Received: by 2002:a25:c593:0:0:0:0:0 with SMTP id v141csp3429163ybe; Sun, 15 Sep 2019 15:28:03 -0700 (PDT) X-Google-Smtp-Source: APXvYqxzaDg6qxEXwXV9RahaloG+AUS8llOnKMVki2gdqehs+ZDwEJNChUBhdlt3Le/OfZmo9r4J X-Received: by 2002:a50:f152:: with SMTP id z18mr57637185edl.141.1568586483448; Sun, 15 Sep 2019 15:28:03 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1568586483; cv=none; d=google.com; s=arc-20160816; b=ybx36/TeoKMw5jKUc+qr8YcFzpqIsV9V9lW5JsXzxKiqZm96xJKa83fVjhXhtQRIPt auUgBhcRTLNUu2BrZv7sF+KxsnVIk3CkM8E8PsFIraqZ+thFmBa/VPDMYtMqnRGzHWYj mGgdQr4aC3vPv2/PT7iM0if/V2S/U9yf/viL1VvvdF0b4wxZ9kwt0XfNoRLzTkqFquT+ wLWnFJfE+ll6A3w2GjsREvNvelJnJXidJ2A+a8gzbJIBffjII2Sud5KENVz3Pq3xMd5v soItheBg163OQIbniqU9kCX/RsFSVrNS/qQpe/76RY70hTnup+6HQk8XelSSmwF9Qh92 AInA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date; bh=YU1/D8uhx7yk2/q0fbs4Hw9Jp01S0hZscu3lwO86Ock=; b=p6F1GzfP0yss5XLWAFgB2uwryuTWD40oXFJVCJxw9y+j42qy1MKUJfTcoC1MJuGC17 H5GuE943GBXHz4KtLP8CWuT5QfeFOSLJCjtUFFagCPyW5hyDnltgdJ+MxG1jFe+eXRdU AKsHbsTjxT2/h/E9hqpchgGCdb/T4i3uumQGD45Xxn+5eGoifPUyA80nXzQau07b/lrC Ji+Xh8B+m+QjaLqZCfRFKZXZoxegKn2jPZ0ifrPSzIi8c8ncd0QKvBrrUuEUoPkCI1Ab XRp1TlLYucxDN/W8nqRdptVuWkfbBMduUZ9Th4jf7jUDBnRCnZrSzFF2d5sqiE72EYcV txcw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-ext4-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-ext4-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id b9si20391535eda.129.2019.09.15.15.27.32; Sun, 15 Sep 2019 15:28:03 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-ext4-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-ext4-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-ext4-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726111AbfIOTzH (ORCPT + 99 others); Sun, 15 Sep 2019 15:55:07 -0400 Received: from wtarreau.pck.nerim.net ([62.212.114.60]:45468 "EHLO 1wt.eu" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726074AbfIOTzH (ORCPT ); Sun, 15 Sep 2019 15:55:07 -0400 Received: (from willy@localhost) by pcw.home.local (8.15.2/8.15.2/Submit) id x8FJsi6f023261; Sun, 15 Sep 2019 21:54:44 +0200 Date: Sun, 15 Sep 2019 21:54:44 +0200 From: Willy Tarreau To: Linus Torvalds Cc: "Theodore Y. Ts'o" , "Alexander E. Patrakov" , "Ahmed S. Darwish" , Michael Kerrisk , Andreas Dilger , Jan Kara , Ray Strode , William Jon McCann , zhangjs , linux-ext4@vger.kernel.org, lkml , Lennart Poettering Subject: Re: [PATCH RFC v2] random: optionally block in getrandom(2) when the CRNG is uninitialized Message-ID: <20190915195444.GA23245@1wt.eu> References: <20190914122500.GA1425@darwi-home-pc> <008f17bc-102b-e762-a17c-e2766d48f515@gmail.com> <20190915052242.GG19710@mit.edu> <20190915183240.GA23155@1wt.eu> <20190915183659.GA23179@1wt.eu> <20190915191814.GB23212@1wt.eu> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.6.1 (2016-04-27) Sender: linux-ext4-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-ext4@vger.kernel.org On Sun, Sep 15, 2019 at 12:31:42PM -0700, Linus Torvalds wrote: > On Sun, Sep 15, 2019 at 12:18 PM Willy Tarreau wrote: > > > > Oh no I definitely don't want this behavior at all for urandom, what > > I'm saying is that as long as getrandom() will have a lower quality > > of service than /dev/urandom for non-important randoms > > Ahh, here you're talking about the fact that it can block at all being > "lower quality". > > I do agree that getrandom() is doing some odd things. It has the > "total blocking mode" of /dev/random (if you pass it GRND_RANDOM), but > it has no mode of replacing /dev/urandom. Yep but with your change it's getting better. > So if you want the /dev/urandom bvehavior, then no, getrandom() simply > has never given you that. > > Use /dev/urandom if you want that. It's not available in chroot, which is the main driver for getrandom() I guess. > Sad, but there it is. We could have a new flag (GRND_URANDOM) that > actually gives the /dev/urandom behavior. But the ostensible reason > for getrandom() was the blocking for entropy. See commit c6e9d6f38894 > ("random: introduce getrandom(2) system call") from back in 2014. Oh I definitely know it's been a long debate. > The fact that it took five years to hit this problem is probably due > to two reasons: > > (a) we're actually pretty good about initializing the entropy pool > fairly quickly most of the time > > (b) people who started using 'getrandom()' and hit this issue > presumably then backed away from it slowly and just used /dev/urandom > instead. We've hit it the hard way more than a year ago already, when openssl adopted getrandom() instead of urandom for certain low-importance things in order to work better in chroots and/or avoid fd leaks. And even openssl had to work around these issues in multiple iterations (I don't remember how however). > So it needed an actual "oops, we don't get as much entropy from the > filesystem accesses" situation to actually turn into a problem. And > presumably the people who tried out things like nvdimm filesystems > never used Arch, and never used a sufficiently new systemd to see the > "oh, without disk interrupts you don't get enough randomness to boot". In my case the whole system is in the initramfs and the only accesses to the flash are to read the config. So that's pretty a limited source of interrupts for a headless system ;-) > One option is to just say that GRND_URANDOM is the default (ie never > block, do the one-liner log entry to warn) and add a _new_ flag that > says "block for entropy". But if we do that, then I seriously think > that the new behavior should have that timeout limiter. I think the timeout is a good thing to do, but it would be nice to let the application know that what was provided was probably not as good as expected (well if the application wants real random, it should use GRND_RANDOM). > For 5.3, I'll just revert the ext4 change, stupid as that is. That > avoids the regression, even if it doesn't avoid the fundamental > problem. And gives us time to discuss it. It's sad to see that being excessive on randomness leads to forcing totally unrelated subsystem to be less efficient :-( Willy