Received: by 2002:ac0:a594:0:0:0:0:0 with SMTP id m20-v6csp3569480imm; Sun, 13 May 2018 14:46:51 -0700 (PDT) X-Google-Smtp-Source: AB8JxZr18ZvlCiLRK5/2erMuBUXqah4Gp59ivq5XiolpIv48AoY2BRE4ZwgIMeiO58ogX1mvyivD X-Received: by 2002:a62:1fc8:: with SMTP id l69-v6mr7737816pfj.49.1526248011071; Sun, 13 May 2018 14:46:51 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1526248011; cv=none; d=google.com; s=arc-20160816; b=XfNUiXRxqrNKLG3WeYOx6DKHkKDi4TBH7L6mBjA7ukEmm82NHChPonXNu0Fk4Q2U6Q XNOaH94tbDM0AvtPteR6R3IAPB73q/4Xyj+9czsmhAlOC/UvuLjBW0MlxEpxpSb6SOen 9I9wmaBRTKgZqD+wRrPhUkEJUagnIXmDIN0t3NhMqewY8GFBpuduhnjqW4Bd7YSpOGmA H9JToiOa85hWLl/O0YnTTapynvi/f0Km484zk8mKk9+7ZKqqXpba+NsUCv9fLWsANlUZ 29hDnqixv5T4/FeMuh6pis1Ri6Ne/XEsm3fFRE1xU+oJP3bXupQLLljL1D1EiNVeA2uh 2kgw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :content-language:references:message-id:in-reply-to:subject:cc:to :from:date:arc-authentication-results; bh=z+DwSq19yxN+zNsqnuutd4jb6J5XlgHazENPFThQQ1M=; b=Ybw2xFvZgS7Ug8C6r89YZPamfiCytdjOakRFC13KVA12f9tk9RgymXmb16yo/Jx0Ys 9WdO+oNOEISMlbJRzKwYvgylouz6cmFap2pgDEzgtizWjCmsFcpHWDo4IPO4DCCZiy48 zmpiecHt6QcRWKYYgiquPZc3srQ9bSYVjl/7t+o77Sw7031QJOkiqZDr1CSpks4oRz4y +H/XKqwZx/YHtyYL0Vo48cnHEAvaMbLa5wezSDpxf+b4ncqn53QjDmWYqBVJq+yiSRFW VUEjzoVnZ96OwNFQtaphrjz9plwYYjgMVYTdc9h/QLd6qwr1ZUy5lOvw8DwqpR0NGRSi n2zg== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id x30-v6si645186pge.264.2018.05.13.14.46.34; Sun, 13 May 2018 14:46:51 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751901AbeEMVqY convert rfc822-to-8bit (ORCPT + 99 others); Sun, 13 May 2018 17:46:24 -0400 Received: from static-87-79-237-121.netcologne.de ([87.79.237.121]:14806 "EHLO herc.mirbsd.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751099AbeEMVqX (ORCPT ); Sun, 13 May 2018 17:46:23 -0400 X-Greylist: delayed 727 seconds by postgrey-1.27 at vger.kernel.org; Sun, 13 May 2018 17:46:22 EDT Received: from herc.mirbsd.org (tg@herc.mirbsd.org [192.168.0.82]) by herc.mirbsd.org (8.14.9/8.14.5) with ESMTP id w4DLNeOW019680 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Sun, 13 May 2018 21:23:42 GMT Date: Sun, 13 May 2018 21:23:39 +0000 (UTC) From: Thorsten Glaser X-X-Sender: tg@herc.mirbsd.org To: Adrian Bunk cc: Ben Hutchings , Debian release team , Debian kernel maintainers , krb5@packages.debian.org, libbsd@packages.debian.org, systemd@packages.debian.org, Michael Kerrisk , "Theodore Ts'o" , linux-kernel@vger.kernel.org Subject: Re: Fixing Linux getrandom() in stable In-Reply-To: <20180513204828.GI10643@localhost> Message-ID: References: <75577b3d2efd01aaf563f1a1400a2c655556b258.camel@decadent.org.uk> <20180513204828.GI10643@localhost> Content-Language: de-DE-1901, en-GB X-Message-Flag: Your mailer is broken. Get an update at http://www.washington.edu/pine/getpine/pcpine.html for free. MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=utf-8 Content-Transfer-Encoding: 8BIT Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Adrian Bunk dixit: >As an example, what happens if I debootstrap and deploy the resulting >filesytem to a large number of identical embedded systems without >entropy sources? Just get into a habit of not doing so, for example by modifying the image during each writing process. Having the bootloader inject entropy into the kernel would of course help (something OpenBSD actually did, which I’d dreamt of only until). Reuse is only problematic then if the system actually booted, i.e. an early userspace thing reading and immediately writing to a file will stave off the remaining issues. >As far as I can see, any solution above would either give me boot hangs >or might result in nasty security issues due to the same (known) entropy >being fed to /dev/random on many machines. > >Similar problems for cases like live CDs and installers. And CPUs, and architectures, without usable boot entropy. For the “CD image” case, though, adding stuff like the MAC addresses of the onboard NICs and the current time would at least shuffle the existing (albeit known) entropy around enough for it to begin to differ. A web service for getting random bits sounds like an idea, until you get to the privacy implications of that (as well as reliability). But if it’s inhouse, it’s doable. >I wonder whether the current issue is just the tip of the iceberg, >and usage of /dev/urandom is a gazillion CVEs waiting to be reported. Did you see the fallback code for Linux in OpenBSD’s code for libbsd? It’s… like trying to find randomly-looking things on an 1990s Unix. This is best fixed in the kernel and earlier, plus an extra read/write in early userspace. Of course, embedding some entropy into the kernel image itself will make the reproducible-builds people entirely unhappy… (this one *is* implemented in MirBSD, complete with a tool to update it). >Due to the gdm bugs mentioned above we know that there are real-life >situations where gdm currently uses "random" data that might be >predictable. The question is which uses actually need entropy estimated good enough? >> b. Tolerate a longer wait for getrandom() to return > >I suspect there might be no guaranteed upper bound for the waiting time. On a discless system with no hardware sources (possibly no network) and no keyboard interaction? Infinite. Of course, if early userspace could reliably update a file, then the file’s content could be estimated as good enough and be credited to the RNG, at least for non-identical/readonly-/shared-media systems. >never block but might return predictable data in some cases. “What level of predictability?” >It would then be up to the application to decide whether predictable >data is acceptable, and what to do in entropy-starved situations. I guess most application authors have no answer for you here. It’s also no solution for the arc4random API… seems like a cultural clash (BSD expectations vs. what Linux can actually deliver). bye, //mirabilos -- “Having a smoking section in a restaurant is like having a peeing section in a swimming pool.” -- Edward Burr