Received: by 10.192.165.156 with SMTP id m28csp178242imm; Tue, 17 Apr 2018 08:22:15 -0700 (PDT) X-Google-Smtp-Source: AIpwx48sKGlqWYOqf5KhVsp0yhAE++AKgM/XSs/OguQzvaoauLdntHrnp9qZ3W4vuACgYxfcYzjj X-Received: by 2002:a17:902:b2c8:: with SMTP id x8-v6mr2424107plw.83.1523978535636; Tue, 17 Apr 2018 08:22:15 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1523978535; cv=none; d=google.com; s=arc-20160816; b=lpXX2uEAAisdYj0V2qHzs1OJxzBl3hr3scNZhfNMMFk9m4xgLNALz8oV1hF8j6nTLF p2sGP2UXcGKibiQR+DjlpDCK9KMXGXhtBy6h7aXtb9JO6oI70M7crm55gcR7pEhKFlEy ulGxb2bLYRekFFLXkWurBpZFGeOQLkZsbtxartQE4liN/TU6lxjUYe3jP2jq8uYre9bx xNXhA38hsY21D7Qm1c0VFB1EjvpgwKJpre8RHW25KVnZocOVSVrrJTIQasIUsGnfpZlL kg1+e+HbU8hk2p4/6p86VN568I8UNxq52jGpKoHn5OPU+49nBFq6HlxbvUgv8lBfOMjw asUw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :references:in-reply-to:date:cc:to:from:subject:message-id :dkim-signature:arc-authentication-results; bh=/4eYqmpMqjelCqOXkl11o9Cpy7CITUS9EO7oN7plA+I=; b=M91M64YuISgNKwni6slurx75pe74JINjuPGZmw4zAeWmBIpeiWqZEjREaMIkZIdOA4 LTpFD0VsLaKwUNtGEfVQ6xNYgca+Nb/2RgCnASD/2rm0z0Q+SkrHow/JbiVpinEDgAgR 953BHeKSesgLqWap6R9joBY9q5+gpp/Yd+yvveHawxIUzPLgpQLr1q+4Iq+4w8FhYH28 pWBhkZ6HXCQo4bGcx7SPqnAMIqUeeAQt4LDuZhbZyNecWfnuOAFqwOgmKx7LbxwacFYS 3uwlJsAP4Kj5NIHoeg+QS+zXegJEcCpddBlxX0vjaK5B2D0MrSu8lzLSLeG71nu01c+T 3oiA== ARC-Authentication-Results: i=1; mx.google.com; dkim=fail header.i=@hansenpartnership.com header.s=20151216 header.b=J7euztRN; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=hansenpartnership.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id c2-v6si14476521pli.0.2018.04.17.08.22.00; Tue, 17 Apr 2018 08:22:15 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=fail header.i=@hansenpartnership.com header.s=20151216 header.b=J7euztRN; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=hansenpartnership.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752632AbeDQPUt (ORCPT + 99 others); Tue, 17 Apr 2018 11:20:49 -0400 Received: from bedivere.hansenpartnership.com ([66.63.167.143]:52674 "EHLO bedivere.hansenpartnership.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751836AbeDQPUs (ORCPT ); Tue, 17 Apr 2018 11:20:48 -0400 Received: from localhost (localhost [127.0.0.1]) by bedivere.hansenpartnership.com (Postfix) with ESMTP id 1444D8EE264; Tue, 17 Apr 2018 08:20:48 -0700 (PDT) Received: from bedivere.hansenpartnership.com ([127.0.0.1]) by localhost (bedivere.hansenpartnership.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ji2NbUCQazOg; Tue, 17 Apr 2018 08:20:47 -0700 (PDT) Received: from [10.1.129.202] (unknown [141.170.9.84]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by bedivere.hansenpartnership.com (Postfix) with ESMTPSA id 630B98EE0E2; Tue, 17 Apr 2018 08:20:46 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=hansenpartnership.com; s=20151216; t=1523978447; bh=ucfuSB+gN3vqIIeJh3rt0PiVkf0iaDuDS+uldSSoS9g=; h=Subject:From:To:Cc:Date:In-Reply-To:References:From; b=J7euztRNJ0/k/lNftzSQGvyTT03YiVC51FoSddMUCIIwdCzexiwDq2PUuAvzY1QTX HaPT2sODlAIEXV1VumR6oGSTfgRc8OH8/aW5SpJTept/eBcnsfx/KCKIEN34sFFGfO pRhAwl0gYQQOIQ+k0DD3EuCOOXWKBbuwa2Stbg/4= Message-ID: <1523978443.3310.3.camel@HansenPartnership.com> Subject: Re: repeatable boot randomness inside KVM guest From: James Bottomley To: Matthew Wilcox Cc: "Theodore Y. Ts'o" , Alexey Dobriyan , linux-kernel@vger.kernel.org, linux-mm@kvack.org Date: Tue, 17 Apr 2018 16:20:43 +0100 In-Reply-To: <20180417140722.GC21954@bombadil.infradead.org> References: <20180414195921.GA10437@avx2> <20180414224419.GA21830@thunk.org> <20180415004134.GB15294@bombadil.infradead.org> <1523956414.3250.5.camel@HansenPartnership.com> <20180417114728.GA21954@bombadil.infradead.org> <1523966232.3250.15.camel@HansenPartnership.com> <20180417140722.GC21954@bombadil.infradead.org> Content-Type: text/plain; charset="UTF-8" X-Mailer: Evolution 3.22.6 Mime-Version: 1.0 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, 2018-04-17 at 07:07 -0700, Matthew Wilcox wrote: > On Tue, Apr 17, 2018 at 12:57:12PM +0100, James Bottomley wrote: > > On Tue, 2018-04-17 at 04:47 -0700, Matthew Wilcox wrote: > > > On Tue, Apr 17, 2018 at 10:13:34AM +0100, James Bottomley wrote: > > > > On Sat, 2018-04-14 at 17:41 -0700, Matthew Wilcox wrote: > > > > > On Sat, Apr 14, 2018 at 06:44:19PM -0400, Theodore Y. Ts'o > > > > > wrote: > > > > > > What needs to happen is freelist should get randomized much > > > > > > later in the boot sequence.  Doing it later will require > > > > > > locking; I don't know enough about the slab/slub code to > > > > > > know whether the slab_mutex would be sufficient, or some > > > > > > other lock might need to be added. > > > > > > > > > > Could we have the bootloader pass in some initial randomness? > > > > > > > > Where would the bootloader get it from (securely) that the > > > > kernel can't? > > > > > > In this particular case, qemu is booting the kernel, so it can > > > apply to /dev/random for some entropy. > > > > Well, yes, but wouldn't qemu virtualize /dev/random anyway so the > > guest  kernel can get it from the HWRNG provided by qemu? > > The part of Ted's mail that I snipped explained that virtio-rng > relies on being able to kmalloc memory, so by definition it can't > provide entropy before kmalloc is initialised. That sounds fixable ... > > > I thought our model was that if somebody had compromised the > > > bootloader, all bets were off. > > > > You don't have to compromise the bootloader to influence this, you > > merely have to trick it into providing the random number you > > wanted.  The bigger you make the attack surface (the more inputs) > > the more likelihood of finding a trick that works. > > > > >   And also that we were free to mix in as many untrustworthy > > > bytes of alleged entropy into the random pool as we liked. > > > > No, entropy mixing ensures that all you do with bad entropy is > > degrade the quality, but if the quality degrades to zero (as it > > might at boot when you've no other entropy sources so you feed in > > 100% bad entropy), then the random sequences become predictable. > > I don't understand that.  If I estimate that I have 'k' bytes of > entropy in my pool, and then I mix in 'n' entirely predictable bytes, > I should still have k bytes of entropy in the pool.  If I withdraw k > bytes from the pool, then yes the future output from the pool may be > entirely predictable, but I have to know what those k bytes were. If that were true, why are we debating this? I thought the problem was the alleged random sequences for slub placement were repeating on subsequent VM boots meaning there's effectively no entropy in the pool and we need to add some. James