Received: by 2002:ac0:a594:0:0:0:0:0 with SMTP id m20-v6csp3666241imm; Sun, 13 May 2018 17:32:20 -0700 (PDT) X-Google-Smtp-Source: AB8JxZrhBA/vRQ0+N6THVGpJbeOuN2wjX3oGWsjap1bUt65IkVxobIGOwZjFcq+VSjML+ay8Tg5l X-Received: by 2002:a65:53ca:: with SMTP id z10-v6mr4384391pgr.413.1526257940505; Sun, 13 May 2018 17:32:20 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1526257940; cv=none; d=google.com; s=arc-20160816; b=qolDoUIPITFC3JzkOWruAqK30lOcpAKOcW3Yc8bMk7b83eY25OTJ1KQNT6I8kWchdz +4HVozdtIg0e2Lu7zEHJ6VVeD4qcMPM0B9ryFKaSSsPM+PyZS0X/CitwA2x9eundUHBi qV+RNCKki4EuVkiw86qklsZIZE1Phbhk4EtkLMCn5a32yC/USl4EyuTdRizPPED9UHS0 bD+iBYBmm+QfqFODD1+JKQQE3OmfZ95OBDv5am0GKUrN+KGuYKVhucFNlTrBS7AZcm8c wbAaO4MBRRdDzko9C9sqLZQlggiIDs5IuWLvReixxEvyhpGpbR0i72ecebnp1geLDVu1 +6gQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-transfer-encoding:content-disposition:mime-version :references:mail-followup-to:message-id:subject:cc:to:from:date :dkim-signature:arc-authentication-results; bh=xHTgUyv6Pu2eZx8fptUvUGwhXPiWotO1mqjtuPe5pFQ=; b=v8WBGfIHhGZ6+qSF6H3fCyfFXdaBsRCDOdIbJQDDcnk1i3inL0U54ApZH5Z8/N38cW p0eenYFND0Yf4elRQGzKxI8N8JX0Wk1sJMPJ3O3Fp3+YAkW8/UWdE4RWEDjMPKspOZT4 BO/QiQ7xgqPHY+rV/rT8rO5qM2TNjb+lgxWeWF48KP81M9WUYjXnS5OtYv6oQZFoW/CI QL1MgPd52ioMVO4NDQ3brU480WDi0asmA4CUy2qwjQmChsf2uoeGQdmbHfcbe5r6fBAf Aea3OpeUUMdheta7Ik2rVse/BJViTVh7JZJy1PxTcZA16Xmmf4bZ/n6nEERwbneZoMQb agow== ARC-Authentication-Results: i=1; mx.google.com; dkim=fail header.i=@thunk.org header.s=ef5046eb header.b=fV8Pfrzp; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id n29-v6si6553524pgc.4.2018.05.13.17.32.05; Sun, 13 May 2018 17:32:20 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=fail header.i=@thunk.org header.s=ef5046eb header.b=fV8Pfrzp; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751884AbeENAbz (ORCPT + 99 others); Sun, 13 May 2018 20:31:55 -0400 Received: from imap.thunk.org ([74.207.234.97]:48654 "EHLO imap.thunk.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751037AbeENAbx (ORCPT ); Sun, 13 May 2018 20:31:53 -0400 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=thunk.org; s=ef5046eb; h=In-Reply-To:Content-Transfer-Encoding:Content-Type: MIME-Version:References:Message-ID:Subject:Cc:To:From:Date:Sender:Reply-To: Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender: Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=xHTgUyv6Pu2eZx8fptUvUGwhXPiWotO1mqjtuPe5pFQ=; b=fV8PfrzpnisT9H606cd1K3OYJ5 DHcMSzmahjYLFlGyExIU0qBZN1gk5jAJSNwMNXDgxGL8Q9EX7uP+4XiYjLT0eC9qAfV5FpJec67BA rl+1ehKAe60cOUQE246V5uD5OaP5PMZ7QqCmocHZdeKxfRuCui2w4p+sBUDE8t2VMqkY=; Received: from root (helo=callcc.thunk.org) by imap.thunk.org with local-esmtp (Exim 4.89) (envelope-from ) id 1fI1Nr-0005rm-Bh; Mon, 14 May 2018 00:30:35 +0000 Received: by callcc.thunk.org (Postfix, from userid 15806) id 447B27A5987; Sun, 13 May 2018 20:30:34 -0400 (EDT) Date: Sun, 13 May 2018 20:30:34 -0400 From: "Theodore Y. Ts'o" To: Thorsten Glaser Cc: Adrian Bunk , Ben Hutchings , Debian release team , Debian kernel maintainers , krb5@packages.debian.org, libbsd@packages.debian.org, systemd@packages.debian.org, Michael Kerrisk , linux-kernel@vger.kernel.org Subject: Re: Fixing Linux getrandom() in stable Message-ID: <20180514003034.GI14763@thunk.org> Mail-Followup-To: "Theodore Y. Ts'o" , Thorsten Glaser , Adrian Bunk , Ben Hutchings , Debian release team , Debian kernel maintainers , krb5@packages.debian.org, libbsd@packages.debian.org, systemd@packages.debian.org, Michael Kerrisk , linux-kernel@vger.kernel.org References: <75577b3d2efd01aaf563f1a1400a2c655556b258.camel@decadent.org.uk> <20180513204828.GI10643@localhost> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: User-Agent: Mutt/1.9.5 (2018-04-13) X-SA-Exim-Connect-IP: X-SA-Exim-Mail-From: tytso@thunk.org X-SA-Exim-Scanned: No (on imap.thunk.org); SAEximRunCond expanded to false Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org (Quoting somewhat out of order) On Sun, May 13, 2018 at 09:23:39PM +0000, Thorsten Glaser wrote: > > It’s also no solution for the arc4random API… seems like a cultural > clash (BSD expectations vs. what Linux can actually deliver). It's instructive to look how OpenBSD solves this problem. OpenBSD supports a much smaller set of architectures than linux, and a very small set of bootloaders (which are part of the OpenBSD sources). So what OpenBSD is make the bootloader responsible for reading in the random seed file from persistent storage. Therefore OpenBSD doesn't wait for the RNG to be initialized, because it assumes that this never happens. (Hand-waving what happens during the install, but presumably harvesting entropy from the CD installer is not a problem, and OpenBSD doesn't support debootstrap. :-) So the first thing is that we *really* should get folks working on adding support to the x86 boot protocol so that in addition to passing a pointer to the loaded kernel, the inital ramdisk, and the boot command line, there should also be a pointer passed to the kernel containing a pointer to X bytes of seed entropy. This begs the question