Received: by 2002:a25:c593:0:0:0:0:0 with SMTP id v141csp5952988ybe; Tue, 17 Sep 2019 16:47:25 -0700 (PDT) X-Google-Smtp-Source: APXvYqzjR5dw8RvESaY2ARWYOnu7GkChPwcy1wjwqHNUvwnEvmohZ6Ygfjep4f+rEzPFAtRx3/ll X-Received: by 2002:a17:906:a84d:: with SMTP id dx13mr7269719ejb.230.1568764045346; Tue, 17 Sep 2019 16:47:25 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1568764045; cv=none; d=google.com; s=arc-20160816; b=lQeIKNduXgL5VWjEBW6XwvMaMjMRODXhkv++Yy/4SL9U9IKGaGlCaCubqN7Yjhxzv9 y1bujOu2wU3xrNXPPHoZPa1Yb2Q94sryIWU3xPbGfJa1SW2XxEXDfwKqE1OyCBiepFyC 2njOWrELUhI2FwNtYQWydjgEbjcpY4dMVL7ef6kVfF6RCvTek/88Rgl2goO3/o90avDL PnfVPECpYTTnmgmuQXQXGMOofOqvAEfnHdqNfHZglX90rtXjV+dKp8Xo/wjkZ25S2LtI /2PBDvxYwQIkTvpcFtPVZF08U87S/fWvdeRyGYzDjbFqn9XwTCZi07HiOsatMkCQ2XUM XIBA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature; bh=GxsyW6nLofhV8viqZYmUtikq7MzcUQ0DLONnisNNMgg=; b=IMTHJkhETZClYYZfHMKdS3f9p7YUSmbACHYE/8hHcYSX0qxXv70ciJx0/1mZhEx35h 088urU24zcmNcGPvZYsRsLCLPOHcctb+hlp4KO6TXtBXZZ7/PMKTbkbOu6xgYBP+Dqkn oqhwblMN0954Zz4khWm5dLFecQUzllOZ8takADuzmRnsztR7PJVn51rU2Tm9sScaS9XC U6C+W8Hlf6K/a2WW3PghV1KwDJCcKdJJAMdgJL6WYX+KpnT/Tx/qbCArkovA9+irbDc3 dZV2phLv3E4lAu9KxTvCFO+ajEKOEKgU81D3Kypr5phOdznQGBuyw2KDThy8zKQXNQP0 SX6Q== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linux-foundation.org header.s=google header.b=TqK580QE; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id l3si2387667edc.109.2019.09.17.16.47.01; Tue, 17 Sep 2019 16:47:25 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@linux-foundation.org header.s=google header.b=TqK580QE; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727264AbfIQQYE (ORCPT + 99 others); Tue, 17 Sep 2019 12:24:04 -0400 Received: from mail-lf1-f65.google.com ([209.85.167.65]:44155 "EHLO mail-lf1-f65.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726881AbfIQQYE (ORCPT ); Tue, 17 Sep 2019 12:24:04 -0400 Received: by mail-lf1-f65.google.com with SMTP id q11so3353828lfc.11 for ; Tue, 17 Sep 2019 09:24:02 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linux-foundation.org; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=GxsyW6nLofhV8viqZYmUtikq7MzcUQ0DLONnisNNMgg=; b=TqK580QEDxVQPMUfHjJ7kx8CJ6swQ66oeXEZhXBI33FU+q9pAhpktcTOSJh9FjQuYB g/amoJaPGMr0tVs+0KonicAn6CEpIb0jSqvDt3HwUdn6xXa6sACcDsgEA68nfpRcpykU M3sf6qYdD8L0B4HAx6NYPW9aAgS0IclpQKu/s= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=GxsyW6nLofhV8viqZYmUtikq7MzcUQ0DLONnisNNMgg=; b=Lai9RfCHTnDmy4+vqTlHii9fFHT/Bo6Z6OOxYWH8F7FcIgMYngb0E3t7Ki6YuvOzvi jfUGnbTftX2ffKeVJJTsc4WKeY/IJyGuwmRSELQp69ZJy4UPe+mXj0TMRGRFDKk3/Y6C vuma1uPYLyWcvd4f8hoz3BlYbpvjesPJWMrPNdDyvVmb2BZeqls6QvO3rdm5MyAmGVV8 u2ZhQw0DrEFtBjb15iih7JkJ0encF55mXn/ccROuAn2lGd5gbxPS3jpHxJozXEoScVVv kp433EBQPIawchZFzz4LX+Y6gQzh0Ic5A0cdVZ4VhXwN0v7FWb5k/Erm+/nqstfY9HCd 9UNA== X-Gm-Message-State: APjAAAUS0zgshq5EhwvUN2Cci7niPY01Rb4n42bnFP7wN4MFctVrvh5X pobQnpXLnvoaPkfdZwE5H3J0bW4PqMU= X-Received: by 2002:a05:6512:4dd:: with SMTP id w29mr2547375lfq.2.1568737441145; Tue, 17 Sep 2019 09:24:01 -0700 (PDT) Received: from mail-lj1-f177.google.com (mail-lj1-f177.google.com. [209.85.208.177]) by smtp.gmail.com with ESMTPSA id w27sm512905ljd.55.2019.09.17.09.23.59 for (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Tue, 17 Sep 2019 09:24:00 -0700 (PDT) Received: by mail-lj1-f177.google.com with SMTP id 7so4170827ljw.7 for ; Tue, 17 Sep 2019 09:23:59 -0700 (PDT) X-Received: by 2002:a2e:2c02:: with SMTP id s2mr2491562ljs.156.1568737439299; Tue, 