Received: by 2002:a05:6602:18e:0:0:0:0 with SMTP id m14csp2162454ioo; Mon, 23 May 2022 11:34:18 -0700 (PDT) X-Google-Smtp-Source: ABdhPJytXQHcxZF/GSESqRXzoKWDtySrAARl9gEBb8Jkluu0fIrBDPOhX2b1BIDpJsNtxsTUHrBN X-Received: by 2002:a63:2a55:0:b0:3f6:7295:1c4a with SMTP id q82-20020a632a55000000b003f672951c4amr16474463pgq.85.1653330857577; Mon, 23 May 2022 11:34:17 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1653330857; cv=none; d=google.com; s=arc-20160816; b=xqzBBlmU9ZVl6BPq12IXe77hzLYI0QhUHirodIOzVldSwUfLCvkjhtIve+2Uq0QFEF x7Y1R/GBdvU/kZWeEE4WlOfyYTqm31sWjz3JQI7M5c6Xcrc+tk9wPUkwMz+SoKEkstft HuQiuGLKjbnTMJe6+IXN8ZQefJ9hfHg7TAfSHE16io4lRaAe+Da4Wh4rhXvF9wfBRAph 1qttrzyQFOND7K7EejFRHsm8QRrJUWBDEk+1UYmZBjnkUJTe+8ZKv8HJ6eyOr7YWXe7W Qzujlt88RK/Jxpk78YkIpkbfjnimiZl7odzxB2AxurL3Bh/K9HvzqwVutCr/lW6DqLEE KFJQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:user-agent:in-reply-to:content-disposition :mime-version:references:message-id:subject:cc:to:from:date; bh=R8XI9k+Ocy7N3QrwVgHrVubZYCBRwpxc2h4AhR83enw=; b=PXrXgebGeVAk603m7K3lcGId6I2EGEue0Sdcm15+fwXjQtV9NZWmE2girXyixm5afi bULG65tSt0K+PLNqjDPqNYMypaOLBzIvVy+jN9PiFv3zOKO2vB9imBbUn3z6apIOSRk7 0UP0jd29zFaCasm1CVY0y/T7Mi/By2ly3KnrfhY8UR+koF1mMzHMOgROVtWAMwI8OEbN HacJcLt0Fk3orkgR9jT2A7TnM1veJLjxi+Sl7I4Hm+z+YRWlzWiY8Ze961sPxM/U9dft rUFpKUwCneq3Rtxxj190yU1BSKDpNmJt/WaYg97U/uogy12cZB3MnXJoWCF7/G58692/ SG1g== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org Return-Path: Received: from lindbergh.monkeyblade.net (lindbergh.monkeyblade.net. [2620:137:e000::1:18]) by mx.google.com with ESMTPS id z6-20020a170902d54600b00153b2d164bcsi10362680plf.196.2022.05.23.11.34.16 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 23 May 2022 11:34:17 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) client-ip=2620:137:e000::1:18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by lindbergh.monkeyblade.net (Postfix) with ESMTP id 2F9025E15B; Mon, 23 May 2022 11:32:42 -0700 (PDT) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S242440AbiEWS2e (ORCPT + 99 others); Mon, 23 May 2022 14:28:34 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:49214 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S245135AbiEWS0h (ORCPT ); Mon, 23 May 2022 14:26:37 -0400 Received: from jabberwock.ucw.cz (jabberwock.ucw.cz [46.255.230.98]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 90F885C369; Mon, 23 May 2022 11:02:03 -0700 (PDT) Received: by jabberwock.ucw.cz (Postfix, from userid 1017) id 827591C0B82; Mon, 23 May 2022 19:59:28 +0200 (CEST) Date: Mon, 23 May 2022 19:59:28 +0200 From: Pavel Machek To: "Jason A. Donenfeld" Cc: Theodore Ts'o , linux-kernel@vger.kernel.org, linux-crypto@vger.kernel.org, Linus Torvalds , Guenter Roeck , Dominik Brodowski , Jann Horn Subject: Re: [PATCH] random: allow writes to /dev/urandom to influence fast init Message-ID: <20220523175928.GA30223@duo.ucw.cz> References: <20220322191436.110963-1-Jason@zx2c4.com> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="X1bOJ3K7DJ5YkBrT" Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.10.1 (2018-07-13) X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00, HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,RDNS_NONE, SPF_HELO_NONE,T_SCC_BODY_TEXT_LINE autolearn=no autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-crypto@vger.kernel.org --X1bOJ3K7DJ5YkBrT Content-Type: text/plain; charset=iso-8859-1 Content-Disposition: inline Content-Transfer-Encoding: quoted-printable Hi! > > One of the big issues with /dev/urandom writes is that *anyone*, > > including malicious user space, can force specific bytes to be mixed > > in. =A0That's the source of the reluctance to immediate use inputs from > > writes into /dev/[u]random until there is a chance for it to be mixed > > in with other entropy which is hopefully not under the control of > > malicious userspace. >=20 > Right, sort of. Since we now always use a cryptographic hash function, > we can haphazardly mix whatever any user wants, without too much > concern. The issue is whether we _credit_ those bits. Were we to credit > those bits, a malicious unpriv'd user could credit 248 bits of known > input, and then bruteforce 8 bits of unknown input, and repeat, and in > that way destroy the security of the thing. So, yea, the current > reluctance does make sense. >=20 > > Now, I recognize that things are a bit special in early boot, and if > > we have a malicious script running in a systemd unit script, we might > > as well go home. =A0But something to consider is whether we want to do > > soemthing special if the process writing to /dev/[u]random has > > CAP_SYS_ADMIN, or some such. >=20 > Exactly. So one way of approaching this would be to simply credit writes > to /dev/urandom if it's CAP_SYS_ADMIN and maybe if also !crng_ready(), > and just skip the crng_pre_init_inject() part that this current patch > adds. I'll attach a sample patch of what this might look like at the end > of this email. CAP_* should not really work like that. They should control if process can do the operation, but should not really silently change what syscall does based on the CAP_*... (And yes, I'm a bit late). Best regards, Pavel =09 --=20 People of Russia, stop Putin before his war on Ukraine escalates. --X1bOJ3K7DJ5YkBrT Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iF0EABECAB0WIQRPfPO7r0eAhk010v0w5/Bqldv68gUCYovLgAAKCRAw5/Bqldv6 8okSAJ494jYj529aStpwUSRGJyX7bstzigCfUhDnVooEyqU8fxOWunoDWU4iZoc= =suKg -----END PGP SIGNATURE----- --X1bOJ3K7DJ5YkBrT--