of how do we trust that the bootloader as actually gotten an effective source of seed entropy. Unlike OpenBSD, there are at least five or six different bootloaders which implement the x86 boot loader protocol for Linux (probably more), and can we trust that they are all implemented correctly? And of course, this is an x86-only solution. What about all of the other architectures supported by Debian? Still, the vast majority of Debian users are using x86, so solving that problems helps most of our users, and we shouldn't let the perfect be the enemy of the good. Also note that the bootloader has depend on userspace to refresh the seed entropy, both in early boot (in case the syscrashes), and at shutdown (so the entropy captured while the system is running can be saved as seed entropy). And this is trickier in Linux because the bootloader lives in a different source tree, and is maintained by different people from the systemd and/or initscripts people, and for that matter the bootloader doesn't know which distribution it is booting. (This is one of places where having a single source tree ala the *BSD's has its advantages. And this is where perhaps Debian as a distribution can solve this problem by coordinating action across multiple Debian packages.) > >Due to the gdm bugs mentioned above we know that there are real-life > >situations where gdm currently uses "random" data that might be > >predictable. When does gdm need true cryptographic randomness? We should take a step back and take look at the big picture. The only uses I can think of involving using XDMCP or some other Remote Desktop Protocol. But that protocol was invented in the days pre-SSH, and it is about as secure as telnet --- which is to say, not at all. So picking a randomly generated password for networked X or MIT Magic Cookie is something where I'd argue if you're worried about the quality of /dev/urandom, you're not worried about the your biggest security vulnerability. (Think bank vault doors attached to Papier mâché walls....) The util-linux-ng package made a similar calculation in v2.32 (interestingly, *before* the changes to address CVE-2018-1108 were made): commit a9cf659e0508c1f56813a7d74c64f67bbc962538 Author: Carlo Caione Date: Mon Mar 19 10:31:07 2018 +0000 lib/randutils: Do not block on getrandom() In Endless we have hit a problem when using 'sfdisk' on the really first boot to automatically expand the rootfs partition. On this platform 'sfdisk' is blocking on getrandom() because not enough random bytes are available. This is an ARM platform without a hwrng. We fix this passing GRND_NONBLOCK to getrandom(). 'sfdisk' will use the best entropy it has available and fallback only as necessary. Signed-off-by: Carlo Caione commit edc1c90cb972fdca1f66be5a8e2b0706bd2a4949 Author: Karel Zak Date: Tue Mar 20 14:17:24 2018 +0100 lib/randutils: don't break on EAGAIN, use usleep() .... Note that we do not use random numbers for security sensitive things like keys or so. It's used for random based UUIDs etc. Addresses: https://github.com/karelzak/util-linux/pull/603 Signed-off-by: Karel Zak > >> b. Tolerate a longer wait for getrandom() to return > > > >I suspect there might be no guaranteed upper bound for the waiting time. > > On a discless system with no hardware sources (possibly no network) > and no keyboard interaction? Infinite. > > Of course, if early userspace could reliably update a file, then the > file’s content could be estimated as good enough and be credited to > the RNG, at least for non-identical/readonly-/shared-media systems. ... and ultimately, this is the problem. Having an initialized RNG is ultimately, a system design issue that has to be considered holistically. If you have special hardware that you trust, it's easy. Or in a VM environment, where you have to implicitly trust the host *anyway* you could just use Virtio-rng and be done with it. Or it might depend on your workload. The security requirements of a information kiosk system will be quite different from a Kerberos KDC server. Or it might depend on who you are. If you're Intel or the US government, maybe you're willing to trust RDRAND, either because you know that it's secure because you've laid eyes on the internal CPU chip designs (or perhaps, maybe, you put the back door in yourself, and you've decided you don't need to worry about own goals :-). The *point* is that we can't really make a turn-key solution which will work for everyone. For as much we have the desire for a "Universal OS", something that works for all hardware, all users, and all workloads, is probably just not attainable here. (It never was a complete solution, BTW; even before the patches to address CVE-2018-1108, there were already hardware systems where you couldn't count on the RNG being initialized in time and getrandom(2) would block. It's just that they were few in number, and they tended to very niche systems for the tiniest of IOT devices, where you wouldn't be using gdm, or for that matter, systemd, because they simply wouldn't fit.) - Ted