Received: by 2002:a25:c593:0:0:0:0:0 with SMTP id v141csp2843915ybe; Sun, 15 Sep 2019 01:59:36 -0700 (PDT) X-Google-Smtp-Source: APXvYqw1ENExtItKhc+/bPxQKnN/mETZGZC1ig6Xyq/oWT5Ba+RLB1Y7WXyEk5oaBEmmcRCdsr3E X-Received: by 2002:a50:ed17:: with SMTP id j23mr419092eds.11.1568537976632; Sun, 15 Sep 2019 01:59:36 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1568537976; cv=none; d=google.com; s=arc-20160816; b=0o2BG8I1ODB1/W7LbVqNSgVinRngttKiANUb1j+5EUOy1LdDm9bnIhpDM7qDdt5kYr 3egwI7WQ5imlorHTekgx7UuLEVxqzfg1hwUfsfLhhnDfDESNIHraoWZVON+2pBA3a7h0 sMLHWTcwkNR8CMkV7IN3ATi3LqXPSpjDhwfsRrFkVWpvflRp/zqQ2wp8RvBmDVxP3o1j D9A+TkYbCNo0zKTsjuAXjCvQBVuxgBv9QHyChRMtpVaiwEQnZYG1GZdvN+59/uBUF9aZ ASEO5+1H/E6U3WoD+crFk/bbueqUsWatmxStofSidRoSxdtCcS1D4Py77iY2rS8S/K5K HPvg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:in-reply-to:content-disposition :mime-version:references:message-id:subject:cc:to:from:date; bh=XE2qFwNkWthfN920tzhAXFqlvWmGnHqGpp/z2VYNn/o=; b=ZHX1ocedIweCdGLmD23jXMG6i1q/FAP93urdP4FZoJ14tlOsZfwSKNp3doqobYdEW/ cpUefXnWReiHfowOftob4h7Dsi2VD9UZbp+huqD1AqAjqJSQTF/2txIsVIH7lOqObqHe 656XIw36W0jrDUJOCvIdj2sA6nL/l5TEa2ddgapxQGUB2PYvdULlYhrccPZxlMrekDYx 0ZS9enHPCZIoR3VtUe0AH44eIC7HVDddtjFA0SQPGXAEFFt02Rlu9tXv+AUivtPHSOWg 5T7Sd3R4ScZ+QebZX7iDGd3sj64Te+LuJSfP/IJ8wVU2w5jt7ICGzKIrNoZalUNlawXb bKbw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-ext4-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-ext4-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id z20si14141163edq.250.2019.09.15.01.59.12; Sun, 15 Sep 2019 01:59:36 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-ext4-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-ext4-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-ext4-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727378AbfIOI7J (ORCPT + 99 others); Sun, 15 Sep 2019 04:59:09 -0400 Received: from gardel.0pointer.net ([85.214.157.71]:38412 "EHLO gardel.0pointer.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725951AbfIOI7J (ORCPT ); Sun, 15 Sep 2019 04:59:09 -0400 Received: from gardel-login.0pointer.net (gardel.0pointer.net [85.214.157.71]) by gardel.0pointer.net (Postfix) with ESMTP id 9F34EE81176; Sun, 15 Sep 2019 10:59:07 +0200 (CEST) Received: by gardel-login.0pointer.net (Postfix, from userid 1000) id 48AF2160ADC; Sun, 15 Sep 2019 10:59:07 +0200 (CEST) Date: Sun, 15 Sep 2019 10:59:07 +0200 From: Lennart Poettering To: "Ahmed S. Darwish" Cc: "Theodore Y. Ts'o" , Linus Torvalds , "Alexander E. Patrakov" , Michael Kerrisk , Willy Tarreau , Andreas Dilger , Jan Kara , Ray Strode , William Jon McCann , zhangjs , linux-ext4@vger.kernel.org, lkml Subject: Re: [PATCH RFC v3] random: getrandom(2): optionally block when CRNG is uninitialized Message-ID: <20190915085907.GC29771@gardel-login> References: <20190911173624.GI2740@mit.edu> <20190912034421.GA2085@darwi-home-pc> <20190912082530.GA27365@mit.edu> <20190914122500.GA1425@darwi-home-pc> <008f17bc-102b-e762-a17c-e2766d48f515@gmail.com> <20190915052242.GG19710@mit.edu> <20190915081747.GA1058@darwi-home-pc> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20190915081747.GA1058@darwi-home-pc> Sender: linux-ext4-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-ext4@vger.kernel.org On So, 15.09.19 10:17, Ahmed S. Darwish (darwish.07@gmail.com) wrote: > Thus, don't trust user-space on calling getrandom(2) from the right > context. Never block, by default, and just return data from the > urandom source if entropy is not yet available. This is an explicit > decision not to let user-space work around this through busy loops on > error-codes. > > Note: this lowers the quality of random data returned by getrandom(2) > to the level of randomness returned by /dev/urandom, with all the > original security implications coming out of that, as discussed in > problem "3." at the top of this commit log. If this is not desirable, > offer users a fallback to old behavior, by CONFIG_RANDOM_BLOCK=y, or > random.getrandom_block=true bootparam. This is an awful idea. It just means that all crypto that needs entropy doing during early boot will now be using weak keys, and doesn't even know it. Yeah, it's a bad situation, but I am very sure that failing loudly in this case is better than just sticking your head in the sand and ignoring the issue without letting userspace know is an exceptionally bad idea. We live in a world where people run HTTPS, SSH, and all that stuff in the initrd already. It's where SSH host keys are generated, and plenty session keys. If Linux lets all that stuff run with awful entropy then you pretend things where secure while they actually aren't. It's much better to fail loudly in that case, I am sure. Quite frankly, I don't think this is something to fix in the kernel. Let the people putting together systems deal with this. Let them provide a creditable hw rng, and let them pay the price if they don't. Lennart -- Lennart Poettering, Berlin