Received: by 10.192.165.148 with SMTP id m20csp3139320imm; Sun, 29 Apr 2018 15:09:47 -0700 (PDT) X-Google-Smtp-Source: AB8JxZogrdn/kTyhaEKECnM7BMub2WvfNh24zR/m0vgzDlOuOIiF8bTszC14c+qOJyUYzk+mIJ+X X-Received: by 2002:a17:902:7c0f:: with SMTP id x15-v6mr10112446pll.369.1525039787759; Sun, 29 Apr 2018 15:09:47 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1525039787; cv=none; d=google.com; s=arc-20160816; b=MX9FytpSL+17Hqpp7aoraMMDLBkgKJGwZSZ9DnpATcczB/1GSKQpDiFyw+xAjvBgVX Eovv2a36BWyaQSTN5uEl2jECW0OETWw0tumVvMNr23gZlrRTSTSJsUQ8xQCpXYDz+UDa WjBpzRx6pASMIB5TGohmRizULRqHMr0Hi6q0z7eIjJdwpelQt/d4szdECtQwbqAGo0Fp WlitUh+FvzVtYHKWGl6FXJSfAlLAv5gzq9eoEb6DJLZLDPpMhmk5CTV/uWkjQQ988w5T S9yY65s0pJ7ZDM3Ny/+C4N31ocdJfH0YLkStRUiNgCu8iqDBJK+rqKjFyKnQL4saRBXa /3UA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:mail-followup-to :message-id:subject:cc:to:from:date:dkim-signature :arc-authentication-results; bh=GgE0nTls8EDxDlnPswXI4pvNrOjg4koFcXkBFDEwbfU=; b=gEpFH/t34e9+uWzucIMpH8VhFqjHbYIYtQS3+Zc8E9lxddGqFhl1s/kT3eoSOUL1qG S6/ZMXGJ8+ow4UxV0aYkIxhaNPw7SGoLjkvWoWPHfDgag7iykbEityy65a1Zj8O97SOi EfQLFEEqDaiFGSY1sXc48zMFRhnwSF4RKRpN7WfJgwcmMOycDyS3j9ezKr4uI8hlq3kR ttLL6e2wkDkNOWsaP3HZxuxcBP18FU0TDHLyO0rb/7fL71niAM0uGC4o6WYrjMoLgSun 4VpvB80xv12xWsh4pUu4Pf99cCA6TJo+QCvJV0NiasZ8G6Hy/YCctq3Xg0pr1sIZBOZr y+Mw== ARC-Authentication-Results: i=1; mx.google.com; dkim=fail header.i=@thunk.org header.s=ef5046eb header.b=cYtX3meS; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id s6-v6si4012543pgp.152.2018.04.29.15.09.20; Sun, 29 Apr 2018 15:09:47 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=fail header.i=@thunk.org header.s=ef5046eb header.b=cYtX3meS; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1754455AbeD2WFY (ORCPT + 99 others); Sun, 29 Apr 2018 18:05:24 -0400 Received: from imap.thunk.org ([74.207.234.97]:43378 "EHLO imap.thunk.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1754338AbeD2WFX (ORCPT ); Sun, 29 Apr 2018 18:05:23 -0400 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=thunk.org; s=ef5046eb; h=In-Reply-To:Content-Type:MIME-Version:References:Message-ID: Subject:Cc:To:From:Date:Sender:Reply-To:Content-Transfer-Encoding:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=GgE0nTls8EDxDlnPswXI4pvNrOjg4koFcXkBFDEwbfU=; b=cYtX3meSVQiEOm9Mf33kJf+pQz Ey22EROwc3EcO7/mQqN/MYqdp1sA+g6INTqohEP43QRl7mVNg3r1BUjW7lzXfBC02mRuZ0Gj9DR45 bp/hlFFnknUHbfO7Cudv+y3cuYAoZjpuxvCGoB5P9B5biPJY7hHxui6fzjzLaaIhRiGc=; Received: from root (helo=callcc.thunk.org) by imap.thunk.org with local-esmtp (Exim 4.89) (envelope-from ) id 1fCuRc-0005U2-Gg; Sun, 29 Apr 2018 22:05:20 +0000 Received: by callcc.thunk.org (Postfix, from userid 15806) id A42FD7A0158; Sun, 29 Apr 2018 18:05:19 -0400 (EDT) Date: Sun, 29 Apr 2018 18:05:19 -0400 From: "Theodore Y. Ts'o" To: Sultan Alsawaf Cc: Pavel Machek , linux-kernel@vger.kernel.org, Jann Horn Subject: Re: Linux messages full of `random: get_random_u32 called from` Message-ID: <20180429220519.GQ5965@thunk.org> Mail-Followup-To: "Theodore Y. Ts'o" , Sultan Alsawaf , Pavel Machek , linux-kernel@vger.kernel.org, Jann Horn References: <20180426192524.GD5965@thunk.org> <2add15cb-2113-0504-a732-81255ea61bf5@gmail.com> <20180426235630.GG5965@thunk.org> <3eb5761e-7b25-4178-0560-fba5eb43ce6a@gmail.com> <20180427201036.GL5965@thunk.org> <20180429143205.GD13475@amd> <20180429170541.lrzwyihrd6d75rql@sultan-box> <20180429184101.GA31156@amd> <20180429202033.ysmc42mj2rrk3h7p@sultan-box> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20180429202033.ysmc42mj2rrk3h7p@sultan-box> User-Agent: Mutt/1.9.5 (2018-04-13) X-SA-Exim-Connect-IP: X-SA-Exim-Mail-From: tytso@thunk.org X-SA-Exim-Scanned: No (on