Received: by 2002:ac0:a594:0:0:0:0:0 with SMTP id m20-v6csp3737870imm; Sun, 13 May 2018 19:12:27 -0700 (PDT) X-Google-Smtp-Source: AB8JxZruktmYVfbBTlLEDLNAHgUCeOFge8SHF8o1nJt20Q0MPu+J96tw+S7jHTbU8x31FKf0izDQ X-Received: by 2002:a17:902:7283:: with SMTP id d3-v6mr7896828pll.192.1526263947541; Sun, 13 May 2018 19:12:27 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1526263947; cv=none; d=google.com; s=arc-20160816; b=xRG5c3hhvPpJW2tkhiVmMGmX2dsTSzfAU8g3UU28QJpoWt39t0XntmPhNtzKc0JLkV 2VzLj/dM5emrJ1SOnPTrmZF1CMiRfr8SlxXDaCGa0RFapiRxxVADmwpRF7GLGyconLxR 3kXJAiWs+jyhEJ62gXXnqOhWaLIArVzlIP1bJjx0VkDw5ypVrakIL2jMtX9ED31suenF 3HhBiIP7p6kYmaOZD9KeFMnKt0gbIUGs+W4GmFQc0bKhkvWOmaVbM693v+7S8xIBddML cunJ0ZwPABX3SrwYzO+QS1AytJiORvw/pqUgkrYz9ZwGaFf7O1AJ9oIwOFDSu5rP2C1J nX7A== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:mime-version:references:in-reply-to:date :cc:to:from:subject:message-id:arc-authentication-results; bh=e3Tj+fxQpJZRhKwbAheznK49TS567Wqeit9JJD0AYYU=; b=tElIEEH/NeuOvhSK+wP9XYhxtc5jNsozuWwjPjiO3dIpAaIO5nzc5z6MepcMiqiazE 5gD8OdH8cVIQ4VFtKvjn8ioxJc0FQdYAsaZAkhfzMt8gw/1q/+ujDyLXeoU9OlvRx3qK uR/uSDPmK/SFCCQdwEu0j6mzZ3CYQpvVAXgPgqSbKasGeannER22SwWfnpVQWybxK3gk ymFArRZJgGvRxoZpg8Tzljkbw5lxiVN4ztuI4Rxgne9V8hYWue+IwRTa5nisIZ5P2FHl hFjGzLeREDJe7IdhwhQVL4tfmjqkLzPc7n39tLf9G1/KaPD+683JBJpeA1H89H6Xxa86 yEEg== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id y64-v6si9231883pfj.239.2018.05.13.19.12.00; Sun, 13 May 2018 19:12:27 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752017AbeENCLu (ORCPT + 99 others); Sun, 13 May 2018 22:11:50 -0400 Received: from shadbolt.e.decadent.org.uk ([88.96.1.126]:35786 "EHLO shadbolt.e.decadent.org.uk" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751219AbeENCLt (ORCPT ); Sun, 13 May 2018 22:11:49 -0400 Received: from [2a02:8011:400e:2:6f00:88c8:c921:d332] (helo=deadeye) by shadbolt.decadent.org.uk with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.84_2) (envelope-from ) id 1fI2xg-0006lp-Gj; Mon, 14 May 2018 03:11:40 +0100 Received: from ben by deadeye with local (Exim 4.91) (envelope-from ) id 1fI2xb-0006wF-Ao; Mon, 14 May 2018 03:11:35 +0100 Message-ID: <71fc1f9e921f2a755e79563903ddf676de128478.camel@decadent.org.uk> Subject: Re: Fixing Linux getrandom() in stable From: Ben Hutchings To: Adrian Bunk Cc: Debian release team , Debian kernel maintainers , krb5@packages.debian.org, libbsd@packages.debian.org, systemd@packages.debian.org, Michael Kerrisk , Theodore Ts'o , linux-kernel@vger.kernel.org Date: Mon, 14 May 2018 03:11:30 +0100 In-Reply-To: <20180513204828.GI10643@localhost> References: <75577b3d2efd01aaf563f1a1400a2c655556b258.camel@decadent.org.uk> <20180513204828.GI10643@localhost> Content-Type: multipart/signed; micalg="pgp-sha512"; protocol="application/pgp-signature"; boundary="=-fPt2BSZn9gfbAMq4dtff" X-Mailer: Evolution 3.28.1-2 Mime-Version: 1.0 X-SA-Exim-Connect-IP: 2a02:8011:400e:2:6f00:88c8:c921:d332 X-SA-Exim-Mail-From: ben@decadent.org.uk X-SA-Exim-Scanned: No (on shadbolt.decadent.org.uk); SAEximRunCond expanded to false Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org --=-fPt2BSZn9gfbAMq4dtff Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable On Sun, 2018-05-13 at 23:48 +0300, Adrian Bunk wrote: > On Wed, May 09, 2018 at 11:46:00PM +0100, Ben Hutchings wrote: [...] > > # Options for a new fix > >=20 > > It is unlikely that any further fix will be forthcoming on the kernel > > side, so I believe that we need to do one of: > >=20 > > 1. Add entropy to the kernel during boot; either: > > a. Improve systemd-random-seed > > b. Recommend use of haveged >=20 > I don't see any solution above that both always works and never results > in new CVEs. Indeed. > As an example, what happens if I debootstrap and deploy the resulting > filesytem to a large number of identical embedded systems without > entropy sources? Then it is your fault when they turn into a botnet. :-) Availability of randomness