Received: by 2002:a25:c593:0:0:0:0:0 with SMTP id v141csp1919891ybe; Thu, 12 Sep 2019 01:26:53 -0700 (PDT) X-Google-Smtp-Source: APXvYqy3R/v5VD9DoHt0DaZ+ugAfdJGwQiLLyIC3XwKpX3/1PkeKs5nDfPImrq2zjzy7Tezb2xvn X-Received: by 2002:a17:906:3087:: with SMTP id 7mr1067039ejv.212.1568276812940; Thu, 12 Sep 2019 01:26:52 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1568276812; cv=none; d=google.com; s=arc-20160816; b=EZScMIzqJCcLLtCc2Axjgt1LTnIJNV1P3Mk2qTy2AwLa4vmQhJni5IEq6H5JPFGykN XmP7MiG9Ij91TVXbTg46Mri8f7+TOsEjFX3zvzsakRxhO3bBeySutmHLMZ9s96nBD6mM 858yN1qJKEix+wRNKyzhYty0ktm3H1ge+4KOmVyAT4arAmuajArIaLEMKcJ/4PfLbsqS zRsQXuYxaIgQbKftnjSatkyc3gNh7qiEX1RLGYN+60ZcaW7cNd3ipo8Hs8ws944Gfpnx 6rv/Ng5M8/fnvBZPTIEtJ5+uANnU1juqNIjHvmS0VJ8Tj0MYhfxlyRWKlMUkcWxzJgcg 7ZbQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date; bh=gjdgllr/HKs8s3FkY5KOtQbV0PijlPwcUua7A268ThI=; b=bZX7fl/m/FsQtWqZlpg9CNpLm0CUjpjOVE8TzDeoFZQ0oNhKr9f2qOw/OaHJsPJRiS s7HvVW0SaWEGgtiJky9ZzM9DQBKSTKa5Tm5GgrPAlvWoGk6zBd0rDWX+F2OUrJyuJqzI w2uLYbwSep5ils32gOeWoPIit/YIS2YgSX4sLFMDEITmMmEcwshU9SGoLGqAlCJga/ys LpYSZcmjtZiouWOPek+E8h5+ok2GkZbtBkrhE4lUYrV0rTF6cpik+xSoABeOS1FCcukd 5TPskl8k6n6QmtZMZP8qDv6MOmbx4Qjp+BQVTdi0Wed4padQc/XfA/jq4cyxscr+nAZc JSpw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-ext4-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-ext4-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id f4si12005657ejr.273.2019.09.12.01.26.22; Thu, 12 Sep 2019 01:26:52 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-ext4-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-ext4-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-ext4-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1730213AbfILI0D (ORCPT + 99 others); Thu, 12 Sep 2019 04:26:03 -0400 Received: from outgoing-auth-1.mit.edu ([18.9.28.11]:43235 "EHLO outgoing.mit.edu" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1725765AbfILI0D (ORCPT ); Thu, 12 Sep 2019 04:26:03 -0400 Received: from callcc.thunk.org (38.85.69.148.rev.vodafone.pt [148.69.85.38] (may be forged)) (authenticated bits=0) (User authenticated as tytso@ATHENA.MIT.EDU) by outgoing.mit.edu (8.14.7/8.12.4) with ESMTP id x8C8PVKg015863 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Thu, 12 Sep 2019 04:25:33 -0400 Received: by callcc.thunk.org (Postfix, from userid 15806) id A129142049E; Thu, 12 Sep 2019 04:25:30 -0400 (EDT) Date: Thu, 12 Sep 2019 04:25:30 -0400 From: "Theodore Y. Ts'o" To: "Ahmed S. Darwish" Cc: Linus Torvalds , Andreas Dilger , Jan Kara , Ray Strode , William Jon McCann , "Alexander E. Patrakov" , zhangjs , linux-ext4@vger.kernel.org, lkml Subject: Re: Linux 5.3-rc8 Message-ID: <20190912082530.GA27365@mit.edu> References: <20190910042107.GA1517@darwi-home-pc> <20190910173243.GA3992@darwi-home-pc> <20190911160729.GF2740@mit.edu> <20190911173624.GI2740@mit.edu> <20190912034421.GA2085@darwi-home-pc> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20190912034421.GA2085@darwi-home-pc> User-Agent: Mutt/1.10.1 (2018-07-13) Sender: linux-ext4-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-ext4@vger.kernel.org On Thu, Sep 12, 2019 at 05:44:21AM +0200, Ahmed S. Darwish wrote: > > People have suggested adding a new getrandom flag, GRND_I_KNOW_THIS_IS_INSECURE, > > or some such, which wouldn't block