Received: by 2002:a25:c593:0:0:0:0:0 with SMTP id v141csp5101627ybe; Tue, 17 Sep 2019 02:37:43 -0700 (PDT) X-Google-Smtp-Source: APXvYqySb6Hj7xpMtmNqKsWMQCS9LT58yzt2lwpeqiGAgwQogythT64/I+sqY/e2yCELm/KOaAk6 X-Received: by 2002:a17:906:4a19:: with SMTP id w25mr3827589eju.239.1568713063706; Tue, 17 Sep 2019 02:37:43 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1568713063; cv=none; d=google.com; s=arc-20160816; b=0Jn9GZth8jc/NxWgOmhpaYGgEE6nEwB3IM11gz1zNoG4ISlCNoLzhoTT/kkIa3HcPe jodZmaDVTa86gzJNiWBk5P43aCxHhVY5RIQK3AxeyxBgNg4Rq5SSu50zIcwy5Weyw7Cd mMuuRar8feTpRLM55T9RBZKT9IWbpKwgaPKEon/TgnwHuMFzQWCJN6C2hWQu2/CZcnV6 6CtJ6MPkVTpiSd2sk4cH/P/V9c00F7pwLXPUfvn9jxWKgv32oszP2WdBaTk37UdNDEQF u855jIUKU4CATxJdVXUfc05jpmS5iqCXJ2AqCbusQSSmvQ5EHpgHis9W0x+ksvIxdaSm gqfQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date; bh=36mfI9tqc9fzcFsANTisRm/jrmfTyuAB2+tUjfWtke4=; b=edFn6l7bP3W4DbL2/FlPQ3LF95X1j4ma6L1XfgIDfF/9CgQpHCvLzje14BecmNrI50 Sgn2/Py5pTUm3WUFTqaqRTrVODFWaZrdmVE9mojo/Y0NXadvf3DhCV6XEVQ51uyzfKUp RhKPrn36MVztT3i3EU5DEb2vRFyLwG5Qm3TUPGUSvW8kU60+iDc6ence1J/GJO4zyxnE WtTk1GNuWite5Apg8jhEIiUDzE3bHDd7fFVv1QnpUA6KDCIkQPl7IoevPz74asyNeprd MgxVDo2aSMRdB5g+IXhZQbaDvp4A2VRAezCLaOPrXeJspkeoPPHTzBOHGKHvqDdOKDmU mWpg== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-ext4-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-ext4-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id x47si961197eda.396.2019.09.17.02.37.14; Tue, 17 Sep 2019 02:37:43 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-ext4-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-ext4-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-ext4-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2392371AbfIQFZK (ORCPT + 99 others); Tue, 17 Sep 2019 01:25:10 -0400 Received: from wtarreau.pck.nerim.net ([62.212.114.60]:46631 "EHLO 1wt.eu" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S2391179AbfIQFZK (ORCPT ); Tue, 17 Sep 2019 01:25:10 -0400 Received: (from willy@localhost) by pcw.home.local (8.15.2/8.15.2/Submit) id x8H5OckJ026945; Tue, 17 Sep 2019 07:24:38 +0200 Date: Tue, 17 Sep 2019 07:24:38 +0200 From: Willy Tarreau To: Matthew Garrett Cc: Linus Torvalds , "Ahmed S. Darwish" , "Theodore Y. Ts'o" , Vito Caputo , Lennart Poettering , Andreas Dilger , Jan Kara , Ray Strode , William Jon McCann , "Alexander E. Patrakov" , zhangjs , linux-ext4@vger.kernel.org, lkml Subject: Re: Linux 5.3-rc8 Message-ID: <20190917052438.GA26923@1wt.eu> References: <20190916230217.vmgvsm6o2o4uq5j7@srcf.ucam.org> <20190916231103.bic65ab4ifv7vhio@srcf.ucam.org> <20190916232922.GA7880@darwi-home-pc> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.6.1 (2016-04-27) Sender: linux-ext4-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-ext4@vger.kernel.org On Mon, Sep 16, 2019 at 06:46:07PM -0700, Matthew Garrett wrote: > >Well, the patch actually made getrandom() return en error too, but you > >seem more interested in the hypotheticals than in arguing actualities. > > If you want to be safe, terminate the process. This is an interesting approach. At least it will cause bug reports in application using getrandom() in an unreliable way and they will check for other options. Because one of the issues with systems that do not finish to boot is that usually the user doesn't know what process is hanging. Anyway regarding the impact on applications relying on getrandom() for security, I'm in favor of not *silently* changing their behavior and provide a new flag to help others get insecure randoms without waiting. With your option above we could then have this way to go: - GRND_SECURE: the application wants secure randoms, i.e. like the current getrandom(0), waiting for entropy. - GRND_INSECURE: the application never wants to wait, it just wants a replacement for /dev/urandom. - GRND_RANDOM: unchanged, or subject to CAP_xxx, or maybe just emit a "deprecated" warning if called without a certain capability, to spot potentially harmful applications. - by default (0), the application continues to wait but when the timeout strikes (30 seconds ?), it gets terminated with a message in the logs for users to report the issue. After some time all relevant applications which accidently misuse getrandom() will be fixed to either use GRND_INSECURE or GRND_SECURE and be able to wait longer if they want (likely SECURE|NONBLOCK). Willy