Received: by 2002:a05:6602:18e:0:0:0:0 with SMTP id m14csp2162454ioo;
        Mon, 23 May 2022 11:34:18 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJytXQHcxZF/GSESqRXzoKWDtySrAARl9gEBb8Jkluu0fIrBDPOhX2b1BIDpJsNtxsTUHrBN
X-Received: by 2002:a63:2a55:0:b0:3f6:7295:1c4a with SMTP id q82-20020a632a55000000b003f672951c4amr16474463pgq.85.1653330857577;
        Mon, 23 May 2022 11:34:17 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1653330857; cv=none;
        d=google.com; s=arc-20160816;
        b=xqzBBlmU9ZVl6BPq12IXe77hzLYI0QhUHirodIOzVldSwUfLCvkjhtIve+2Uq0QFEF
         x7Y1R/GBdvU/kZWeEE4WlOfyYTqm31sWjz3JQI7M5c6Xcrc+tk9wPUkwMz+SoKEkstft
         HuQiuGLKjbnTMJe6+IXN8ZQefJ9hfHg7TAfSHE16io4lRaAe+Da4Wh4rhXvF9wfBRAph
         1qttrzyQFOND7K7EejFRHsm8QRrJUWBDEk+1UYmZBjnkUJTe+8ZKv8HJ6eyOr7YWXe7W
         Qzujlt88RK/Jxpk78YkIpkbfjnimiZl7odzxB2AxurL3Bh/K9HvzqwVutCr/lW6DqLEE
         KFJQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:user-agent:in-reply-to:content-disposition
         :mime-version:references:message-id:subject:cc:to:from:date;
        bh=R8XI9k+Ocy7N3QrwVgHrVubZYCBRwpxc2h4AhR83enw=;
        b=PXrXgebGeVAk603m7K3lcGId6I2EGEue0Sdcm15+fwXjQtV9NZWmE2girXyixm5afi
         bULG65tSt0K+PLNqjDPqNYMypaOLBzIvVy+jN9PiFv3zOKO2vB9imBbUn3z6apIOSRk7
         0UP0jd29zFaCasm1CVY0y/T7Mi/By2ly3KnrfhY8UR+koF1mMzHMOgROVtWAMwI8OEbN
         HacJcLt0Fk3orkgR9jT2A7TnM1veJLjxi+Sl7I4Hm+z+YRWlzWiY8Ze961sPxM/U9dft
         rUFpKUwCneq3Rtxxj190yU1BSKDpNmJt/WaYg97U/uogy12cZB3MnXJoWCF7/G58692/
         SG1g==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org
Return-Path: <linux-crypto-owner@vger.kernel.org>
Received: from lindbergh.monkeyblade.net (lindbergh.monkeyblade.net. [2620:137:e000::1:18])
        by mx.google.com with ESMTPS id z6-20020a170902d54600b00153b2d164bcsi10362680plf.196.2022.05.23.11.34.16
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Mon, 23 May 2022 11:34:17 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) client-ip=2620:137:e000::1:18;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org
Received: from vger.kernel.org (vger.kernel.org [23.128.96.18])
	by lindbergh.monkeyblade.net (Postfix) with ESMTP id 2F9025E15B;
	Mon, 23 May 2022 11:32:42 -0700 (PDT)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S242440AbiEWS2e (ORCPT <rfc822;benevolent.opressor@gmail.com>
        + 99 others); Mon, 23 May 2022 14:28:34 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:49214 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S245135AbiEWS0h (ORCPT
        <rfc822;linux-crypto@vger.kernel.org>);
        Mon, 23 May 2022 14:26:37 -0400
Received: from jabberwock.ucw.cz (jabberwock.ucw.cz [46.255.230.98])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 90F885C369;
        Mon, 23 May 2022 11:02:03 -0700 (PDT)
Received: by jabberwock.ucw.cz (Postfix, from userid 1017)
        id 827591C0B82; Mon, 23 May 2022 19:59:28 +0200 (CEST)
Date:   Mon, 23 May 2022 19:59:28 +0200
From:   Pavel Machek <pavel@ucw.cz>
To:     "Jason A. Donenfeld" <Jason@zx2c4.com>
Cc:     Theodore Ts'o <tytso@mit.edu>, linux-kernel@vger.kernel.org,
        linux-crypto@vger.kernel.org,
        Linus Torvalds <torvalds@linux-foundation.org>,
        Guenter Roeck <linux@roeck-us.net>,
        Dominik Brodowski <linux@dominikbrodowski.net>,
        Jann Horn <jannh@google.com>
Subject: Re: [PATCH] random: allow writes to /dev/urandom to influence fast
 init
Message-ID: <20220523175928.GA30223@duo.ucw.cz>
References: <20220322191436.110963-1-Jason@zx2c4.com>
 <YjqVemCkZCU1pOzj@mit.edu>
 <YjqbcQbYHCOpgqGg@zx2c4.com>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1;
        protocol="application/pgp-signature"; boundary="X1bOJ3K7DJ5YkBrT"
Content-Disposition: inline
In-Reply-To: <YjqbcQbYHCOpgqGg@zx2c4.com>
User-Agent: Mutt/1.10.1 (2018-07-13)
X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,
	HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,RDNS_NONE,
	SPF_HELO_NONE,T_SCC_BODY_TEXT_LINE autolearn=no autolearn_force=no
	version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
	lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-crypto.vger.kernel.org>
X-Mailing-List: linux-crypto@vger.kernel.org


--X1bOJ3K7DJ5YkBrT
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

Hi!

> > One of the big issues with /dev/urandom writes is that *anyone*,
> > including malicious user space, can force specific bytes to be mixed
> > in. =A0That's the source of the reluctance to immediate use inputs from
> > writes into /dev/[u]random until there is a chance for it to be mixed
> > in with other entropy which is hopefully not under the control of
> > malicious userspace.
>=20
> Right, sort of. Since we now always use a cryptographic hash function,
> we can haphazardly mix whatever any user wants, without too much
> concern. The issue is whether we _credit_ those bits. Were we to credit
> those bits, a malicious unpriv'd user could credit 248 bits of known
> input, and then bruteforce 8 bits of unknown input, and repeat, and in
> that way destroy the security of the thing. So, yea, the current
> reluctance does make sense.
>=20
> > Now, I recognize that things are a bit special in early boot, and if
> > we have a malicious script running in a systemd unit script, we might
> > as well go home. =A0But something to consider is whether we want to do
> > soemthing special if the process writing to /dev/[u]random has
> > CAP_SYS_ADMIN, or some such.
>=20
> Exactly. So one way of approaching this would be to simply credit writes
> to /dev/urandom if it's CAP_SYS_ADMIN and maybe if also !crng_ready(),
> and just skip the crng_pre_init_inject() part that this current patch
> adds. I'll attach a sample patch of what this might look like at the end
> of this email.

CAP_* should not really work like that. They should control if process
can do the operation, but should not really silently change what
syscall does based on the CAP_*...

(And yes, I'm a bit late).

Best regards,
								Pavel
							=09

--=20
People of Russia, stop Putin before his war on Ukraine escalates.

--X1bOJ3K7DJ5YkBrT
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iF0EABECAB0WIQRPfPO7r0eAhk010v0w5/Bqldv68gUCYovLgAAKCRAw5/Bqldv6
8okSAJ494jYj529aStpwUSRGJyX7bstzigCfUhDnVooEyqU8fxOWunoDWU4iZoc=
=suKg
-----END PGP SIGNATURE-----

--X1bOJ3K7DJ5YkBrT--