Received: by 2002:a25:8b91:0:0:0:0:0 with SMTP id j17csp9618761ybl; Thu, 26 Dec 2019 02:22:22 -0800 (PST) X-Google-Smtp-Source: APXvYqx4SY5aaieIC+x9fqU6tF9nmsjF4F8Wk+4Neb6ZMYuy5juieXOzyJYXbBy8GLiNRzguhadL X-Received: by 2002:a9d:7f12:: with SMTP id j18mr51764674otq.17.1577355742008; Thu, 26 Dec 2019 02:22:22 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1577355742; cv=none; d=google.com; s=arc-20160816; b=C8MIANOVbjYMvV+5JlJDVzQAsEYxEfDkA/dBV1ahOJH8ETFe7qt2McLPO57OuV1IEo ZGccl8MnE/nlFpm+YNSFP21YQ2Puk5vvuMh8Fgmqobivk0+sNXuODEQYMbOW8AmhaM8P L2Yf4VIQR+o8lsY1WpXaygLlM92OMd9JOpnOu1c0DluUTLhzaiUxqHZ+Ap4YxYDCNSH0 aG5bROmDjGln1mmN2cGPmHJaT1rRXEv0DCcYk1RfINKodanHoqTjN8Z9zW0yySRNBBho rMs+qLGpi4qnun0Z7KKSyMk/4QZHhIBv/6fXJ+AvV+gT1ExRY4QGr/gn0TwtP/yxJjlu yfgA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-transfer-encoding:content-disposition:mime-version :references:message-id:subject:cc:to:from:date:dkim-signature; bh=C3mxjaIDMuJTeQyZTd+qCmmlFsqprmMX4F3TTiwzZHM=; b=tTqrDODJ+3fRFhxlsj6TtO9x24fD6P1/YDvqAVBFE8Sq8EOTznizXQHa4iDS/q9dtL P83DZChCuB1js6Bq/+OXEvGWT7dG1iCAdR0gf1vRqxReY0tNazPYm8uxjTaEqKNhuA5L 0dz/+aej0oFlIkqYhODIi1pH9rxeoSu+OXp02x4lkB/ZXsODEnz8Sh8eWB8Bl+/qLY1g yQvzGy0iFrO5MzpjmISiwc0gplIlu8O0UvK+Q3Rv8/7PqdK0p6kY8xm3WlqUNlTNRfAN MqJ+OFmBcbBUhGI4+NGaHlLrgy0ttth2O3bXBSaGZ/D9T6U8C7jsgum2fYhdXyLp/orX WQqA== ARC-Authentication-Results: i=1; mx.google.com; dkim=fail header.i=@codon.org.uk header.s=63138784 header.b=j8R00hr2; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id q26si12802306oij.38.2019.12.26.02.22.11; Thu, 26 Dec 2019 02:22:21 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=fail header.i=@codon.org.uk header.s=63138784 header.b=j8R00hr2; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726505AbfLZKVf (ORCPT + 99 others); Thu, 26 Dec 2019 05:21:35 -0500 Received: from cavan.codon.org.uk ([93.93.128.6]:47018 "EHLO cavan.codon.org.uk" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726055AbfLZKVf (ORCPT ); Thu, 26 Dec 2019 05:21:35 -0500 X-Greylist: delayed 1074 seconds by postgrey-1.27 at vger.kernel.org; Thu, 26 Dec 2019 05:21:34 EST DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=codon.org.uk; s=63138784; h=In-Reply-To:Content-Transfer-Encoding: Content-Type:MIME-Version:References:Message-ID:Subject:Cc:To:From:Date: Sender:Reply-To:Content-ID:Content-Description:Resent-Date:Resent-From: Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help: List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=C3mxjaIDMuJTeQyZTd+qCmmlFsqprmMX4F3TTiwzZHM=; b=j8R00hr2GEVsOkbbGEEmt01bYd vwA5caOLAxxH/pweQc3aPeaNuRixw7i2grmlD/9PxsIZFK2Hh9sYr11z17uDc9/Fk56hsulaz6mIQ QvAS7cNOG3FHxojjB1kadh6cR6NF54E366ltCDtGX32pLpVu7EWuJeBtSUiyyvREzbOQ=; Received: from mjg59 by cavan.codon.org.uk with local (Exim 4.89) (envelope-from ) id 1ikPzS-0003n7-Sm; Thu, 26 Dec 2019 10:03:34 +0000 Date: Thu, 26 Dec 2019 10:03:34 +0000 From: Matthew Garrett To: Stephan =?iso-8859-1?Q?M=FCller?= Cc: Andy Lutomirski , Ted Ts'o , LKML , Linux API , Kees Cook , "Jason A. Donenfeld" , "Ahmed S. Darwish" , Lennart Poettering , "Eric W. Biederman" , "Alexander E. Patrakov" , Michael Kerrisk , Willy Tarreau , Ext4 Developers List , linux-man Subject: Re: [PATCH v3 0/8] Rework random blocking Message-ID: <20191226100334.bsh3b3dphs4j4cvx@srcf.ucam.org> References: <9872655.prSdhymlXK@positron.chronox.de> MIME-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: <9872655.prSdhymlXK@positron.chronox.de> User-Agent: NeoMutt/20170113 (1.7.2) X-SA-Exim-Connect-IP: X-SA-Exim-Mail-From: mjg59@cavan.codon.org.uk X-SA-Exim-Scanned: No (on cavan.codon.org.uk); SAEximRunCond expanded to false Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, Dec 26, 2019 at 10:29:00AM +0100, Stephan M?ller wrote: > > What about offering a compile-time option to enable or disable such code? > Note, with the existing random.c code base, there is no need to have a > separate blocking_pool. The ChaCha20 DRNG could be used for that very same > purpose, provided that in case these true random numbers are generated when > the Chacha20 DRNG received an equal amount of "unused" entropy. I think it's reasonable to offer such an option as long as it's made clear that it'll break userland and should only be enabled under very weird circumstances. We don't want to end up in a situation where userland developers feel that they need to code to handle such situations - the only people who care about this distinction should be in control of their userland stack and able to cope with the consequences. > If an unprivileged caller requests true random data, at least 1024 bits of > entropy is left in the pool. I.e. all entropy above that point is available > for this request type. Note, even namespaces fall into this category > considering that unprivileged users can create a user name space in which they > can become root. I also feel like describing any of this as "true random data" is misleading. Most of our entropy sources are devices that could, given sufficient information, be modelled accurately. We're not sampling quantum events here. -- Matthew Garrett | mjg59@srcf.ucam.org