Received: by 2002:a25:c593:0:0:0:0:0 with SMTP id v141csp2767633ybe; Sat, 14 Sep 2019 23:59:37 -0700 (PDT) X-Google-Smtp-Source: APXvYqy/35HDMp4v9CjCjjbice+rCFuqv50m8eztEXeZIqPpf1JYv1PpfxA6d1aWHKNdgJ5/stsJ X-Received: by 2002:a17:906:5e09:: with SMTP id n9mr37439817eju.143.1568530777457; Sat, 14 Sep 2019 23:59:37 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1568530777; cv=none; d=google.com; s=arc-20160816; b=dUigMqES+b3eCEydHuQTfk3EEGTfO2gY2Hi4sS7ojtDrX/cLNnw8mpezWSK0j1cMU+ gpxQXsq87UUNsgXHkFr3WktF2jsicJWmtk4tYQA2DXL8pJzfcoPfuAo8N8HpZV2UQRSw 9YmO2s8qFkT1UpHFvAn5A6D+QE3aV9GnKKwz9L54AaeAbdWaIg/a3zAI66N45D8j5Zf9 /2UHDeC4DcygafIqm1PXI0O6vMcCHHkbQ6r+iXwCdKNzB+aPYdxEg21rwxuw0HQlB4/r mu4FylUHzWrcJAcEn+YY5hUsdRTJcEV0FoJ3RgjUfhrxfJzLeSfqnNdYAtvcXdrCn086 F8cw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date; bh=dkL8N1hlLDKhTT68bLp23YkqpIU+00emRe821VujjlE=; b=wcKaAUR2fX2v7hreaBMCQdvtzFcUGMJCJINov6TM7dH0Srmxm33deLx+BTGn989lbn v8/hs3XcSBx/9siTsyXuT2tSXlxeEgWTxwUDQUn8/y57ydYicCWGYgBYEecN71kE4t3l /YZn4k/oT1H9osiPqGEYrirjUW/IZxeZnMRFe7z/B3dx+fwZesgh+NVXUJWPAalTIOnD CcAa7nef+kDj9plA0unP5rV5E4CDjS0BFZFLNLAjvNYp3WN3+y0fe/X0VCDKNTPvfItA Xxcb4i85Rsge+0KjQJ4Q/7BBR5VNNh334KxY9KckBZpzyHvQQkR0vUgChrCRwR/9Aecq 6QQQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-ext4-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-ext4-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id bs26si17250274ejb.348.2019.09.14.23.58.59; Sat, 14 Sep 2019 23:59:37 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-ext4-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-ext4-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-ext4-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1725773AbfIOGx7 (ORCPT + 99 others); Sun, 15 Sep 2019 02:53:59 -0400 Received: from wtarreau.pck.nerim.net ([62.212.114.60]:45069 "EHLO 1wt.eu" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725497AbfIOGx7 (ORCPT ); Sun, 15 Sep 2019 02:53:59 -0400 Received: (from willy@localhost) by pcw.home.local (8.15.2/8.15.2/Submit) id x8F6rdfG021602; Sun, 15 Sep 2019 08:53:39 +0200 Date: Sun, 15 Sep 2019 08:53:39 +0200 From: Willy Tarreau To: "Theodore Y. Ts'o" Cc: Linus Torvalds , "Ahmed S. Darwish" , Andreas Dilger , Jan Kara , Ray Strode , William Jon McCann , "Alexander E. Patrakov" , zhangjs , linux-ext4@vger.kernel.org, Lennart Poettering , lkml Subject: Re: Linux 5.3-rc8 Message-ID: <20190915065338.GB20811@1wt.eu> References: <20190912082530.GA27365@mit.edu> <20190914150206.GA2270@darwi-home-pc> <20190914211126.GA4355@darwi-home-pc> <20190914222432.GC19710@mit.edu> <20190915010037.GE19710@mit.edu> <20190915020521.GF19710@mit.edu> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20190915020521.GF19710@mit.edu> User-Agent: Mutt/1.6.1 (2016-04-27) Sender: linux-ext4-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-ext4@vger.kernel.org On Sat, Sep 14, 2019 at 10:05:21PM -0400, Theodore Y. Ts'o wrote: > You basically want to turn getrandom into /dev/urandom. And that's > how we got into the mess where 10% of the publically accessible ssh > keys could be guessed. Not exactly. This was an *API* issue that created this situation. The fact that you had a single random() call in the libc, either mapped to /dev/urandom or to /dev/random. By then many of us were used to rely on one or the other and finding systems where /dev/random was a symlink to /dev/urandom to avoid blocking was extremely common. In fact it was caused by the exact same situation: we try to enforce good random for everyone, it cannot work all the time and breaks programs which do not need such randoms, so the user breaks the trust on randomness by configuring the system so that randoms work all the time for the most common programs. And that's how you end up with SSH trusting a broken random generator without knowing it was misconfigured. Your getrandom() API does have the ability to fix this. In my opinion the best way to proceed is to consider that all those who don't care about randomness quality never block and that those who care can be sure they will either get good randoms or will know about it. Ideally calling getrandom() without any flag should be equivalent to what you have with /dev/urandom and be good enough to put a UUID on a file system. And calling it with "SECURE" or something like this will be the indication that it will not betray you and will only return good randoms (which is what GRND_RANDOM does in my opinion). The huge difference between getrandom() and /dev/*random here is that each application can decide what type of random to use without relying on what system-wide breakage was applied just for the sake of fixing another simple application. This could even help OpenSSL use two different calls for RAND_bytes() and RAND_pseudo_bytes(), instead of using the same call and blocking. Last but not least, I think we need to educate developers regarding random number consumption, asking "if you could produce only 16 bytes of random in your whole system's lifetime, where would you use them?". Entropy is extremely precious and yet the most poorly used resource. I almost wouldn't mind seeing GRND_RANDOM requiring a special capability since it does have a system-wide impact! Regards, Willy