Received: by 10.192.165.148 with SMTP id m20csp3218980imm; Sun, 29 Apr 2018 17:22:49 -0700 (PDT) X-Google-Smtp-Source: AB8JxZpQ8eRfRWUJ7tIx6bPIrnSDW46RuWRZvABhNl7ENsy+7t3CN7bgKQi4nF6qVfwCMR3CTU+7 X-Received: by 2002:a17:902:20eb:: with SMTP id v40-v6mr10439018plg.277.1525047769771; Sun, 29 Apr 2018 17:22:49 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1525047769; cv=none; d=google.com; s=arc-20160816; b=Z44zymhkOgSVyYPHMuPFjBanOS6XIb14Nldv73LtKuJZfJcnVhmFgrLKo8BY7G4zKY BgmVhRJ+Gx2cy2FPWMWLr0JgjBgtH6X82vIsn/UbGdI7GLZ7ysf+5lE0mOArsVrdMfMO Y069z6le2dah7OLGteatPXFXvAUWRZSMWXUuyHOjTueTQfLL6J0Zewefu1p38zTxdL6z r7YIpPmkrrGJ1FUBF595M7dAakojroA0+TvtC6np+GPktgKr6lic433/k1BqXMN/KPjc QoFTbZJFESqkX8tC79Wpl1rrxUdarY1mF3JgzJ/eH+ygtgMxHcncus+kqFYmkygkzs9B aBrw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:mail-followup-to :message-id:subject:to:from:date:dkim-signature :arc-authentication-results; bh=Z2Fe4nfRC09slj3ZzpQrsNN5a+D5NFEkwrODPacWFG0=; b=vW3CY2h298WDmfeJ2nvxmNfNCTlOwdTVHJveKGhvWcgn743p3rG7wB14/8NC/qOeRc I54bF0a9S137XtSyGJQKFXRpNTTmKL/GA90gVRgdh/VM6jCQuUAFP/tBiCc0QEOAViXn m25/4QsrwRt06tWIXYobIJdJzZDFSGLXH/MvxULnnh3brxwcr25dnzxZRsJfKGMW6uXD KGhMR9r1Jc+WaYJBlX+FrvT90vsK6KDwu/g8LNYiE0qFRQqGckBKpc4InfOtH9AJp+FZ E0+k+QpwklyS7mAw/3xps+BNj4/asMgUlC7MZUNV06uA8676KLy0PsgB9uT+yPcPU+VS ZwGw== ARC-Authentication-Results: i=1; mx.google.com; dkim=fail header.i=@thunk.org header.s=ef5046eb header.b=SBM9TgeJ; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id r22-v6si6522002pls.591.2018.04.29.17.22.34; Sun, 29 Apr 2018 17:22:49 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=fail header.i=@thunk.org header.s=ef5046eb header.b=SBM9TgeJ; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1754519AbeD3AVJ (ORCPT + 99 others); Sun, 29 Apr 2018 20:21:09 -0400 Received: from imap.thunk.org ([74.207.234.97]:43552 "EHLO imap.thunk.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1754359AbeD3AVI (ORCPT ); Sun, 29 Apr 2018 20:21:08 -0400 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=thunk.org; s=ef5046eb; h=In-Reply-To:Content-Type:MIME-Version:References:Message-ID: Subject:To:From:Date:Sender:Reply-To:Cc:Content-Transfer-Encoding:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=Z2Fe4nfRC09slj3ZzpQrsNN5a+D5NFEkwrODPacWFG0=; b=SBM9TgeJv6mjkNo6IBsdy42ai5 Zg9cwLa1a0hJlRMy3PgqnCVeoZaQM+ZYYN+L9wEjnjA7aBjYZdpPadvBuG1l0Sjq5qNUUv2VZc+o1 ubL97IjucVBWWIpz8gAiTLgZuwo+smC5iM4jz9JNeODWvyqNvoli1Z871tAOtbCiqytQ=; Received: from root (helo=callcc.thunk.org) by imap.thunk.org with local-esmtp (Exim 4.89) (envelope-from ) id 1fCwYx-0006Kz-UX; Mon, 30 Apr 2018 00:21:04 +0000 Received: by callcc.thunk.org (Postfix, from userid 15806) id 230247A0158; Sun, 29 Apr 2018 20:21:03 -0400 (EDT) Date: Sun, 29 Apr 2018 20:21:03 -0400 From: "Theodore Y. Ts'o" To: Dave Jones , Paul Menzel , linux-kernel@vger.kernel.org Subject: Re: Linux messages full of `random: get_random_u32 called from` Message-ID: <20180430002102.GT5965@thunk.org> Mail-Followup-To: "Theodore Y. Ts'o" , Dave Jones , Paul Menzel , linux-kernel@vger.kernel.org References: <42c1b84b-ab1f-5577-6304-e0985a637cf9@molgen.mpg.de> <20180424135621.GD4189@thunk.org> <20180429230202.rcsjtnp2jhbqyag2@codemonkey.org.uk> <20180429230728.whjg3fpeunxuvkyn@codemonkey.org.uk> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20180429230728.whjg3fpeunxuvkyn@codemonkey.org.uk> User-Agent: Mutt/1.9.5 (2018-04-13) X-SA-Exim-Connect-IP: X-SA-Exim-Mail-From: tytso@thunk.org X-SA-Exim-Scanned: No (on imap.thunk.org); SAEximRunCond expanded to false Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Sun, Apr 29, 2018 at 07:07:29PM -0400, Dave Jones wrote: > > Why do we continue to print this stuff out when crng_init=1 though ? > > answering my own question, I think.. This is a tristate, and we need it > to be >1 to be quiet, which doesn't happen until.. > > > [ 165.806247] random: crng init done > > this point. Right. What happens is that we divert the first 64 bits of entropy credits directly into the crng state, without initializing the input_pool. So when we hit crng_init=1, the crng has only 64 bits of entropy (conservatively speaking); furthermore, since we aren't doing catastrophic reseeding, if something is continuously reading from /dev/urandom or get_random_bytes() during that time, then the attacker could be able to detremine which one of the 32 states the entropy pool was when the entropy count was 5, and then 5 bits later, poll the output of the pool again, and guess which of the 32 states the pool was in, etc., and effectively keep up with the entropy as it trickles in. This is the reasoning behind catastrophic reseeding; we wait until we have 128 bits of entropy in the input pool, and then we reseed the pool all at once. Why do we have the crng_init=1 state? Because it provides some basic protection for super-early users of the entropy pool. It's essentially a bandaid, and we could improve the time to get to fully initialize by about 33% if we left the pool totally unititalized and only focused on filling the input pool. But given that on many distributions, ssh still insists on initializing long-term public keys at first boot from /dev/urandom, instead of *waiting* until the first time someone attempts to ssh into box, or waiting until getrandom(2) doesn't block --- without hanging the boot --- we have the crng_init=1 hack essentially as a palliative. I view this as working around broken user space. But userspace has been broken for a long time, and users tend to blame the kernel, not userspace.... - Ted