must be considered in the design of embedded systems. [...] > /dev/urandom is documented in a very misleading way, quoting random(4): > When read during early boot time, /dev/urandom may return data prior t= o > the entropy pool being initialized. If this is of concern in you= r > application, use getrandom(2) or /dev/random instead. >=20 > What is the worst case for "early boot time" here? "always"? No, I don't think so. > Due to the gdm bugs mentioned above we know that there are real-life=20 > situations where gdm currently uses "random" data that might be=20 > predictable. >=20 > grep tells me: > daemon/gdm-x-session.c: auth_entry.data =3D gdm_generate_random_by= tes (auth_entry.data_length, &error); > daemon/gdm-display-access-file.c: *cookie =3D gdm_generate_random_= bytes (GDM_DISPLAY_ACCESS_COOKIE_SIZE, >=20 > Repeat the same for every package that uses /dev/urandom. This is certain undesirable, but it's exploitable only by local users.=20 (If you let the X server listen to the network, all authentication cookies are sent in the clear so you've already lost. If you use ssh X forwarding, it generates a new authentication cookie for use with the X proxy on the remote machine.) >=20 > > b. Tolerate a longer wait for getrandom() to return >=20 > I suspect there might be no guaranteed upper bound for the waiting time. Interrupt timing feeds into the RNG, and as long as there's at least one interrupt per second then I think the RNG will reach the fully initialised state after a few minutes. I just started a VM with a serial console and only a shell running as pid 1, which is about as idle a system as I can imagine, and it was seeing more than one interrupt per second. However, other architectures (e.g. s390x) might achieve greater idleness. > > ... > > The libbsd maintainer (Guillem Jover) favours option 2a. > >=20 > > One of the krb5 maintainers (Benjamin Kaduk) favours option 2b, and > > also proposed that systemd could provide a wait-for-rng-ready unit to > > support this. >=20 > I don't see any general solution that is both correct and easy. Indeed. > The proper way forward might be to deprecate /dev/urandom and add a=20 > third option GRND_UNSAFE_RANDOM to getrandom() that is documented to=20 > never block but might return predictable data in some cases. This doesn't solve anything for us. (It does help with the original problem of device nodes possibly being absent from a minimal container or chroot.) > It would then be up to the application to decide whether predictable > data is acceptable, and what to do in entropy-starved situations. >=20 > Regarding the suggested wait-for-rng-ready systemd unit for others to=20 > wait on, this only makes sense for cases where "do not start at all" > is the best handling for a "no entropy" situation. Yes. Ben. > > Ben. >=20 > cu > Adrian >=20 --=20 Ben Hutchings For every action, there is an equal and opposite criticism. - Harrison --=-fPt2BSZn9gfbAMq4dtff Content-Type: application/pgp-signature; name="signature.asc" Content-Description: This is a digitally signed message part -----BEGIN PGP SIGNATURE----- iQIzBAABCgAdFiEErCspvTSmr92z9o8157/I7JWGEQkFAlr48FIACgkQ57/I7JWG EQnPMQ//TTpdjIIzbRUJIMzMAyyrV9h9LkHvffK6oUsA4TfcJNNjkqbztRE2OkW1 iMNBZ+KZrQk8CL1nmFjY6EKHilf/zvWjReCDAmAgg+G7bDyB7A+QmziP0nHzdzLj rtCgpjyRYuoT8QqxJwr3cXjeCee0wtCE+sDhCBsT9yAAmiQUzmXpoWWT3Zhr1FnM 6wL18JP6/wd6P+3uVkjwifuCCXfDLk9hOFGzF63zpGtKJbAn8yDO+FRkpjcydrYH OyZgbWYw3bBrV7Wf+1CsDeBbpl2vt3UpJViX0T/3SogA2NUiLJpZrIyvA99KgZhv 60qrS0HK2/goU/RYZLqszkZvfrFyu8CT7hFMJRzw/ye9hKxEZB0xjsdKkT1KfKdz gm4hsgDIWrS1eyxx38t6Qq2eTxFxBV5TZywiB8Hl3PCPbaobpYtqRH4+ehCPOkXm wfiGGWq4xp4hXYWgoGLrD4KxcDi0OzEMLqz+gIuXpMjPUAhpzwMNdm/a3ULqeyzp g0LLF2Vr9uhzKOJ8zPtZ1juexie9GdFWdKcaKCvng2bssc54nU5EcwJuznqaA1ls Red+OAk1yL7jM2s1Y3H8iGbfyY7vKxxV0ZPpqzsds1VvEgzqM6o3dcPn8kL3VzxA TLFEve8wZwV7mz9UufHi7GT9FbD/FCNv8r6ZibFvj72xJNiLgzk= =s6+y -----END PGP SIGNATURE----- --=-fPt2BSZn9gfbAMq4dtff--