Received: by 2002:ac0:a594:0:0:0:0:0 with SMTP id m20-v6csp3540867imm; Sun, 13 May 2018 13:57:37 -0700 (PDT) X-Google-Smtp-Source: AB8JxZq6ShCtyIFRs/Y2bfeZKQGrWfHvS/31U2I6NZjrUPPAxSjKDZzI4dn/phWbpQMnS5yJcgcw X-Received: by 2002:a17:902:b78a:: with SMTP id e10-v6mr7175762pls.260.1526245057733; Sun, 13 May 2018 13:57:37 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1526245057; cv=none; d=google.com; s=arc-20160816; b=rshP6PS2vr793x0jPKDt/JgXgpMjAFgf8WHIHAaA4f4DlVuY4sQ/E5CfNVl6+U9pMA yax3MfHyS8HzwIup6zszkSWXrw3rwNEVm6UNMgzKnP/Xkb5Wmmr2EvuqtjQ19qWxDlFt QRsF4kQl6gjMxMWUBEwLdRs9Y+hoE3KFRQgzVrIavdTFie7Htuv4+PW0acRe+sgU0ioc FZPQeXAAsPcx4fxTUHNKbvuGo8fyUJ6pydcpiKD44bWzcY9ZOEJbRzmDcvxjs5ZIbFGV P4Ky7TE4D2P0DdswK14nwaAILhnInciDdRksnnobYqyjP5P3ss8UtV0ZD14Rd6mj2wxA gEpw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date:arc-authentication-results; bh=ZiPLAwMtX8Xd5GMEeGTeBIfTNp0jIR13EZ4iN3BffRs=; b=D+OVFFZ294rdU0n+/L7bIZAImXIoGeDKZ3kdADAxC4RROl36hUa3NVa9DRXr6ZE5Q8 yVCG0MItXPGs1omh+tsX0INw2HeMCL/3PM6x7MEMojt4AwLBI3po9lAO6Gnjgn0YEyci xNOzut+YNHwMrgq7ARLMZFMQCd3M/y6AwGGAiNv4NQjsNWCF+k51EakkVK74wRrYFvwz cnopgPxt/9a78V/wZr9QNTsCz9KziY7F/slnYBuZ+W9JDlDft+0E1fI5cIxD4xaSEDTq 8DNUoJnDPOBqgJ0QiRgE62RafTux/FtLWQw3aY9CxRFyFoscW6qMSwBkHZWo+7T+zUx5 rs1A== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id d123-v6si6389920pgc.445.2018.05.13.13.57.22; Sun, 13 May 2018 13:57:37 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751882AbeEMU5M (ORCPT + 99 others); Sun, 13 May 2018 16:57:12 -0400 Received: from mail.stustanet.de ([141.84.69.5]:58241 "EHLO mail.stusta.mhn.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751362AbeEMU5L (ORCPT ); Sun, 13 May 2018 16:57:11 -0400 X-Greylist: delayed 519 seconds by postgrey-1.27 at vger.kernel.org; Sun, 13 May 2018 16:57:11 EDT Received: from [127.0.0.1] (localhost [127.0.0.1]) by mail.stusta.mhn.de (Postfix) with ESMTPSA id 40kbWx0sMWz1G0; Sun, 13 May 2018 22:48:28 +0200 (CEST) Date: Sun, 13 May 2018 23:48:28 +0300 From: Adrian Bunk To: Ben Hutchings Cc: Debian release team , Debian kernel maintainers , krb5@packages.debian.org, libbsd@packages.debian.org, systemd@packages.debian.org, Michael Kerrisk , Theodore Ts'o , linux-kernel@vger.kernel.org Subject: Re: Fixing Linux getrandom() in stable Message-ID: <20180513204828.GI10643@localhost> References: <75577b3d2efd01aaf563f1a1400a2c655556b258.camel@decadent.org.uk> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline In-Reply-To: <75577b3d2efd01aaf563f1a1400a2c655556b258.camel@decadent.org.uk> User-Agent: Mutt/1.9.3 (2018-01-21) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, May 09, 2018 at 11:46:00PM +0100, Ben Hutchings wrote: >... > # Security flaw and initial fix > > Recently it was discovered that getrandom() could return successfully > before the RNG was really ready to produce unpredictable data. This > issue was designated as CVE-2018-1108, and was fixed in Linux 4.17-rc2 > and various stable updates. > > We fixed CVE-2018-1108 with an update to stretch last week > (DSA-4188-1). The kernel versions in wheezy and jessie do not provide > getrandom(). > > # Regression > > The version of glibc in stretch does not provide access to getrandom(), > but some packages in stable use syscall() to call it anyway, including: > > * krb5: k5_get_os_entropy() > * libbsd: arc4_random_buf(). This is used by