Received: by 2002:ac0:a594:0:0:0:0:0 with SMTP id m20-v6csp5078330imm; Fri, 18 May 2018 16:23:25 -0700 (PDT) X-Google-Smtp-Source: AB8JxZpI5/RZaScswDlIQzlL9Set0R9fJQDMtYYPUmDfsXoT0zYIgIDjjszR+JWOHQ/s0BoCdlSw X-Received: by 2002:a65:648a:: with SMTP id e10-v6mr9001651pgv.34.1526685805015; Fri, 18 May 2018 16:23:25 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1526685804; cv=none; d=google.com; s=arc-20160816; b=pGa+fVUK2Vui8X3e1ET0JgS9b+2AoiNryIg2hnGaL+8U08AZa3buwL9+caCI4LpbrF shHx4ohwW3IHANgaLg8LWq2Kv/WfFjozC1lRLKXM0fMmb6eTnHPEzkRzB0poL4jbjPex fhoXSJWz0Pasl27ZIedWFIaUsvf38XvgmoUJt4cq8CBSaDZzl8+TX6dq1GxKfW1j3h82 eoPRDNIRG0sHu7W0AAt1O59miCYYLlRxosDJeIf1VpquOYx9H1T3oeoGp87YNZUaTUUj ekcBSfwVmRBP/XGC1erT9/lVLvl9viyUhKZ9kDTa2WUtVOGZkNj0cYzYYUms3y/1nmf+ wpQg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:mail-followup-to :message-id:subject:cc:to:from:date:dkim-signature :arc-authentication-results; bh=FPs8UJeIkscdnOI/5xBsIaoniwaGRLKVDaz5RzFq/Gs=; b=GLClrxWanYXfE7aj1X7innBcgY4su+Yvi107t+Ubb1KhQzGABqIsIaW7UOQCenKiNk iB3FrzgaGEbGC4STtQH3dZ45xnPvAO0lv0EVhpqILVoAbCuXOcDtvaOWQ8mtQ3v5OFht 77GTBixyh7fdeYrNPuCM5FjQXAhNNFrjtusRgXrLmTKKvr/+TlqPVWVPyYTPRdJyqxVt kf8y1LJd1jPMpnkqyE0HfHtuVsvV0UrEI9vyLrTzENlSXyWlQ6JHNvMUeTCF+s9xUhEb i+NlMQ2YlXSkdIKVwR2VTh8FQrPDEjSg6pfc4ViHUUj42J/FnE9Yh4G6DJUIq7KaA7gs dJlw== ARC-Authentication-Results: i=1; mx.google.com; dkim=fail header.i=@thunk.org header.s=ef5046eb header.b=F2BXh9ef; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id z14-v6si6727636pgv.514.2018.05.18.16.23.09; Fri, 18 May 2018 16:23:24 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=fail header.i=@thunk.org header.s=ef5046eb header.b=F2BXh9ef; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752112AbeERXXD (ORCPT + 99 others); Fri, 18 May 2018 19:23:03 -0400 Received: from imap.thunk.org ([74.207.234.97]:48110 "EHLO imap.thunk.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751722AbeERXXA (ORCPT ); Fri, 18 May 2018 19:23:00 -0400 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=thunk.org; s=ef5046eb; h=In-Reply-To:Content-Type:MIME-Version:References:Message-ID: Subject:Cc:To:From:Date:Sender:Reply-To:Content-Transfer-Encoding:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=FPs8UJeIkscdnOI/5xBsIaoniwaGRLKVDaz5RzFq/Gs=; b=F2BXh9efIhtaE1r7cXoET0Q37c 5n+ebg+c17MnwP5z1coPmR/1fWra2H3ic22en07a518kGDBp6qNH40iTH/cLkiLz1seoRrEMjg/Pf esMuZATChHwaEn39QkW74QbDcn2NCTqYwsJvh531W+Kg3NMzOpYagt4QA5BEuZmYZcPY=; Received: from root (helo=callcc.thunk.org) by imap.thunk.org with local-esmtp (Exim 4.89) (envelope-from ) id 1fJoi9-0001lw-Ls; Fri, 18 May 2018 23:22:57 +0000 Received: by callcc.thunk.org (Postfix, from userid 15806) id E5F987A5C7F; Fri, 18 May 2018 19:22:56 -0400 (EDT) Date: Fri, 18 May 2018 19:22:56 -0400 From: "Theodore Y. Ts'o" To: Trent Piepho Cc: "jannh@google.com" , "linux-kernel@vger.kernel.org" , "sultanxda@gmail.com" Subject: Re: Linux messages full of `random: get_random_u32 called from` Message-ID: <20180518232256.GA23628@thunk.org> Mail-Followup-To: "Theodore Y. Ts'o" , Trent Piepho , "jannh@google.com" , "linux-kernel@vger.kernel.org" , "sultanxda@gmail.com" References: <20180427201036.GL5965@thunk.org> <1526606822.30073.64.camel@impinj.com> <20180518023209.GD15263@thunk.org> <1526684178.31570.26.camel@impinj.