Received: by 2002:a25:824b:0:0:0:0:0 with SMTP id d11csp7137697ybn; Mon, 30 Sep 2019 09:10:19 -0700 (PDT) X-Google-Smtp-Source: APXvYqysHfqER6Fx/4VDrzxn7ZR7GkgN7FDt6IKzAoqsxcaSihZmspd7GLdz79+Ji3q49CYuP9Lj X-Received: by 2002:a50:a532:: with SMTP id y47mr20407003edb.273.1569859819152; Mon, 30 Sep 2019 09:10:19 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1569859819; cv=none; d=google.com; s=arc-20160816; b=Dk9nAtHtX2n+iKHntiWajdXYjdkoStimxDLVizoHs/p+/N48pk6aPhN8Xnn+3ARN/i Z8I2DIYAiNUaz8XR822XSuKPfueoliJhJwqJRaNTKC9vv0psdTEw+MeEHiXmVFpqOFgN IsjVvIc9puNCbhtDKBlV6GI0HzCp6TsoQ65+pI+5pjzEazptjfw6P7Vb0gVarIryZitO wB8DokV7bnGtKUzG88Y4u/3LfFo4R5OrmajYsA/yFnIEyjqqoUq7B/E0yu7t6Z9hnWlp g0DW3GvkNhiD3IJwumvGazUzG4eQ01CXg1ng2o2E4/6pq6AFEhLzH/5yamWdbhc9Rl5r q/mQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature; bh=KLe2kylkHRDEIZkqma6Y17kUgB/cRkjjQz4tSwgXeyQ=; b=gP8PtVR2+PDWW0WLGf9pIaGAMPeEdB2ZuXR0zo/kHPqfn4kwWZIaSmV+UGGtcSTjbS K3n0TEXxTkWqxmNMtpsEXhzMgd00c3tf9/A7A+L/P58apMwC4ElwZKUDnYhuFkYAqV2p 6selpWg2NpsOkPdCloGc2dy+We3zrhxsaFxXxPNUTQyz5gRWS3QP8oU8z96q9Vs0sHrQ a7gLc3pJCkCK/7cxmm7bfnWaikS7Qs0FwG2cqxwWC7j/HyawlLbcBL6X/Y77j9+mWyzW fzFFZlykg5lbzICkmHqiPWmJQgT7n7+M8uEGoR4gnCeAFmjlEjSmV+6CypPgR7O9p4LG GJwA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linux-foundation.org header.s=google header.b=ItUevwyV; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id w20si7652401edc.202.2019.09.30.09.09.54; Mon, 30 Sep 2019 09:10:19 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@linux-foundation.org header.s=google header.b=ItUevwyV; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1732163AbfI3QG7 (ORCPT + 99 others); Mon, 30 Sep 2019 12:06:59 -0400 Received: from mail-lj1-f196.google.com ([209.85.208.196]:37635 "EHLO mail-lj1-f196.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728424AbfI3QG7 (ORCPT ); Mon, 30 Sep 2019 12:06:59 -0400 Received: by mail-lj1-f196.google.com with SMTP id l21so10104925lje.4 for ; Mon, 30 Sep 2019 09:06:56 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linux-foundation.org; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=KLe2kylkHRDEIZkqma6Y17kUgB/cRkjjQz4tSwgXeyQ=; b=ItUevwyV7K+5wlAC7uIMaBiq4O5RQHwz6gB4j41pmGvLNHJJDpjra6dNJkzZoLazfE E5vl2dbYUovDvSBxCVhMf2rkaldW6y6OXJpInRFLlK1dq2tUcHdFH2M5OXWmdotbJ2pB JxBSQE34E7oJiQd1SzU7G3iqevwk7iUZeeLmk= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=KLe2kylkHRDEIZkqma6Y17kUgB/cRkjjQz4tSwgXeyQ=; b=XMcHVZMhyYND84DRqqI5r/NzP23qZu/VDlwqZaOV5q3HdT36jTz3RldZQ1buZeVwYu k9aC/G4BqbJ1UFzYz2UteLRmstD9ZRZ02mFk0njChBSXSLxOE7qSlkgSrYBMdcq5HDkf YDziD6V8B9mPbq/5rO0Q+iJ6ATnAdrwRL/MCKtzKttsP9/MkHo8kebf9d2MYQbABWKIF uyX7yZ7NmbMeFawPS+bQTz8VA2/z+dB5+ZhwelahQSq0RXfzuzqzv3Djp4fTwBbg/7R1 c9Oe/uXQvEx2RlU0lKz8d0MOjPrwOfiA5A/F9TJq80gS4YL+x3K2AnSjQ6lxYxSk3T49 KLpA== X-Gm-Message-State: APjAAAX5eh7vKPjzSzr31ZAXXVkZfJbAlHeSii7rGkDRHaHGoKRBDBjf