Received: by 2002:ac0:a594:0:0:0:0:0 with SMTP id m20-v6csp4341311imm; Mon, 14 May 2018 06:16:39 -0700 (PDT) X-Google-Smtp-Source: AB8JxZq+srCwJCSUZoNuaJjKKUfyQ0Tq6Bk67mehSXkFoSDzB37zeF51kIFWHpvYDo0jxvcfqzE4 X-Received: by 2002:a17:902:c24:: with SMTP id 33-v6mr9705467pls.88.1526303799349; Mon, 14 May 2018 06:16:39 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1526303799; cv=none; d=google.com; s=arc-20160816; b=PJkLHyrK/0x+kw5fy6vx2SNLBmJ33mlHxY/Hr+KcWyujqt/tD69fTG9i01V7ixvzK7 6g4uAgG3fhZo4Wa+eg/esLTMAEJXKlkQVYP4dmRfhLSXRQny/V99KyRgOSaEjXcTAtdx Syvtlg35Lr48c9jLzQbU9LztI0vRuIO8yhzmgR5iIWqmIf/TAVwVdgUPsYZlApNWKI+r Qraz1imapWZX9iXmR9XKwquHFv24baeBartO0V9W++ptDi/cbQCzO6SsBZ7M6tR+RT4v HQ7fH4YK13gZ8pvMECFSDXBAWrylzrcMJzeDywx9w/oQ67yUJN4i4YAd2qvNaOY8slf/ nReg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:mime-version:user-agent:message-id :in-reply-to:date:references:subject:cc:to:from :arc-authentication-results; bh=lbqY/OBlKpDYyPnC/VjmxWpOaaIj97IVWdpKqNVw6K8=; b=c/KGfG+ZLuoYsETr0ZIVNy648ULNQQAqXmre8FZW7wLPf8M6HSwuXPRWx/EeT2rL3O PRIN1/+StcnPOc3Q/QbcE+zAsEmdFB42pqjW1w3Uf7INi6UNwgsXGRQHpkZh6jRURW9S au20JGkNCZYKX8UUpT1jbPu4ekIYTSbniL0CDFnEGyDkiXw+f4qfCa8eOEBXUPyzPsNk 2+kU+UrUxThz87EnzgLvVkZaDMJBH5hpPrhRhk849y2OfoUNqWEaJL3bCyMR2iHSyCuR B1qRFLU1Y3gJ50hiVE+usqQz0RdXp9R3u2clVQ5O/0QoxVt2hnLGdEl8g8G38FPoYzFL FUGg== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id x3-v6si9357933plb.478.2018.05.14.06.16.25; Mon, 14 May 2018 06:16:39 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S932469AbeENNPf (ORCPT + 99 others); Mon, 14 May 2018 09:15:35 -0400 Received: from ec2-52-9-186-167.us-west-1.compute.amazonaws.com ([52.9.186.167]:33302 "EHLO mail.suchdamage.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S932189AbeENNPd (ORCPT ); Mon, 14 May 2018 09:15:33 -0400 X-Greylist: delayed 570 seconds by postgrey-1.27 at vger.kernel.org; Mon, 14 May 2018 09:15:33 EDT Received: from localhost (localhost [127.0.0.1]) by mail.suchdamage.org (Postfix) with ESMTP id 35ADA29E3A; Mon, 14 May 2018 09:06:03 -0400 (EDT) Received: from mail.suchdamage.org ([127.0.0.1]) by localhost (mail.suchdamage.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ujpboXvvQiQ8; Mon, 14 May 2018 09:06:01 -0400 (EDT) Received: from carter-zimmerman.suchdamage.org (c-174-63-85-75.hsd1.ma.comcast.net [174.63.85.75]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "laptop", Issuer "laptop" (not verified)) (Authenticated sender: hartmans-laptop) by mail.suchdamage.org (Postfix) with ESMTPSA; Mon, 14 May 2018 09:06:01 -0400 (EDT) Received: by carter-zimmerman.suchdamage.org (Postfix, from userid 8042) id D9792C5CA4; Mon, 14 May 2018 09:05:58 -0400 (EDT) From: Sam Hartman To: Thorsten Glaser Cc: Adrian Bunk , Ben Hutchings , Debian release team , Debian kernel maintainers , krb5@packages.debian.org, libbsd@packages.debian.org, systemd@packages.debian.org, Michael Kerrisk , "Theodore Ts'o" , linux-kernel@vger.kernel.org Subject: Re: Fixing Linux getrandom() in stable References: <75577b3d2efd01aaf563f1a1400a2c655556b258.camel@decadent.org.uk> <20180513204828.GI10643@localhost> Date: Mon, 14 May 2018 09:05:58 -0400 In-Reply-To: (Thorsten Glaser's message of "Sun, 13 May 2018 21:23:39 +0000 (UTC)") Message-ID: User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.5 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org >>>>> "Thorsten" == Thorsten Glaser writes: Thorsten> Adrian Bunk dixit: >> As an example, what happens if I debootstrap and deploy the >> resulting filesytem to a large number of identical embedded >> systems without entropy sources? Thorsten> Just get into a habit of not doing so, for example by Thorsten> modifying the image during each writing process. I'm sorry, but modifying the image before each write is simply not realistic. My company has found that it's easy to get suppliers to deploy a static image to the storage of appliances we're constructing during the manufacturing process. They do not have tools for modifying the image. We do detect first boot and do things like change filesystem UUIDs. Mixing in any entropy we can obtain during the first boot is relatively easy. However, very quickly, we're going to need to do things like generate ssh keys for management and generate a few other public keys. Similar situations show up in cloud environments. There you can use virtio-rng or similar. However, the fact is that when we design systems, we are constrained by constraints placed by other parts of the process out of our control. Delivering an image that is static and that will be deployed onto multiple systems is something that does happen and it happens because it's the best design tradeoff available. It does have security implications, and in fact may decrease security of random numbers overall. On the other hand, it can increase security of code integrity and tends to be associated with design methodologies that create reproducible environments. So, you can try and sweep static images under the rug, but all you're doing is dsmissing people with real problems they need to solve. It would be much more constructive to acknowledge that people will use static images, discuss the security implications, solve the problems we can solve, and document the residual security implications so our users and the broader community are aware of our limitations. --Sam