From: Michael Brooks
Date: Wed, 30 Mar 2022 12:08:44 -0700
Subject: Re: [PATCH AUTOSEL 5.17 16/43] random: use computational hash for entropy extraction
To: "Theodore Y. Ts'o"
Cc: David Laight, Sasha Levin, Dominik Brodowski, Eric Biggers, Greg Kroah-Hartman, "Jason A. Donenfeld", Jean-Philippe Aumasson, linux-kernel@vger.kernel.org, stable@vger.kernel.org, Nicholas Lyons
References: <20220328111828.1554086-1-sashal@kernel.org> <20220328111828.1554086-16-sashal@kernel.org> <9e78091d07d74550b591c6a594cd72cc@AcuMS.aculab.com>
X-Mailing-List: linux-kernel@vger.kernel.org

Good point Ted, I agree we should have a defense-in-depth design that plans on failure. I expect keypoolrandom to be resistant against this attack as well.

In this threat model, p' is a Laplacian Demon. Any parallel construction is aided by whatever source of information the attacker can come by. Using jiffies as a known-preimage aids Laplace's Demon, as does a memory disclosure vulnerability. Laplace's Demon can simply "get lucky" and report both false-positives and false-negatives, but in this model it should get more lucky over time.

Now we get into the realm of statistics and predictive mathematics, which gets into Langevin Dynamics and Einstein's early work describing Brownian Motion.

Looping in a fellow Cryptographer Nicholas, who has a passion for Laplace's work.

Regards,
Michael

On Wed, Mar 30, 2022 at 12:01 PM Theodore Y. Ts'o wrote:
>
> On Wed, Mar 30, 2022 at 11:33:21AM -0700, Michael Brooks wrote:
> > The /dev/random device driver need not concern itself with root
> > adversaries as this type of user has permissions to read and overwrite
> > memory - this user even possesses permission to replace the kernel elf
> > binary with a copy of /dev/random that always returns the number 0 -
> > that is their right.
>
> The design consideration that random number generators do concern
> themselves with is recovery after pool exposure. This could happen
> through any number of ways; maybe someone got a hold of the suspended
> image after a hibernation, or maybe a VM is getting hibernated, and
> then replicated, etc.
>
> One can argue whether or not it's "reasonable" that these sorts of
> attacks could happen, or whether they are equivalent to full root
> access whether you can overwrite the pool. The point remains that it
> is *possible* to have situations where the internal state of the RNG
> might have gotten exposed, and a design criterion is how quickly or
> reliably can you recover from that situation over time.
>
> See the Yarrow paper and its discussion of iterative guessing attack
> for an explanation of why cryptographers like John Kelsey, Bruce
> Schneier, and Niels Ferguson think it is important. And please don't
> argue with me on this point while discussing which patches should be
> backported to stable kernels --- argue with them. :-)
>
> Cheers,
>
> - Ted
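Ted's point about recovery after pool exposure, and the iterative guessing attack from the Yarrow paper he refers to, can be made concrete with a small simulation. The Python below is an added example written for this page; it is not code from the kernel's random.c, from keypoolrandom, or from either author. It models a hash-based pool with SHA-256 and a constructed stream of 4-bit entropy samples (the sample values, the captured pool state and the attacker's per-reseed budget of 2^10 hash evaluations are all assumptions made for the simulation) and compares two reseed policies: mixing each sample in as it arrives, versus holding samples back until enough have accumulated to reseed in one step.

```python
import hashlib
from typing import List

# Toy model of a hash-based entropy pool and the iterative guessing attack
# described in the Yarrow paper. Every value below is constructed for the
# simulation; nothing here is kernel data or kernel code.
SAMPLE_BITS = 4      # assumption: each constructed sample carries 4 bits of unpredictability
STATE_BYTES = 32


def mix(state: bytes, batch: bytes) -> bytes:
    """Pool update: new state = H(old state || fresh input), domain-separated from extraction."""
    return hashlib.sha256(b"mix|" + state + batch).digest()


def extract(state: bytes) -> bytes:
    """Output derivation: what an observer sees. The raw state is never emitted."""
    return hashlib.sha256(b"out|" + state).digest()


def int_to_samples(value: int, count: int) -> List[int]:
    """Unpack an integer into `count` 4-bit samples, most significant first."""
    return [(value >> (SAMPLE_BITS * (count - 1 - k))) & 0xF for k in range(count)]


def run_pool(samples: List[int], batch_size: int, initial_state: bytes) -> List[bytes]:
    """Device side. batch_size=1 mixes every sample as it arrives; a larger batch_size
    holds samples back until batch_size*SAMPLE_BITS bits have accumulated and then
    mixes them in at once (a catch-up reseed). Returns the output emitted after each
    reseed, which is exactly what an attacker can observe."""
    state = initial_state
    outputs = []
    for i in range(0, len(samples) - batch_size + 1, batch_size):
        state = mix(state, bytes(samples[i:i + batch_size]))
        outputs.append(extract(state))
    return outputs


def iterative_guess(outputs: List[bytes], batch_size: int, guess_budget: int,
                    exposed_state: bytes) -> int:
    """Attacker side: starts from a copy of the exposed pool state and tries to stay
    synchronised across reseeds by enumerating candidate input batches (at most
    guess_budget per reseed) and keeping the one that reproduces the observed output.
    Returns how many reseeds were tracked before synchronisation was lost."""
    state = exposed_state
    tracked = 0
    space = 1 << (SAMPLE_BITS * batch_size)
    for observed in outputs:
        resync = None
        for guess in range(min(space, guess_budget)):
            candidate = mix(state, bytes(int_to_samples(guess, batch_size)))
            if extract(candidate) == observed:
                resync = candidate
                break
        if resync is None:
            # The pool has recovered: from here on the attacker would need to
            # guess the whole 256-bit state, not just the next batch of input.
            break
        state = resync
        tracked += 1
    return tracked


# Constructed sample stream (16 nibbles). A real pool would take these from
# interrupt timing and similar sources; the values here are arbitrary.
SAMPLES = [0xA, 0x3, 0xF, 0x7, 0x1, 0xC, 0x4, 0x9, 0xE, 0x0, 0x6, 0xB, 0x5, 0x2, 0xD, 0x8]
EXPOSED = b"\x00" * STATE_BYTES   # constructed: the pool state the attacker captured (e.g. a snapshot)
BUDGET = 1 << 10                  # assumption: attacker affords 2^10 hash evaluations per reseed


def compare_policies(samples=SAMPLES, exposed=EXPOSED, budget=BUDGET) -> dict:
    """For each reseed policy, return (reseeds performed, reseeds the attacker tracked).
    A tracked count of 0 means the pool recovered at the very first reseed."""
    result = {}
    for batch_size in (1, 2, 4):
        outputs = run_pool(samples, batch_size, exposed)
        result[batch_size] = (len(outputs), iterative_guess(outputs, batch_size, budget, exposed))
    return result


if __name__ == "__main__":
    for batch_size, (reseeds, tracked) in compare_policies().items():
        print(f"batch of {batch_size} samples ({batch_size * SAMPLE_BITS} bits): "
              f"attacker tracked {tracked} of {reseeds} reseeds")
```

With the per-sample policy the attacker stays synchronised through every reseed, because 4 bits (or 8 bits, for batches of two) of fresh input are trivially enumerable against a known state, so the total entropy gathered never helps. Batching to 16 bits exceeds the constructed budget and the attacker loses the state at the first reseed, after which only the full 256-bit state would do. The quantity that decides recovery is the size of each reseed relative to what the attacker can enumerate, not how much entropy trickled in over time, which is the design criterion Ted is pointing at.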