Date: Wed, 30 Mar 2022 15:01:31 -0400
From: "Theodore Y. Ts'o"
To: Michael Brooks
Cc: David Laight, Sasha Levin, Dominik Brodowski, Eric Biggers, Greg Kroah-Hartman, "Jason A. Donenfeld", Jean-Philippe Aumasson, "linux-kernel@vger.kernel.org", "stable@vger.kernel.org"
Subject: Re: [PATCH AUTOSEL 5.17 16/43] random: use computational hash for entropy extraction

On Wed, Mar 30, 2022 at 11:33:21AM -0700, Michael Brooks wrote:
> The /dev/random device driver need not concern itself with root
> adversaries as this type of user has permissions to read and overwrite
> memory - this user even possesses permission to replace the kernel elf
> binary with a copy of /dev/random that always returns the number 0 -
> that is their right.

The design consideration that random number generators do concern
themselves with is recovery after pool exposure. This could happen
through any number of ways; maybe someone got a hold of the suspended
image after a hibernation, or maybe a VM is getting hibernated, and
then replicated, etc.

One can argue whether or not it's "reasonable" that these sorts of
attacks could happen, or whether they are equivalent to full root
access whether you can overwrite the pool. The point remains that it
is *possible* to have situations where the internal state of the RNG
might have gotten exposed, and a design criterion is how quickly or
reliably can you recover from that situation over time. See the Yarrow
paper and its discussion of iterative guessing attack for an
explanation of why cryptographers like John Kelsey, Bruce Schneier,
and Niels Ferguson think it is important.

And please don't argue with me on this point while discussing which
patches should be backported to stable kernels --- argue with them. :-)

Cheers,

					- Ted
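
The recovery property discussed in the message above, as an added example that is not part of the original e-mail and is not kernel code. It is a toy SHA-256 model (mix, output, run_rng and attacker_track are hypothetical names, and the exposed state and samples are constructed) comparing how the same 32 bits of fresh entropy fare when mixed in one byte at a time with outputs visible in between versus accumulated and mixed in as one batch.

```python
import hashlib

def mix(state: bytes, sample: bytes) -> bytes:
    # Toy reseed: new state = H("mix" || old state || fresh sample).
    return hashlib.sha256(b"mix" + state + sample).digest()

def output(state: bytes) -> bytes:
    # Toy output function; one-way, so outputs alone do not reveal the state.
    return hashlib.sha256(b"out" + state).digest()

def run_rng(state: bytes, samples: bytes, batch: int):
    # Reseed with `batch` bytes at a time; one observable output per reseed.
    outs = []
    for i in range(0, len(samples), batch):
        state = mix(state, samples[i:i + batch])
        outs.append(output(state))
    return state, outs

def attacker_track(exposed: bytes, outs, batch: int, budget: int):
    # Starting from an exposed state, guess each reseed input and confirm the
    # guess against the next observed output. Returns (state or None, guesses).
    state, used = exposed, 0
    for out in outs:
        for guess in range(256 ** batch):
            if used == budget:
                return None, used
            used += 1
            cand = mix(state, guess.to_bytes(batch, "big"))
            if output(cand) == out:
                state = cand
                break
        else:
            return None, used
    return state, used

# Constructed sample data: an exposed pool and 32 bits of later entropy.
EXPOSED = hashlib.sha256(b"constructed exposed pool").digest()
SAMPLES = bytes([0x9C, 0x41, 0xE7, 0x5A])
BUDGET = 1 << 16

def demo():
    real_trickle, outs_trickle = run_rng(EXPOSED, SAMPLES, batch=1)
    real_batched, outs_batched = run_rng(EXPOSED, SAMPLES, batch=4)
    tracked, used_t = attacker_track(EXPOSED, outs_trickle, 1, BUDGET)
    lost, used_b = attacker_track(EXPOSED, outs_batched, 4, BUDGET)
    return tracked == real_trickle, used_t, lost is None, used_b

if __name__ == "__main__":
    print(demo())
```

With entropy trickled in, the observer who held the exposed state keeps following it for a few hundred guesses; with the same bytes batched into one reseed, the same guess budget is exhausted and the state is lost to them.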