Received: by 10.192.165.156 with SMTP id m28csp303256imm; Tue, 17 Apr 2018 10:22:13 -0700 (PDT) X-Google-Smtp-Source: AIpwx4+A8GCDlan7DOqIxCdOEeRz8BUA6IBVBOVHVWbkKj5wnFMEqn0hZNOk2wxFJGlUwx7b3u7+ X-Received: by 2002:a17:902:529:: with SMTP id 38-v6mr2892328plf.64.1523985733435; Tue, 17 Apr 2018 10:22:13 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1523985733; cv=none; d=google.com; s=arc-20160816; b=qAvLewKHRom15sY0c93ViytU4v11/TwYVyP9TnqTys2HNoU9sOZSuQmo4PPBdcc2Gh aRapIoPvvPkZl584MT6jBEnDg7IAjFrCp2ya3AWnYqdVKDWk9BbdCLfymr5cSEWL7EMK cPJLShJtr7Y/+wZzIFqaUZpExQyrZvaq+P7lItIr3GBZRUubmYEdZpaiiCeH6Vw0np0H VLGUMlWg7gn2NGNp7EunPY0WCDoLzir+qE15jyw6CQfAwZHvKw5U5EFsaO+rV7oruFBK nLBCsuv9iORshugHMtjdjS43QMUv8td2cwMW2F6UCnPRv+Ft9AWG/0XOwyyesQEjmVA9 X3Gg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:mail-followup-to :message-id:subject:cc:to:from:date:dkim-signature :arc-authentication-results; bh=fuq0XDjE14fK1I4cBTKbNNIjE8EZLXkmaeUQ3PntCRE=; b=uFIMuoLH31uotg+HpNI0GmfU0VZgix4+Qntr2Txbvu7RpNcp66oIBjWsS2gPFAVu7h G3D99rl0sGvqIRIava3SIE7HVIpEJdsL5JewpPzqshaMfsBXQYNLR8QagDpe2nuP2DMH 9pRplNGEN2LOn1KUKgP1xSdOJxUho7r2UH/fHMbAMGyzfSQ8oG4stNDmtd9NIMaEDtSA HxrT3XmN9j53hPIKVwoMC18Em4a+VBt/OrYl3v43QPG7oJNc7KkYQOfK/0FQ0CfYqxif vaS1+z9AQzx2kHmPY7H8Yrv1vG/ZaDry1pnm9VJ/lLbBtmVw0N4SFZW2p/8a7l/2vkxd bYWg== ARC-Authentication-Results: i=1; mx.google.com; dkim=fail header.i=@thunk.org header.s=ef5046eb header.b=i3ayOoMB; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id y6si12676973pfe.248.2018.04.17.10.21.57; Tue, 17 Apr 2018 10:22:13 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=fail header.i=@thunk.org header.s=ef5046eb header.b=i3ayOoMB; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752560AbeDQPQ4 (ORCPT + 99 others); Tue, 17 Apr 2018 11:16:56 -0400 Received: from imap.thunk.org ([74.207.234.97]:51052 "EHLO imap.thunk.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751193AbeDQPQz (ORCPT ); Tue, 17 Apr 2018 11:16:55 -0400 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=thunk.org; s=ef5046eb; h=In-Reply-To:Content-Type:MIME-Version:References:Message-ID: Subject:Cc:To:From:Date:Sender:Reply-To:Content-Transfer-Encoding:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=fuq0XDjE14fK1I4cBTKbNNIjE8EZLXkmaeUQ3PntCRE=; b=i3ayOoMBb4mw/GFA7Bn3zf3+l4 DdCbUkT3UMIx9aq0YDULZKi2R+LCnCfDNd37CMNvOGBZ0Et1V1c9PEJYgxlNDcfU2YA/hlCS7M52J WgyFBYjEiEqyjihDXvrSMUgEecDKEh3zekMw1nxp6eL+MerfKQSPZu+WZgVwCCs1SDhk=; Received: from root (helo=callcc.thunk.org) by imap.thunk.org with local-esmtp (Exim 4.89) (envelope-from ) id 1f8SLk-0001jx-2d; Tue, 17 Apr 2018 15:16:52 +0000 Received: by callcc.thunk.org (Postfix, from userid 15806) id CA6D07A0236; Tue, 17 Apr 2018 11:16:50 -0400 (EDT) Date: Tue, 17 Apr 2018 11:16:50 -0400 From: "Theodore Y. Ts'o" To: James Bottomley Cc: Matthew Wilcox , Alexey Dobriyan , linux-kernel@vger.kernel.org, linux-mm@kvack.org Subject: Re: repeatable boot randomness inside KVM guest Message-ID: <20180417151650.GA16738@thunk.org> Mail-Followup-To: "Theodore Y. Ts'o" , James Bottomley , Matthew Wilcox , Alexey Dobriyan , linux-kernel@vger.kernel.org, linux-mm@kvack.org References: <20180414195921.GA10437@avx2> <20180414224419.GA21830@thunk.org> <20180415004134.GB15294@bombadil.infradead.org> <1523956414.3250.5.camel@HansenPartnership.com> <20180417114728.GA21954@bombadil.infradead.org> <1523966232.3250.15.camel@HansenPartnership.