many other packages > including libICE, and so indirectly by gnome-session. > > Following DSA-4188-1, it turned out that the RNG did not become ready > on some systems until several minutes after boot, causing severe > regressions for GNOME/gdm (#897631, #897632) and Kerberos (#897599, > #897917). We therefore reverted the fix in yesterday's update > (DSA-4196-1). > > # Options for a new fix > > It is unlikely that any further fix will be forthcoming on the kernel > side, so I believe that we need to do one of: > > 1. Add entropy to the kernel during boot; either: > a. Improve systemd-random-seed > b. Recommend use of haveged I don't see any solution above that both always works and never results in new CVEs. As an example, what happens if I debootstrap and deploy the resulting filesytem to a large number of identical embedded systems without entropy sources? As far as I can see, any solution above would either give me boot hangs or might result in nasty security issues due to the same (known) entropy being fed to /dev/random on many machines. Similar problems for cases like live CDs and installers. > 2. For each affected userland package, either: > a. Revert to using /dev/urandom I wonder whether the current issue is just the tip of the iceberg, and usage of /dev/urandom is a gazillion CVEs waiting to be reported. In that case the CVE-2018-1108 fix only revealed a long existing vulnerability in some packages that already switched to getrandom(). /dev/urandom is documented in a very misleading way, quoting random(4): When read during early boot time, /dev/urandom may return data prior to the entropy pool being initialized. If this is of concern in your application, use getrandom(2) or /dev/random instead. What is the worst case for "early boot time" here? "always"? Due to the gdm bugs mentioned above we know that there are real-life situations where gdm currently uses "random" data that might be predictable. grep tells me: daemon/gdm-x-session.c: auth_entry.data = gdm_generate_random_bytes (auth_entry.data_length, &error); daemon/gdm-display-access-file.c: *cookie = gdm_generate_random_bytes (GDM_DISPLAY_ACCESS_COOKIE_SIZE, Repeat the same for every package that uses /dev/urandom. > b. Tolerate a longer wait for getrandom() to return I suspect there might be no guaranteed upper bound for the waiting time. >... > The libbsd maintainer (Guillem Jover) favours option 2a. > > One of the krb5 maintainers (Benjamin Kaduk) favours option 2b, and > also proposed that systemd could provide a wait-for-rng-ready unit to > support this. I don't see any general solution that is both correct and easy. The proper way forward might be to deprecate /dev/urandom and add a third option GRND_UNSAFE_RANDOM to getrandom() that is documented to never block but might return predictable data in some cases. It would then be up to the application to decide whether predictable data is acceptable, and what to do in entropy-starved situations. Regarding the suggested wait-for-rng-ready systemd unit for others to wait on, this only makes sense for cases where "do not start at all" is the best handling for a "no entropy" situation. > Ben. cu Adrian -- "Is there not promise of rain?" Ling Tan asked suddenly out of the darkness. There had been need of rain for many days. "Only a promise," Lao Er said. Pearl S. Buck - Dragon Seed