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <1526684178.31570.26.camel@impinj.com> User-Agent: Mutt/1.9.5 (2018-04-13) X-SA-Exim-Connect-IP: X-SA-Exim-Mail-From: tytso@thunk.org X-SA-Exim-Scanned: No (on imap.thunk.org); SAEximRunCond expanded to false Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Fri, May 18, 2018 at 10:56:18PM +0000, Trent Piepho wrote: > > I feel like "fix" might overstate the result a bit. > > This ends up taking a full second to make each UUID. Having gone to > great effort to make an iMX25 complete userspace startup in 250 ms, a > full second, per UUID, in early startup is pretty appalling. > > Let's look at what we're doing after this fix: > Want non-cryptographic random data for UUID, ask kernel for it. > Kernel has non-cryptographic random data, won't give it to us. > Wait one second for cryptographic random data, which we didn't need. > Give up and create our own random data, which is non-cryptographic and > even worse than what the kernel could have given us from the start. > > util-linux falls back to rand() seeded with the pid, uid, tv_sec, and > tv_usec from gettimeofday(). Pretty bad on an embedded system with no > RTC and worse than what the kernel in crng_init 1 state can give us. So what util-linux's libuuid could do is fall back to using /dev/urandom instead. Whether or not you retry for a second before you fall back to /dev/urandom really depends on how important the second U in UUID ("unique") is to you. If you use lower quality randomness, you can potentially risk getting non-unique UUID's. If you don't worry leaking your computer's identity and the time when the UUID was generated, the application could also use the time-based UUID's. There are privacy implications for doing so, it's not something we can do automatically (or at least I can't recommend it). Also, if you don't have the clock sequence file and/or you don't have a writable root, you might need some randomness anyway to protect against non-monotonically increasing system time. > It would seem to be a fact that there will be users of non- > cryptographic random data in early boot. What is the best practice for > that? To fall back to each user trying "to find randomly-looking > things on an 1990s Unix." That doesn't seem good to me. But what's > the better way? We could add a new flag to getrandom(2), but application authors can just as easily fall back to using /dev/urandom. The real concern I have is application authors that actually *really* need cryptographic randomness, but they're too lazy to figure out a way to defer key generation until the last possible moment. There are other things we can do to add support in the bootloader to read an entropy state file and inject it into the kernel alongside the initrd and boot command line. But that doesn't completely solve the problem; you still have to deal with the "frest from the factory, first time out of box" experience. And if you have trusted random number generation hardware, and are reasonably certain you don't have to worry about a state-sponsored agency from intercepting hardware shipments and gimmicking your hardware, that can be a solution as well. So there are things we can do to improve some of the scenarios. Unfortunately, there is no silver bullet that will address all of them. - Ted