Received: by 2002:a25:c593:0:0:0:0:0 with SMTP id v141csp1183032ybe; Wed, 11 Sep 2019 10:37:32 -0700 (PDT) X-Google-Smtp-Source: APXvYqyrY0zEEJSfF2wRmQz/CM9tslraVSWD1ntPpysF+9N+khijUuQ3POGEClVbOWYrVkWi+ucy X-Received: by 2002:a17:906:4e13:: with SMTP id z19mr30132680eju.88.1568223452653; Wed, 11 Sep 2019 10:37:32 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1568223452; cv=none; d=google.com; s=arc-20160816; b=tfhqI8zuB8oB13IloYx/+zMama2jtVeAa+IJAT0I9oaDWNAm5poDnSS50mdoee9gV4 oHFmXER29NFvLRi4WsMWTnpVtNudL1Lm3CuYAIiAvZ8i2eFFYu6q8InX4xpiT86oCi6A F/6Z7DmTY7/pynFn2CqP/D/7X8TQuKNhWQEGoEdXfmhgJUlhEi5H3K4pada3OSTCsMOy 6DMSS4s9APNMmpvVDhm4NvVrZ3JOnggQKJLczWFcF5v7lEXoLRnEMt9AdD6kvda4kBQm pevdLVAXxvnJ/pfwSBIUgzBG3Z3sFJjfNF35lqXhWjz8yTc2DKJOInC1oYr7BuynICx6 6feA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date; bh=hnYIUuPqoanBnG8ZD1PumECwV9++tTTDJcRWPShWHVI=; b=NmPDfRSV2LZHircZYGTL8Ma5fWlOSLZIdwD1r93iycO8gtkCB55zqBzzE2Ppfm4CW4 TxrhurgPFG4iA+DClVZhVXft9OtqCByiGIoE989KRgAG/ngzzPUkBEZWxH7vUMvY2Gjw f9hURIR++axlbZtIL6njyZFwaQBnxRPMGBEGOIR9I9rDaoENTDd5YNHTK7Dts0FFK+En gHP3ClRuyZEDoog2d0zotuqg7Ckm4N9vd4igAF+JwHa4S5ujsPmrF8YC5bpFbxY90Tkt upm4pA0jbRVkoGGboTmYqsjIe3d71RwdIGEogWnNjfE8/66LieektsQ3bNQ0XH3XJzVD pGJg== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-ext4-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-ext4-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id oj20si11453489ejb.58.2019.09.11.10.37.04; Wed, 11 Sep 2019 10:37:32 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-ext4-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-ext4-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-ext4-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1729352AbfIKRgs (ORCPT + 99 others); Wed, 11 Sep 2019 13:36:48 -0400 Received: from outgoing-auth-1.mit.edu ([18.9.28.11]:52259 "EHLO outgoing.mit.edu" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1729349AbfIKRgs (ORCPT ); Wed, 11 Sep 2019 13:36:48 -0400 Received: from callcc.thunk.org (38.85.69.148.rev.vodafone.pt [148.69.85.38] (may be forged)) (authenticated bits=0) (User authenticated as tytso@ATHENA.MIT.EDU) by outgoing.mit.edu (8.14.7/8.12.4) with ESMTP id x8BHaOjG004821 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Wed, 11 Sep 2019 13:36:27 -0400 Received: by callcc.thunk.org (Postfix, from userid 15806) id 37C7442049E; Wed, 11 Sep 2019 13:36:24 -0400 (EDT) Date: Wed, 11 Sep 2019 13:36:24 -0400 From: "Theodore Y. Ts'o" To: Linus Torvalds Cc: "Ahmed S. Darwish" , Andreas Dilger , Jan Kara , Ray Strode , William Jon McCann , zhangjs , linux-ext4@vger.kernel.org, lkml Subject: Re: Linux 5.3-rc8 Message-ID: <20190911173624.GI2740@mit.edu> References: <20190910042107.GA1517@darwi-home-pc> <20190910173243.GA3992@darwi-home-pc> <20190911160729.GF2740@mit.edu> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.10.1 (2018-07-13) Sender: linux-ext4-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-ext4@vger.kernel.org On Wed, Sep 11, 2019 at 06:00:19PM +0100, Linus Torvalds wrote: > [ 0.231255] random: get_random_bytes called from > start_kernel+0x323/0x4f5 with crng_init=0 > > and that's this code: > > add_latent_entropy(); > add_device_randomness(command_line, strlen(command_line)); > boot_init_stack_canary(); > > in particular, it's the boot_init_stack_canary() thing that asks for a > random number for the canary. > > I don't actually see the 'crng init done' until much much later: > > [ 21.741125] random: crng init done Yes, that's super early in the boot sequence. IIRC the stack canary gets reinitialized later (or maybe it was only for the other CPU's in SMP mode; I don't recall the details of the top of my head). I think this one always fails, and perhaps we should have a way of suppressing it --- but that's correct the in-kernel interface doesn't block. The /dev/urandom device doesn't block either, despite security eggheads continually asking me to change it to block ala getrandom(2), but I have always pushed because because I *know* changing /dev/urandom to block would be asking for userspace regressions. The compromise we came up with was that since getrandom(2) is a new interface, we could make this have the behavior that the security heads wanted, which is to make blocking unconditional, since the theory was that *this* interface would be sane, and that userspace applications which used it too early was buggy, and we could make it *their* problem. People have suggested adding a new getrandom flag, GRND_I_KNOW_THIS_IS_INSECURE, or some such, which wouldn't block and would return "best efforts" randomness. I haven't been super enthusiastic about such a flag because I *know* it would be insecure. However, the next time a massive security bug shows up on the front pages of the Wall Street Journal, or on some web site such as https://factorable.net, it won't be the kernel's fault since the flag will be GRND_INSECURE_BROKEN_APPLICATION, or some such. It doesn't really solve the problem, though. > But this does show that > > (a) we have the same issue in the kernel, and we don't block there Ultimately, I think the only right answer is to make it the bootloader's responsibility to get us some decent entropy at boot time. There are patches to allow ARM systems to pass in entropy via the device tree. And in theory (assuming you trust the UEFI BIOS --- stop laughing in the back!) we can use that get entropy which will solve the problem for UEFI boot systems. I've been talking to Ron Minnich about trying to get this support into the NERF bootloader, at which point new servers from the Open Compute Project will have a solution as well. (We can probably also get solutions for Chrome OS devices, since those have TPM-like which are trusted to have a comptently engineered hardware RNG --- I'm not sure I would trust all TPM devices in commodity hardware, but again, at least we can shift blame off of the kernel. :-P) Still, these are all point solutions, and don't really solve the problem on older systems, or non-x86 systems. > (b) initializing the crng really can be a timing problem > > The interrupt thing is only going to get worse as disks turn into > ssd's and some of them end up using polling rather than interrupts.. > So we're likely to see _fewer_ interrupts in the future, not more. Yeah, agreed. Maybe we should have an "insecure_randomness" boot option which blindly forces the CRNG to be initialized at boot, so that at least people can get to a command line, if insecurely? I don't have any good ideas about how to solve this problem in general. :-( :-( :-( - Ted