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <1523966232.3250.15.camel@HansenPartnership.com> User-Agent: Mutt/1.9.4 (2018-02-28) X-SA-Exim-Connect-IP: X-SA-Exim-Mail-From: tytso@thunk.org X-SA-Exim-Scanned: No (on imap.thunk.org); SAEximRunCond expanded to false Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, Apr 17, 2018 at 12:57:12PM +0100, James Bottomley wrote: > > You don't have to compromise the bootloader to influence this, you > merely have to trick it into providing the random number you wanted. > The bigger you make the attack surface (the more inputs) the more > likelihood of finding a trick that works. There is a large class of devices where the bootloader can be considered trusted. For example, all modern Chrome and Android devices have signed bootloaders by default. And if you are using an Amazon or Chrome VM, you are generally started it with a known, trusted boot image. The reason why it's useful to have the bootloader get the entropy is because it may device-specific access and be able to leverage whatever infrastructure was used to load the kernel and/or intialramfs to also load the equivalent of /var/lib/systemd/random-seed (or /var/lib/urandom, et. al) --- and do this early enough that we can have truely secure randomness for those kernel faciliteis that need access to real randomness to initialize the stack canary, or initializing the slab cache. There are other ways that this could be done, of course. If the UEFI boot services are still available, you might be able to ask the UEFI services to give you randomness. And yes, the hardware might be backdoored to the fare-the-well by the MSS (for devices manufactured in China) or by an NSA Tailored Access Operations intercepting a computer shipment in transit. But my vision was that this wouldn't necessarily bump the entropy accounting or mark the CRNG as fully intialized. (If you work for the NSA and you're sure you won't do an own-goal, you could enable a kernel boot option which marks the CRNG initialized from entropy coming from UEFI or RDRAND or a TPM. But I don't think it should be the default.) The only goal was to get enough uncertainty so we can secure early kernel users of entropy for security features such as kernel ASLR, the kernel stack canary, SLAB freelist randomization, etc. And by the way --- if you think it is easy / possible to get secure random numbers easily from either a TPMv1 or TPMv2 w/o any early boot services (e.g., no interrupts, no DMA, no page tables, no memory allocation) that would be really good to know. Cheers, > No, entropy mixing ensures that all you do with bad entropy is degrade > the quality, but if the quality degrades to zero (as it might at boot > when you've no other entropy sources so you feed in 100% bad entropy), > then the random sequences become predictable. Actually, if you have good entropy mixing, you can mix super-bad entropy --- e.g., completely known by the attacker, and it won't make the entropy pool any worse. It can only help. It does require that the entropy mixing algorithm should be reversible, so that mixing in even a fully known sequence will not cause uncertainty to be lost. The input_pool in the random driver is designed in such a way, which is why /dev/[u]random is world-writable. Anyone can contribute potential uncertainty into the pool. Regardless of whether they have zero, partial, or full knowledge of the internal random state, they won't have any more certainty of the pool after they mix in their contribution. And an attacker which does not know the contribution, and who might have partial knowledge of the pool, will less knowledge about the internal state afterwards. Cheers, - Ted