17 Sep 2019 09:23:59 -0700 (PDT) MIME-Version: 1.0 References: <20190917052438.GA26923@1wt.eu> <2508489.jOnZlRuxVn@merkaba> <20190917121156.GC6762@mit.edu> <20190917123015.sirlkvy335crozmj@debian-stretch-darwi.lab.linutronix.de> <20190917160844.GC31567@gardel-login> In-Reply-To: <20190917160844.GC31567@gardel-login> From: Linus Torvalds Date: Tue, 17 Sep 2019 09:23:42 -0700 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: Linux 5.3-rc8 To: Lennart Poettering Cc: "Ahmed S. Darwish" , "Theodore Y. Ts'o" , Willy Tarreau , Matthew Garrett , Vito Caputo , Andreas Dilger , Jan Kara , Ray Strode , William Jon McCann , "Alexander E. Patrakov" , zhangjs , linux-ext4@vger.kernel.org, lkml Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, Sep 17, 2019 at 9:08 AM Lennart Poettering wrote: > > Here's what I'd propose: So I think this is ok, but I have another proposal. Before I post that one, though, I just wanted to point out: > 1) Add GRND_INSECURE to get those users of getrandom() who do not need > high quality entropy off its use (systemd has uses for this, for > seeding hash tables for example), thus reducing the places where > things might block. I really think that trhe logic should be the other way around. The getrandom() users that don't need high quality entropy are the ones that don't really think about this, and so _they_ shouldn't be the ones that have to explicitly state anything. To those users, "random is random". By definition they don't much care, and quite possibly they don't even know what "entropy" really means in that context. The ones that *do* want high security randomness should be the ones that know that "random" means different things to different people, and that randomness is hard. So the onus should be on them to say that "yes, I'm one of those people willing to wait". That's why I'd like to see GRND_SECURE instead. That's kind of what GRND_RANDOM is right now, but it went overboard and it's not useful even to the people who do want secure random numners. Besides, the GRND_RANDOM naming doesn't really help the people who don't know anyway, so it's just bad in so many ways. We should probably just get rid of that flag entirely and make it imply GRND_SECURE without the overdone entropy accounting, but that's a separate issue. When we do add GRND_SECURE, we should also add the GRND_INSECURE just to allow people to mark their use, and to avoid the whole existing confusion about "0". > 2) Add a kernel log message if a getrandom(0) client hung for 15s or > more, explaining the situation briefly, but not otherwise changing > behaviour. The problem is that when you have some graphical boot, you'll not even see the kernel messages ;( I do agree that a message is a good idea regardless, but I don't think it necessarily solves the problems except for developers. > 3) Change systemd-random-seed.service to log to console in the same > case, blocking boot cleanly and discoverably. So I think systemd-random-seed might as well just use a new GRND_SECURE, and then not even have to worry about it. That said, I think I have a suggestion that everybody can live with - even if they might not be _happy_ about it. See next email. > I am not a fan of randomly killing userspace processes that just > happened to be the unlucky ones, to call this first... I see no > benefit in killing stuff over letting boot hang in a discoverable way. Absolutely agreed. The point was to not break things. Linus