and would return "best efforts" > > randomness. I haven't been super enthusiastic about such a flag > > because I *know* it would be abused. However, the next time a massive > > security bug shows up on the front pages of the Wall Street Journal, > > or on some web site such as https://factorable.net, it won't be the kernel's fault > > since the flag will be GRND_INSECURE_BROKEN_APPLICATION, or some such. > > It doesn't really solve the problem, though. Hmm, one thought might be GRND_FAILSAFE, which will wait up to two minutes before returning "best efforts" randomness and issuing a huge massive warning if it is triggered? > At least for generating the MIT cookie, it would make some sort of > sense... Really caring about truly random-numbers while using Xorg > is almost like perfecting a hard-metal door for the paper house ;) For the MIT Magic Cookie, it might as well use GRND_NONBLOCK, and if it fails due to randomness being not available, it should just fall back to random_r(3). Or heck, just use random_r(3) all the time, since it's not at all secure anyway.... > Just 8 days ago, systemd v243 was released, with systemd-random-seed(8) > now supporting *crediting* the entropy while loading the random seed: > > https://systemd.io/RANDOM_SEEDS > > systemd-random-seed do something similar to what OpenBSD does, by > preserving the seed across reboots at /var/lib/systemd/random-seed. That makes it systemd's responsibility to properly manage the random seed file, and if the random seed file gets imaged, or if it gets read while the system is off, that's on systemd.... which is fine. The real problem here is that we're trying to engineer a system which makes it safe for real cryptographic systems, but there's no way to distinguish between real cryptographic systems where proper entropy is critical and pretend security systems like X.org's MIT Magic Cookie --- or python trying to get random numbers seeding its dictionary hash tables to avoid DOS attacks when python is used for CGI scripts --- but guess what happens when python is used for systemd generator scripts in early boot.... before the random seed file might even be mounted? In that case, python reverted to using /dev/urandom, which was probably the right choice --- it didn't *need* to use getrandom. > 1. Cutting down the number of bits needed to initialize the CRNG > to 256 bits (CHACHA20 cipher) Does the attach patch (see below) help? > 2. Complaining loudly when getrandom() is used while the CRNG is > not yet initialized. A kernel printk will make it easier for people to understand why their system is hung, in any case --- and which process is to blame. So that's definitely a good thing. - Ted diff --git a/drivers/char/random.c b/drivers/char/random.c index 5d5ea4ce1442..b9b3a5a82abf 100644 --- a/drivers/char/random.c +++ b/drivers/char/random.c @@ -500,7 +500,7 @@ static int crng_init = 0; #define crng_ready() (likely(crng_init > 1)) static int crng_init_cnt = 0; static unsigned long crng_global_init_time = 0; -#define CRNG_INIT_CNT_THRESH (2*CHACHA_KEY_SIZE) +#define CRNG_INIT_CNT_THRESH CHACHA_KEY_SIZE static void _extract_crng(struct crng_state *crng, __u8 out[CHACHA_BLOCK_SIZE]); static void _crng_backtrack_protect(struct crng_state *crng, __u8 tmp[CHACHA_BLOCK_SIZE], int used);