Received: by 2002:a25:4158:0:0:0:0:0 with SMTP id o85csp3275784yba; Tue, 16 Apr 2019 08:08:48 -0700 (PDT) X-Google-Smtp-Source: APXvYqxoMqmA7Ug9mKlU/I8N4RE8Obf5BYHgCw1MBqLwH9fKnPHAMBAKYdMnVNUpjv7czB3SQlza X-Received: by 2002:a65:62ce:: with SMTP id m14mr63588103pgv.191.1555427328336; Tue, 16 Apr 2019 08:08:48 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1555427328; cv=none; d=google.com; s=arc-20160816; b=raLZOkPBp4Wjna15z6ZpgdJqZFJkUzfYq2tYxtUIYA2u6FdocuOUSnPtlWnMmtDD9C 17CLqGVBdgMe+b+bBLxX01XnBJCQRMp0A1HssYd3BlEWq0FecuLvCVDJ0obaoXAI7QEr g0vd6I7tgk/Y80fJ/ZZnM9FjtcgysFNUERvOL+kWBLka7r0AKoPZmwwLChRg2RMI0QdR 58Tg29Fl79Xh03uUSvf8jMoN+GSpHskU+g7DQGNGJv4VUL/87ITDf1pfIOCGbZ/mGNpV svz1G/bHPPvgqlNwdUHcjMkCaX2X1/sVmy+u89FRRVlFY7ohO9hoLLazHyYNDH0e2YvG evMg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:mail-followup-to :message-id:subject:cc:to:from:date; bh=aCI8N5c/abZCGnVuOe2nx3HDy4DM5qEoOLJ37K2qQDc=; b=FnK74tpCUT16Z7bruh3C8JCs99bV5tFYOjkl7+7OI15Vs/JJu9Lmti/ctr919oP14E 4v/EQ30/gBal46l1XNwmZ1VZJXftFqWbltMkCV1j9sCB7wqk2CNrLA4UlsOBKQxQK+0G aMCxJj2YD6hCp4Bx4N5yBTP0RSqfZBbOp/2mnG0pStGLCCW6e4AJ9gMHReGItw21JqzX CR9LB6+8+nE4Icoqn7omY1iR6H3M2MeIIaGi2kz28lxAk0SgwufZXUT+I6OmNz0eXhHp lY7VWI4ZNoKjHa2bF0t7BTLcMygUH4Atfet0a1+RTrK9PehUjcKzGWCYpQO7zNkj/EkW sgzg== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id f63si43667994pff.107.2019.04.16.08.08.32; Tue, 16 Apr 2019 08:08:48 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728028AbfDPPHW (ORCPT + 99 others); Tue, 16 Apr 2019 11:07:22 -0400 Received: from outgoing-auth-1.mit.edu ([18.9.28.11]:52608 "EHLO outgoing.mit.edu" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1725796AbfDPPHV (ORCPT ); Tue, 16 Apr 2019 11:07:21 -0400 Received: from callcc.thunk.org (guestnat-104-133-0-109.corp.google.com [104.133.0.109] (may be forged)) (authenticated bits=0) (User authenticated as tytso@ATHENA.MIT.EDU) by outgoing.mit.edu (8.14.7/8.12.4) with ESMTP id x3GF6nSo015691 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 16 Apr 2019 11:06:49 -0400 Received: by callcc.thunk.org (Postfix, from userid 15806) id BF6BA420497; Tue, 16 Apr 2019 11:06:48 -0400 (EDT) Date: Tue, 16 Apr 2019 11:06:48 -0400 From: "Theodore Ts'o" To: Kees Cook Cc: Daniel Borkmann , Hannes Frederic Sowa , LKML , Ingo Molnar , "Reshetova, Elena" , Alexei Starovoitov Subject: Re: BPF RNG Message-ID: <20190416150648.GA3004@mit.edu> Mail-Followup-To: Theodore Ts'o , Kees Cook , Daniel Borkmann , Hannes Frederic Sowa , LKML , Ingo Molnar , "Reshetova, Elena" , Alexei Starovoitov References: MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.10.1 (2018-07-13) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, Apr 16, 2019 at 08:55:59AM -0500, Kees Cook wrote: > [correcting Alexei's email address and resending...] > On Tue, Apr 16, 2019 at 8:54 AM Kees Cook wrote: > > > > In looking at prandom_u32() users, I noticed that BPF uses its own > > state variable with bpf_user_rnd_u32(). It appears that this state is > > never reseeded like regular prandom_u32(). (See __prandom_timer().) Is > > this intentional, or should reseeding be happening? It looks like this isn't the only place where prandom's machinery is being used w/o reseeding. See also net/netfilter/nft_meta.c and net/netfilter/nft_numgen.c. That being said, guarantees we give for prandom are extremely weak. The only reason why we reseed for net_rand_state was they wanted something sorta-kinda secure, but they weren't willing to pay the cost of calling get_random_u64() or get_random_u32(). So I don't think we should be encouraging people to think that reseeding should actually be happening, at least with some explicit explanation of documentation somewhere about why it's needed, and what security guarantees people should be expecting. (e.g., for the networking subsystem, the claim is that it's trying to make certain DOS attackers harder, and it shouldn't be mistaken for real security). In fact, why we're supporting multiple prandom per-cpu state families makes me worried we're going in the wrong direction. I suspect the reason why people are settng up separate prandom states is because they don't want to leak knowledge about the prandom internal state to an external attacker. That should only matter for a small set of network stack users; so maybe we should just have two prandom states. One for the vast majority of users where there should be no security concerns around using prandom (because if there are, 99% of the time they should be get_random_u32), and then for those people who want get_random_fast_but_maybe_insecure_u64() --- and maybe for those architectures where there is some instruction like RDRAND which is really super-fast, it would use RDRAND for the get_random_fast_but_maybe_insecure_u64(). - Ted