imap.thunk.org); SAEximRunCond expanded to false Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Sun, Apr 29, 2018 at 01:20:33PM -0700, Sultan Alsawaf wrote: > On Sun, Apr 29, 2018 at 08:41:01PM +0200, Pavel Machek wrote: > > Umm. No. https://www.youtube.com/watch?v=xneBjc8z0DE > > Okay, but /dev/urandom isn't a solution to this problem because it isn't usable > until crng init is complete, so it suffers from the same init lag as > /dev/random. It's more accurate to say that using /dev/urandom is no worse than before (from a few years ago). There are, alas, plenty of distributions and user space application programmers that basically got lazy using /dev/urandom, and assumed that there would be plenty of entropy during early system startup. When they switched over the getrandom(2), the most egregious examples of this caused pain (and they got fixed), but due to a bug in drivers/char/random.c, if getrandom(2) was called after the entropy pool was "half initialized", it would not block, but proceed. Is that exploitable? Well, Jann and I didn't find an _obvious_ way to exploit the short coming, which is this wasn't treated like an emergency situation ala the embarassing situation we had five years ago[1]. [1] https://factorable.net/paper.html However, it was enough to make us be uncomfortable, which is why I pushed the changes that I did. At least on the devices we had at hand, using the distributions that we typically use, the impact seemed minimal. Unfortuantely, there is no way to know for sure without rolling out change and seeing who screams. In the ideal world, software would not require cryptographic randomness immediately after boot, before the user logs in. And ***really***, as in [1], softwaret should not be generating long-term public keys that are essential to the security of the box a few seconds immediately after the device is first unboxed and plugged in.i What would be useful is if people gave reports that listed exactly what laptop and distributions they are using. Just "a high spec x86 laptop" isn't terribly useful, because *my* brand-new Dell XPS 13 running Debian testing is working just fine. The year, model, make, and CPU type plus what distribution (and distro version number) you are running is useful, so I can assess how wide spread the unhappiness is going to be, and what mitigation steps make sense. What mitigations steps can be taken? If you believe in security-through-complexity (the cache architecture of x86 is *sooooo* complicated no one can understand it, so Jitterentropy / Haveged *must* be secure), or security-through-secrecy (the cache architecture of x86 is only avilable to internal architects inside Intel, so Jitterentropy / Haveged *must* be secure, never mind that the Intel CPU architects who were asked about it were "nervous"), then wiring up CONFIG_JITTERENTROPY or using haveged might be one approach. If you believe that Intel hasn't backdoored RDRAND, then installing rng-tools and running rngd with --enable-drng will enable RDRAND. That seems to be popular with various defense contractors, perhaps on the assumption that if it _was_ backdoored (no one knows for sure), it was probably with the connivance or request of the US government, who doesn't need to worry about spying on itself. Or you can use some kind of open hardware design RNG, such as ChoasKey[2] from Altus Metrum. But that requires using specially ordered hardware plugged into a USB slot, and it's probably not a mass solution. [2] https://altusmetrum.org/ChaosKey/ Personally, I prefer fixing the software to simply not require cryptographic grade entropy before the user has logged in. Because it's better than the alternatives. - Ted