Received: by 2002:a5b:505:0:0:0:0:0 with SMTP id o5csp3124406ybp; Sun, 6 Oct 2019 05:20:20 -0700 (PDT) X-Google-Smtp-Source: APXvYqw8sr2l8gPS3GR6X4j/M7AnGDc3EXDwWcVAbdwK+9ngSuldQLRERsUmj25zanXt50ejRh23 X-Received: by 2002:a17:907:20e4:: with SMTP id rh4mr19671270ejb.59.1570364420793; Sun, 06 Oct 2019 05:20:20 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1570364420; cv=none; d=google.com; s=arc-20160816; b=cQcFmTotMWPA4/SIPTm8A1e2f4nm0RT0i4JPd0ZhoPQoD7k72OkqcoJqb7Izky5Xib w4p1vF2gTxHONi12i9vhlH202axhYsDQdq0N65K/CyZLAUeEik/mntbwLGxzRT815Mvj zw36ma5gyOhEwAXdGNnnSwcUpTTZA6kUazble5/HfuQRdWuK8PbC9VT5NNjGGwPTDQJF ClZmqVAbPgX3T/+oJAAUL04l/QxVqbFC9zFPmTmG8FVo3ZaP32tMnlrqcCi+KzIy1Y8e m92p3+gHSashcUaHoXEItIa/ZNsHdwNFo15TtSQirQQ4JQ2yfZtLcHDAsRJ+2SbXZNJ1 2rWA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date; bh=CgyB1pqFuyd6oOwaexEE4huCtVDiq4NviMPw1wrlL6w=; b=t5UtOboYCVhcmcvrgggdKdmzIiOrvilA/2CdfZCwJBN4He49ZmV+uwGApYGW6M7iSE iBzAvJAkc9b8WhNU3T8rlBh3XfuBxjVKG6uh24brmGblmMMffIgrHxjfuGll5HJH3QEO mTMP0UJU+gwo1ozAMNb0OnYMMVNl+3HfnvVigmy+rnpxJUH2yBqdY11rcHwcaYSZ90Fu D2dSYXMAKhPZv7fAEuVPNK5a0jxXUKNdbMunwhq5muLU33hpgZfiq101TxBUBtp5aRdl JVCDuszASBBDw2g4AO9ZMoS7h3/uWDv5zFKZqbZcIIFKk9i8JrMY7mnQ27NHSdCqS/w2 nG4A== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id l1si5450482ejr.246.2019.10.06.05.19.57; Sun, 06 Oct 2019 05:20:20 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726458AbfJFMPt (ORCPT + 99 others); Sun, 6 Oct 2019 08:15:49 -0400 Received: from atrey.karlin.mff.cuni.cz ([195.113.26.193]:45730 "EHLO atrey.karlin.mff.cuni.cz" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726275AbfJFMPs (ORCPT ); Sun, 6 Oct 2019 08:15:48 -0400 Received: by atrey.karlin.mff.cuni.cz (Postfix, from userid 512) id 626FA80463; Sun, 6 Oct 2019 14:15:31 +0200 (CEST) Date: Sun, 6 Oct 2019 14:15:45 +0200 From: Pavel Machek To: "Theodore Y. Ts'o" Cc: Kurt Roeckx , linux-kernel@vger.kernel.org Subject: Re: Stop breaking the CSRNG Message-ID: <20191006121545.GF24605@amd> References: <20191002165533.GA18282@roeckx.be> <20191003033655.GA3226@mit.edu> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="lIrNkN/7tmsD/ALM" Content-Disposition: inline In-Reply-To: <20191003033655.GA3226@mit.edu> User-Agent: Mutt/1.5.23 (2014-03-12) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org --lIrNkN/7tmsD/ALM Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Wed 2019-10-02 23:36:55, Theodore Y. Ts'o wrote: > On Wed, Oct 02, 2019 at 06:55:33PM +0200, Kurt Roeckx wrote: > >=20 > > But it seems people are now thinking about breaking getrandom() too, > > to let it return data when it's not initialized by default. Please > > don't. >=20 > "It's complicated" >=20 > The problem is that whether a CRNG can be considered secure is a > property of the entire system, including the hardware, and given the > large number of hardware configurations which the kernel and OpenSSL > can be used, in practice, we can't assure that getrandom(2) is > "secure" without making certain assumptions. For example, if we > assume that the CPU is an x86 processor new enough to support RDRAND, > and that RDRAND is competently implemented (e.g., it won't disappear > after a suspend/resume) and doesn't have any backdoors implanted in > it, then it's easy to say that getrandom() will always be secure. Actually... if we have buggy AMD CPU with broken RDRAND, we should still be able to get enough entropy during boot so that getrandom() is cryptographically secure. I don't think we get that right at the moment. > Bottom line, we can do the best we can with each of our various > components, but without control over the hardware that will be in use, > or for OpenSSL, what applications are trying to call OpenSSL for, and > when they might try to generate long-term public keys during the first > boot, perfection is always going to be impossible to achieve. The > only thing we can choose is how do we handle failure. >=20 > And Linus has laid down the law that a performance improving commit > should never cause boot-ups to hang due to the lack of randomness. > Given that I can't control when some application might try to call > OpenSSL to generate a long-term public key, and OpenSSL certainly > can't control if it gets called during early boot, if getrandom(2) > ever boots, we can't meet Linus's demand. You can. You can just access disk while the userpsace is blocked on getrandom. ("find /"). Best regards, Pavel --=20 (english) http://www.livejournal.com/~pavelmachek (cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blo= g.html --lIrNkN/7tmsD/ALM Content-Type: application/pgp-signature; name="signature.asc" Content-Description: Digital signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iEYEARECAAYFAl2Z2vEACgkQMOfwapXb+vKfXwCfabBwBy1NSsdYvWFokr8878nN mtEAn0xKb8plDgbKxaqnpvotbEMhhc6b =JIat -----END PGP SIGNATURE----- --lIrNkN/7tmsD/ALM--