From: Andy Lutomirski
Date: Mon, 9 Sep 2019 15:57:46 -0700
Subject: Re: [PATCH 0/7] Rework random blocking
To: Pavel Machek
Cc: Andy Lutomirski, Theodore Tso, LKML, Linux API, Kees Cook, "Jason A. Donenfeld"
In-Reply-To: <20190909094230.GB27626@amd>

On Mon, Sep 9, 2019 at 2:42 AM Pavel Machek wrote:
>
> On Thu 2019-08-29 18:11:35, Andy Lutomirski wrote:
> > This makes two major semantic changes to Linux's random APIs:
> >
> > It adds getentropy(..., GRND_INSECURE). This causes getentropy to
> > always return *something*. There is no guarantee whatsoever that
> > the result will be cryptographically random or even unique, but the
> > kernel will give the best quality random output it can. The name is
> > a big hint: the resulting output is INSECURE.
> >
> > The purpose of this is to allow programs that genuinely want
> > best-effort entropy to get it without resorting to /dev/urandom.
> > Plenty of programs do this because they need to do *something*
> > during boot and they can't afford to wait. Calling it "INSECURE" is
> > probably the best we can do to discourage using this API for things
> > that need security.
> >
> > This series also removes the blocking pool and makes /dev/random
> > work just like getentropy(..., 0) and makes GRND_RANDOM a no-op. I
> > believe that Linux's blocking pool has outlived its usefulness.
> > Linux's CRNG generates output that is good enough to use even for
> > key generation. The blocking pool is not stronger in any material
> > way, and keeping it around requires a lot of infrastructure of
> > dubious value.
>
> Could you give some more justification? If crng is good enough for
> you, you can use /dev/urandom...

Take a look at the diffstat. The random code is extremely security
sensitive, and it's made considerably more complicated by the need to
support the blocking semantics for /dev/random. My primary argument is
that there is no real reason for the kernel to continue to support it.

>
>
> are
>
> > This series should not break any existing programs. /dev/urandom is
> > unchanged. /dev/random will still block just after booting, but it
> > will block less than it used to. getentropy() with existing flags
> > will return output that is, for practical purposes, just as strong
> > as before.
>
> So what is the exact semantic of /dev/random after your change?

Reads return immediately if the CRNG is initialized, i.e. reads return
immediately if and only if getentropy(..., 0) would succeed. Otherwise
reads block.

--Andy
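
The three behaviours discussed in this thread (block until the CRNG is initialized, probe without blocking, and best-effort output that never blocks) can be exercised from userspace as follows. This is an added example, not part of the message or the patch series: it assumes the flags are passed through the getrandom(2) system call and that GRND_INSECURE has the Linux UAPI value 0x0004, and the names `crng_ready`, `fill_random` and `rng_need` are hypothetical.

```c
#include <errno.h>
#include <stddef.h>
#include <sys/random.h>
#include <sys/types.h>

#ifndef GRND_INSECURE
#define GRND_INSECURE 0x0004 /* assumed UAPI value; older libc headers lack it */
#endif

enum rng_need { RNG_KEY_MATERIAL, RNG_BEST_EFFORT };

/* 1 if the CRNG is initialized, 0 if a flags=0 read would block, -1 on error. */
int crng_ready(void)
{
    unsigned char probe;
    ssize_t n = getrandom(&probe, 1, GRND_NONBLOCK);
    if (n == 1)
        return 1;
    return (n < 0 && errno == EAGAIN) ? 0 : -1;
}

/* Read exactly len bytes with the given flags, retrying on EINTR. */
static int read_all(unsigned char *buf, size_t len, unsigned int flags)
{
    size_t off = 0;
    while (off < len) {
        ssize_t n = getrandom(buf + off, len - off, flags);
        if (n < 0) {
            if (errno == EINTR)
                continue;
            return -1;
        }
        off += (size_t)n;
    }
    return 0;
}

/* Fill buf according to the caller's need; 0 on success, -1 with errno set. */
int fill_random(unsigned char *buf, size_t len, enum rng_need need)
{
    if (need == RNG_KEY_MATERIAL)
        return read_all(buf, len, 0);  /* blocks until the CRNG is initialized */
    if (read_all(buf, len, GRND_INSECURE) == 0)
        return 0;                      /* never blocks; may be weak early in boot */
    if (errno != EINVAL)
        return -1;
    /* Kernel rejects GRND_INSECURE: stay non-blocking, fail with EAGAIN if unready. */
    return read_all(buf, len, GRND_NONBLOCK);
}
```

Callers that generate keys should only ever use `RNG_KEY_MATERIAL`; `RNG_BEST_EFFORT` is for early-boot uses such as hash-table seeds where waiting is not an option.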