnDdoK5x7GrPYSVrRXY+kJainxbALimV3p6i8SW7rZD7jjwORm5Rmrw7YGHISh
         dX3A==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:user-agent:in-reply-to
         :content-disposition:mime-version:references:mail-followup-to
         :message-id:subject:cc:to:from:date:dkim-signature
         :arc-authentication-results;
        bh=ow0j43R8NZF7dcP71GgxWSBs2Lg1MC72IUSt6PGItzE=;
        b=LTYcxXm9vJOpjr4arMDJZDmrIdKxUBXJDZ8efWA5HAO8F3+U3+6mpv+GITqZjrPOII
         gmUAhveV8Oa305LaamPB8yTWRV6ey7WfbRjkFz1oJaDsuOlgROPg6O6NaS6fNTbMtNSA
         HXnQ4P7Fu+ew3fo/BM02y5WlaSOo3AQTo144kkTqj8b1AE/8ie2440KT8xkGZzYJKBm5
         J/AjI5qXTgwLbaYlbI4H3tm90Wv37KIN4vSfqx5hxm25civFlOZFZa8qhZyc0wV4K3cy
         U/p1dvOe5N6rrRdTfrUVtMNKT8o/Npnvhi9G0HEZ7bJFKGoGJNqlg5bK4W9afzLZVYYH
         xMjw==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=fail header.i=@thunk.org header.s=ef5046eb header.b=xQbFpuUR;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id l7si4099620pgu.518.2018.04.13.06.44.49;
        Fri, 13 Apr 2018 06:45:06 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=fail header.i=@thunk.org header.s=ef5046eb header.b=xQbFpuUR;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1753734AbeDMMxT (ORCPT <rfc822;patchstalker@gmail.com>
        + 99 others); Fri, 13 Apr 2018 08:53:19 -0400
Received: from imap.thunk.org ([74.207.234.97]:38528 "EHLO imap.thunk.org"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1750940AbeDMMxR (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Fri, 13 Apr 2018 08:53:17 -0400
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=thunk.org;
         s=ef5046eb; h=In-Reply-To:Content-Type:MIME-Version:References:Message-ID:
        Subject:Cc:To:From:Date:Sender:Reply-To:Content-Transfer-Encoding:Content-ID:
        Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc
        :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe:
        List-Post:List-Owner:List-Archive;
        bh=ow0j43R8NZF7dcP71GgxWSBs2Lg1MC72IUSt6PGItzE=; b=xQbFpuURAIlRba0t4ULWnGkw7V
        saFIMjO4E+VUbRoAXpxXG9Kv38k7s44UEdBYWx+42MSunGNgnS/vL3sEPK8ANH6q33gRnXuwJ2Cgi
        +NnXNAEyw8twItFxjBirZVpuDcts3rDgPVgydHnJMx6EXbeYxeZ9ivOfAjQEAOInzSZ4=;
Received: from root (helo=callcc.thunk.org)
        by imap.thunk.org with local-esmtp (Exim 4.89)
        (envelope-from <tytso@thunk.org>)
        id 1f6yCY-0003mA-H9; Fri, 13 Apr 2018 12:53:14 +0000
Received: by callcc.thunk.org (Postfix, from userid 15806)
        id 757287A2DDF; Fri, 13 Apr 2018 08:53:13 -0400 (EDT)
Date:   Fri, 13 Apr 2018 08:53:13 -0400
From:   "Theodore Y. Ts'o" <tytso@mit.edu>
To:     Stephan Mueller <smueller@chronox.de>
Cc:     linux-crypto@vger.kernel.org,
        Linux Kernel Developers List <linux-kernel@vger.kernel.org>,
        stable@kernel.org
Subject: Re: [PATCH 1/5] random: fix crng_ready() test
Message-ID: <20180413125313.GA2633@thunk.org>
Mail-Followup-To: "Theodore Y. Ts'o" <tytso@mit.edu>,
        Stephan Mueller <smueller@chronox.de>, linux-crypto@vger.kernel.org,
        Linux Kernel Developers List <linux-kernel@vger.kernel.org>,
        stable@kernel.org
References: <20180413013046.404-1-tytso@mit.edu>
 <1699469.KmO53oa8XU@tauon.chronox.de>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <1699469.KmO53oa8XU@tauon.chronox.de>
User-Agent: Mutt/1.9.4 (2018-02-28)
X-SA-Exim-Connect-IP: <locally generated>
X-SA-Exim-Mail-From: tytso@thunk.org
X-SA-Exim-Scanned: No (on imap.thunk.org); SAEximRunCond expanded to false
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Fri, Apr 13, 2018 at 07:38:30AM +0200, Stephan Mueller wrote:
> > The crng_init variable has three states:
> > 
> > 0: The CRNG is not initialized at all
> > 1: The CRNG has a small amount of entropy, hopefully good enough for
> >    early-boot, non-cryptographical use cases
> > 2: The CRNG is fully initialized and we are sure it is safe for
> >    cryptographic use cases.
> > 
> > The crng_ready() function should only return true once we are in the
> > last state.
> > 
> Do I see that correctly that getrandom(2) will now unblock after the 
> input_pool has obtained 128 bits of entropy? Similarly for 
> get_random_bytes_wait.

Correct.

> As this seems to be the only real use case for crng_ready (apart from 
> logging), what is the purpose of crng_init == 1?

Immediately after boot (crng_init state 0), we funnel the harvested
entropy from add_interrupt_entropy() directly to the CRNG pool.  The
goal is to get at least some amount of entropy into the CRNG is it's
not blatently predictable.  When we have accomplished this, by mixing
in 2 * CHACHA20_KEY_SIZE bytes of input from add_input_randomness, we
enter state crng_init state 1.

In crng_init state 1, we start funnelling the harvested entropy to the
input_pool.  Once we have accumulated 128 bits of entropy in the input
pool, we then reseed the CRNG from the input_pool, and we consider the
CRNG to be fully intialized.

During crng_init state 1, the CRNG is basically in a "good enough for
government work" state.  It's going to get used by things like initial
TCP sequence numbers, and UUID's by udev, et. al, but I wouldn't want
to use it for anything that has strong cryptographic use cases.

It would be preferable if nothing in the kernel and early systemd
startup used get_random_bytes() or /dev/urandom or getrandom(2) w/
GRND_NONBLOCK.  Unfortunately, (a) there is a lot of legacy code which
still uses /dev/urandom and not getrandom(2) and (b) in some cases,
such as initialization of the Stack Canary, the kernel simply can't
wait for the CRNG to be fully initialized.  Or if the kernel needs
enough of the networking stack to mount an NFS root file system, for
example.

This was always the original design intent, but I screwed up and no
one noticed until Jann reached out to be and said, "Hey.... this
doesn't seem to make much sense".

Regards,

					- Ted