hsCb2aCdBOhf9Vm4eWgs6gdu8xaB4js= X-Received: by 2002:a2e:9702:: with SMTP id r2mr12858423lji.190.1569859614465; Mon, 30 Sep 2019 09:06:54 -0700 (PDT) Received: from mail-lf1-f43.google.com (mail-lf1-f43.google.com. [209.85.167.43]) by smtp.gmail.com with ESMTPSA id v7sm3312846lfd.55.2019.09.30.09.06.52 for (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Mon, 30 Sep 2019 09:06:53 -0700 (PDT) Received: by mail-lf1-f43.google.com with SMTP id r134so7448652lff.12 for ; Mon, 30 Sep 2019 09:06:52 -0700 (PDT) X-Received: by 2002:ac2:47f8:: with SMTP id b24mr12078157lfp.134.1569859612393; Mon, 30 Sep 2019 09:06:52 -0700 (PDT) MIME-Version: 1.0 References: <20190930061014.GC29694@zn.tnic> In-Reply-To: <20190930061014.GC29694@zn.tnic> From: Linus Torvalds Date: Mon, 30 Sep 2019 09:06:36 -0700 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: x86/random: Speculation to the rescue To: Borislav Petkov Cc: Thomas Gleixner , "Ahmed S. Darwish" , LKML , "Theodore Ts'o" , Nicholas Mc Guire , "the arch/x86 maintainers" , Andy Lutomirski , Kees Cook Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Sun, Sep 29, 2019 at 11:10 PM Borislav Petkov wrote: > > so sshd does getrandom(2) while those other userspace things don't. Oh > well. Well, that's actually what systems _should_ do. Presumably sshd actually wants secure randomness, and nothing else waits for it. Obviously, that can be a problem if you then need sshd in order to get into a headless box, so my patch fixes things for you too, but at least your box doesn't show the problem that Ahmed had, and the boot completing presumably means that you got more entropy from other disk IO being done by the rest of the boot. If you want to test my hacky "do /dev/urandom too", it was this one-liner: --- a/drivers/char/random.c +++ b/drivers/char/random.c @@ -2027,6 +2027,7 @@ urandom_read(struct file *file, char __user *buf, size_t nbytes, loff_t *ppos) static int maxwarn = 10; int ret; + if (!crng_ready()) try_to_generate_entropy(); if (!crng_ready() && maxwarn > 0) { maxwarn--; if (__ratelimit(&urandom_warning)) and that should get rid of the warnings. It's not using the full "wait_for_random_bytes()", because in the absence of a cycle counter, that would introduce the boot-time lockup for /dev/urandom too. Doing something like the above to /dev/urandom is likely the right thing to do eventually, but I didn't want to mix up "we can perhaps improve the urandom situation too" with the basic "let's fix the boot problem". The urandom behavior change would be a separate thing. Also, talking about "future changes". Right now "try_to_generate_entropy()" is actually uninterruptible once it gets started. I think we should add a test for signal_pending() too, but it should generally complete really fairly quickly so I left it without one just to see if anybody even notices. Linus