Received: by 2002:a05:6a10:2726:0:0:0:0 with SMTP id ib38csp2091869pxb; Fri, 25 Mar 2022 10:57:00 -0700 (PDT) X-Google-Smtp-Source: ABdhPJz3T3CAxWi4JVcxqId9/xtEG64Pxqy5/wW7IZgibBCF2KgUYOeWGoauKk8KyHkTI35KCDAC X-Received: by 2002:a17:902:8f82:b0:151:5d30:a019 with SMTP id z2-20020a1709028f8200b001515d30a019mr12817799plo.145.1648231020801; Fri, 25 Mar 2022 10:57:00 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1648231020; cv=none; d=google.com; s=arc-20160816; b=hMpOYVgz18Q2bY3NOQ/jePpxhVK2lkCLW7iBl2YeHdu/Md1ZeQP27z0MKzSMyUq1CX mddpXd+7bax06p3Ksy1HQoMv2qQD2pZtVStFIazP32Ygq34BvAeHbE6qgXVcd9nDrO66 j4uXVx+8KvV+7s6BQx4BPPP0GgwtSoEyhylNTFOnGMxC2O9G2j7CxiYisLmiwJiQdxtb AaNnYBG2GGcCcbsjMH1V2siqrj0EItRI039ktyueh0z6F8yJom2FCejoJzGBTd3i1KMC RL7jSMCS1QsHwV4Zjfg6oycXRl0ivA/7ZG8Mcc5nz4QfG3WXp3wvJcLF9qA4xWgJebql Tz2w== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-transfer-encoding :content-disposition:mime-version:references:message-id:subject:cc :to:from:date:dkim-signature; bh=xB6PKulHp1/cEWNkjE3fDsI4g/vmyOx8TKxWNMPVing=; b=zio3I3iVe00l0qEN6G8+vB5QeEmAi9VUBG57s4C6wHawLPsVsG9ZKhAmqDDdUQVLvq CD6TFDqd8gFNQU3OnRke562QaqowlYIxm8wCMVc1y+AWHMkGLoxIyCiONCdtMU2bcdl6 Bhq455LGPPKEoGFCWt8OsQOwAa6eetjuvYbEInPK9qLfUMQfrRpNOvtLIU8DKkUn9OlB XBm13e8tWattl2yiUn/aE2RcIvhGNQySiRt4+QWKmBfdkfQTe0tOY79p7GczDM1y9Tmp Bu/3hesS1Qw3nmEin/M6Ap4V+cpNipIBlT3gtiGWm76AlDpw9p78IjgotKlBA6mFqN70 tvbg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@zx2c4.com header.s=20210105 header.b=jIWOtICf; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=zx2c4.com Return-Path: Received: from lindbergh.monkeyblade.net (lindbergh.monkeyblade.net. [2620:137:e000::1:18]) by mx.google.com with ESMTPS id c9-20020a630d09000000b003816043f001si2841896pgl.502.2022.03.25.10.57.00 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 25 Mar 2022 10:57:00 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) client-ip=2620:137:e000::1:18; Authentication-Results: mx.google.com; dkim=pass header.i=@zx2c4.com header.s=20210105 header.b=jIWOtICf; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=zx2c4.com Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by lindbergh.monkeyblade.net (Postfix) with ESMTP id 2F74510C518; Fri, 25 Mar 2022 10:36:31 -0700 (PDT) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1352219AbiCXRWT (ORCPT + 99 others); Thu, 24 Mar 2022 13:22:19 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:57512 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1344397AbiCXRWS (ORCPT ); Thu, 24 Mar 2022 13:22:18 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [IPv6:2604:1380:4641:c500::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 20267986F6; Thu, 24 Mar 2022 10:20:46 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id AFA30619AC; Thu, 24 Mar 2022 17:20:45 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 1B782C340EC; Thu, 24 Mar 2022 17:20:44 +0000 (UTC) Authentication-Results: smtp.kernel.org; dkim=pass (1024-bit key) header.d=zx2c4.com header.i=@zx2c4.com header.b="jIWOtICf" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=zx2c4.com; s=20210105; t=1648142442; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=xB6PKulHp1/cEWNkjE3fDsI4g/vmyOx8TKxWNMPVing=; b=jIWOtICfivw//orbUKop1uPxm/X9yEN5M12kFp6+SL+mY9RcEN7uXVzjiutiLabpgi0H9R suATOPU2xZBBNI9oTbDCSWUwYPkIycAInnkrD4jlGzMxDiLe3KCkyyTpiXO6Vd1SLEKcgC ipwAXnIwhRuLdMhxRft45gNkRv13qHE= Received: by mail.zx2c4.com (ZX2C4 Mail Server) with ESMTPSA id 7c58b031 (TLSv1.3:AEAD-AES256-GCM-SHA384:256:NO); Thu, 24 Mar 2022 17:20:41 +0000 (UTC) Date: Thu, 24 Mar 2022 11:20:40 -0600 From: "Jason A. Donenfeld" To: "Alex Xu (Hello71)" Cc: Jann Horn , Dominik Brodowski , Guenter Roeck , Linus Torvalds , Theodore Ts'o , Linux Crypto Mailing List , LKML Subject: Re: [PATCH] random: allow writes to /dev/urandom to influence fast init Message-ID: References: <20220322191436.110963-1-Jason@zx2c4.com> <1648009787.fah6dos6ya.none@localhost> <1648138746.2zrnsqdlu7.none@localhost> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: <1648138746.2zrnsqdlu7.none@localhost> X-Spam-Status: No, score=-2.0 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,RDNS_NONE,SPF_HELO_NONE,T_SCC_BODY_TEXT_LINE autolearn=no autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Hi Alex, On Thu, Mar 24, 2022 at 10:29 AM Alex Xu (Hello71) wrote: > > Excerpts from Jason A. Donenfeld's message of March 23, 2022 11:18 pm: > > Hi all, > > > > [...] > > > > In light of that conclusion, I'm going to work with every userspace > > downstream I can find to help them fix their file-based seeding, if it > > has bugs. I've started talking with the buildroot folks, and then I'll > > speak with the OpenRC people (being a Gentoo dev, that should be easy > > going). Systemd does the right thing already. > > > > I wrote a little utility for potential inclusion in > > busybox/util-linux/whatever when it matures beyond its current age of > > being half hour old: > > - https://git.zx2c4.com/seedrng/about/ > > - https://git.zx2c4.com/seedrng/tree/seedrng.c > > So I'll see what the buildroot people think of this and take it from there. > > > > The plus side of doing all this is that, if the efforts pan out, it > > means there'll actually be proper seeding on devices that don't > > currently do that, which then might lead to a better ecosystem and > > less boot time blocking and all that jazz. > > > > Jason > > > > The issue, in systemd developers' opinion, is that counting seed file > towards entropy initialization potentially causes repeated RNG output if > a system is cloned without resetting the seed file. This is discussed at > length in https://github.com/systemd/systemd/pull/4513. A few years ago, > I wrote most of a program to check machine ID, disk ID, DMI ID, and some > other things in order to avoid this issue. Since then, systemd decided > to store the random seed in EFI variables, I assume on the basis that > machine cloning typically does not clone the EFI variables? In my > opinion, since the same argument applies to machine ID, ssh keys, and > any other persistent cryptographic (or even non-cryptographic) material, > this falls outside the scope of random seeding and into a general > machine cloning "sysprep"-like utility. systemd's seed utility will credit a seed file if the seed file was generated properly (e.g. after the RNG was initialized). For that they use the user.random-seed-creditable xattr, which is a reasonable way of deciding. If that attribute is present, it's credited; if it's not, it's not. Here's their source:         /* If we got this random seed data from getrandom() the data is suitable for crediting          * entropy later on. Let's keep that in mind by setting an extended attribute. on the file */         if (getrandom_worked)                 if (fsetxattr(seed_fd, "user.random-seed-creditable", "1", 1, 0) < 0)                         log_full_errno(ERRNO_IS_NOT_SUPPORTED(errno) ? LOG_DEBUG : LOG_WARNING, errno,                                      "Failed to mark seed file as creditable, ignoring: %m"); Since my seedrng.c is designed for more minimal systems (running buildroot or openrc or whatever), which might not have xattrs available, it distinguishes just based on the filename: if (new_seed_creditable && rename(NON_CREDITABLE_SEED, CREDITABLE_SEED) < 0) { fprintf(stderr, "ERROR: Unable to make new seed creditable: %s\n", strerror(errno)); program_ret |= 1 << 6; } It's no surprise that these are very similar; I've read systemd's seeding logic and contributed a fix to it. By the way, if you think something is different or wrong or whatever in seedrng.c, please feel free to send me a patch for it. It already received its first contribution this morning (from the buildroot maintainer). Hopefully the code will reach a good settling point soon, and then various projects that want it can just copy and paste it verbatim into their environment, and tweak idiomatic things as needed. Jason