Received: by 10.192.165.156 with SMTP id m28csp719533imm; Fri, 13 Apr 2018 06:45:06 -0700 (PDT) X-Google-Smtp-Source: AIpwx48hC2CAPDkT1KI7hsCE8td2M42pviZTew9DkngpKzShdFWPFac4toV17bfenb8mV7ll/OZY X-Received: by 10.98.180.24 with SMTP id h24mr11610051pfn.213.1523627106875; Fri, 13 Apr 2018 06:45:06 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1523627106; cv=none; d=google.com; s=arc-20160816; b=ZU6GMUv9Sg7kCHr9It2GM5zJenWxs6O55vw/PH88JeyMKnX3hIcq/fu43bRBOcQefc QVCYMmwatN+dfiHe3ZJxDXRV+oOujLzhIGSi778OoSjl5q95AZ4JHJLWA+545PtRb058 XyM7b/lWhtzTh/QGZpmfUVC4WcdEfgcByNi4nnokSzobjAEbijgIbX4VzpSMpCjv+KyU NLhZRT71RGrUzZQHVhu0Y/qAHcwTY7s70hPPws/JC9ZxbsYyqlnQQyJJ3imN98zSmD/u cOljDAMnDdoK5x7GrPYSVrRXY+kJainxbALimV3p6i8SW7rZD7jjwORm5Rmrw7YGHISh dX3A== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:mail-followup-to :message-id:subject:cc:to:from:date:dkim-signature :arc-authentication-results; bh=ow0j43R8NZF7dcP71GgxWSBs2Lg1MC72IUSt6PGItzE=; b=LTYcxXm9vJOpjr4arMDJZDmrIdKxUBXJDZ8efWA5HAO8F3+U3+6mpv+GITqZjrPOII gmUAhveV8Oa305LaamPB8yTWRV6ey7WfbRjkFz1oJaDsuOlgROPg6O6NaS6fNTbMtNSA HXnQ4P7Fu+ew3fo/BM02y5WlaSOo3AQTo144kkTqj8b1AE/8ie2440KT8xkGZzYJKBm5 J/AjI5qXTgwLbaYlbI4H3tm90Wv37KIN4vSfqx5hxm25civFlOZFZa8qhZyc0wV4K3cy U/p1dvOe5N6rrRdTfrUVtMNKT8o/Npnvhi9G0HEZ7bJFKGoGJNqlg5bK4W9afzLZVYYH xMjw== ARC-Authentication-Results: i=1; mx.google.com; dkim=fail header.i=@thunk.org header.s=ef5046eb header.b=xQbFpuUR; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id l7si4099620pgu.518.2018.04.13.06.44.49; Fri, 13 Apr 2018 06:45:06 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=fail header.i=@thunk.org header.s=ef5046eb header.b=xQbFpuUR; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753734AbeDMMxT (ORCPT + 99 others); Fri, 13 Apr 2018 08:53:19 -0400 Received: from imap.thunk.org ([74.207.234.97]:38528 "EHLO imap.thunk.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1750940AbeDMMxR (ORCPT ); Fri, 13 Apr 2018 08:53:17 -0400 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=thunk.org; s=ef5046eb; h=In-Reply-To:Content-Type:MIME-Version:References:Message-ID: Subject:Cc:To:From:Date:Sender:Reply-To:Content-Transfer-Encoding:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=ow0j43R8NZF7dcP71GgxWSBs2Lg1MC72IUSt6PGItzE=; b=xQbFpuURAIlRba0t4ULWnGkw7V saFIMjO4E+VUbRoAXpxXG9Kv38k7s44UEdBYWx+42MSunGNgnS/vL3sEPK8ANH6q33gRnXuwJ2Cgi +NnXNAEyw8twItFxjBirZVpuDcts3rDgPVgydHnJMx6EXbeYxeZ9ivOfAjQEAOInzSZ4=; Received: from root (helo=callcc.thunk.org) by imap.thunk.org with local-esmtp (Exim 4.89) (envelope-from ) id 1f6yCY-0003mA-H9; Fri, 13 Apr 2018 12:53:14 +0000 Received: by callcc.thunk.org (Postfix, from userid 15806) id 757287A2DDF; Fri, 13 Apr 2018 08:53:13 -0400 (EDT) Date: Fri, 13 Apr 2018 08:53:13 -0400 From: "Theodore Y. Ts'o" To: Stephan Mueller Cc: linux-crypto@vger.kernel.org, Linux Kernel Developers List , stable@kernel.org Subject: Re: [PATCH 1/5] random: fix crng_ready() test Message-ID: <20180413125313.GA2633@thunk.org> Mail-Followup-To: "Theodore Y. Ts'o" , Stephan Mueller , linux-crypto@vger.kernel.org, Linux Kernel Developers List , stable@kernel.org References: <20180413013046.404-1-tytso@mit.edu> <1699469.KmO53oa8XU@tauon.chronox.de> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <1699469.KmO53oa8XU@tauon.chronox.de> User-Agent: Mutt/1.9.4 (2018-02-28) X-SA-Exim-Connect-IP: X-SA-Exim-Mail-From: tytso@thunk.org X-SA-Exim-Scanned: No (on imap.thunk.org); SAEximRunCond expanded to false Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Fri, Apr 13, 2018 at 07:38:30AM +0200, Stephan Mueller wrote: > > The crng_init variable has three states: > > > > 0: The CRNG is not initialized at all > > 1: The CRNG has a small amount of entropy, hopefully good enough for > > early-boot, non-cryptographical use cases > > 2: The CRNG is fully initialized and we are sure it is safe for > > cryptographic use cases. > > > > The crng_ready() function should only return true once we are in the > > last state. > > > Do I see that correctly that getrandom(2) will now unblock after the > input_pool has obtained 128 bits of entropy? Similarly for > get_random_bytes_wait. Correct. > As this seems to be the only real use case for crng_ready (apart from > logging), what is the purpose of crng_init == 1? Immediately after boot (crng_init state 0), we funnel the harvested entropy from add_interrupt_entropy() directly to the CRNG pool. The goal is to get at least some amount of entropy into the CRNG is it's not blatently predictable. When we have accomplished this, by mixing in 2 * CHACHA20_KEY_SIZE bytes of input from add_input_randomness, we enter state crng_init state 1. In crng_init state 1, we start funnelling the harvested entropy to the input_pool. Once we have accumulated 128 bits of entropy in the input pool, we then reseed the CRNG from the input_pool, and we consider the CRNG to be fully intialized. During crng_init state 1, the CRNG is basically in a "good enough for government work" state. It's going to get used by things like initial TCP sequence numbers, and UUID's by udev, et. al, but I wouldn't want to use it for anything that has strong cryptographic use cases. It would be preferable if nothing in the kernel and early systemd startup used get_random_bytes() or /dev/urandom or getrandom(2) w/ GRND_NONBLOCK. Unfortunately, (a) there is a lot of legacy code which still uses /dev/urandom and not getrandom(2) and (b) in some cases, such as initialization of the Stack Canary, the kernel simply can't wait for the CRNG to be fully initialized. Or if the kernel needs enough of the networking stack to mount an NFS root file system, for example. This was always the original design intent, but I screwed up and no one noticed until Jann reached out to be and said, "Hey.... this doesn't seem to make much sense". Regards, - Ted