Date: Tue, 17 Sep 2019 08:11:56 -0400
From: "Theodore Y. Ts'o"
To: Martin Steigerwald
Cc: Willy Tarreau, Matthew Garrett, Linus Torvalds, "Ahmed S. Darwish", Vito Caputo, Lennart Poettering, Andreas Dilger, Jan Kara, Ray Strode, William Jon McCann, "Alexander E. Patrakov", zhangjs, linux-ext4@vger.kernel.org, lkml
Subject: Re: Linux 5.3-rc8
Message-ID: <20190917121156.GC6762@mit.edu>
References: <20190917052438.GA26923@1wt.eu> <2508489.jOnZlRuxVn@merkaba>
In-Reply-To: <2508489.jOnZlRuxVn@merkaba>

On Tue, Sep 17, 2019 at 09:33:40AM +0200, Martin Steigerwald wrote:
> Willy Tarreau - 17.09.19, 07:24:38 CEST:
> > On Mon, Sep 16, 2019 at 06:46:07PM -0700, Matthew Garrett wrote:
> > > >Well, the patch actually made getrandom() return an error too, but
> > > >you seem more interested in the hypotheticals than in arguing
> > > >actualities.
> > >
> > > If you want to be safe, terminate the process.
> >
> > This is an interesting approach. At least it will cause bug reports in
> > application using getrandom() in an unreliable way and they will
> > check for other options. Because one of the issues with systems that
> > do not finish to boot is that usually the user doesn't know what
> > process is hanging.
>

I would be happy with a change which changes getrandom(0) to send a
kill -9 to the process if it is called too early, with a new flag,
getrandom(GRND_BLOCK) which blocks until entropy is available. That
leaves it up to the application developer to decide what behavior they
want.

Userspace applications which want to do something more sophisticated
could set a timer which will cause getrandom(GRND_BLOCK) to return
with EINTR (or the signal handler could use longjmp; whatever) to
abort and do something else, like calling random_r if it's for some
pathetic use of random numbers like MIT-MAGIC-COOKIE.

> A userspace process could just poll on the kernel by forking a process
> to use getrandom() and waiting until it does not get terminated anymore.
> And then it would still hang. So....

I'm not too worried about that, because if a process is determined to
do something stupid, they can always do something stupid.

This could potentially be a problem, as would GRND_BLOCK, in that if
an application author decides to use to do something to wait for real
randomness, because in the good judgement of the application author,
it d*mned needs real security because otherwise an attacker could,
say, force a launch of nuclear weapons and cause world war III, and
then some small 3rd-tier distro decides to repurpose that application
for some other use, and puts it in early boot, it's possible that a
user will report it as a "regression", and we'll be back to the
question of whether we revert a performance optimization patch.

There are only two ways out of this mess. The first option is we take
functionality away from a userspace author who Really Wants A Secure
Random Number Generator. And there are an awful lot of programs who
really want secure crypto, because this is not a hypothetical. The
result in "Mining your P's and Q's" did happen before. If we forget
the history, we are doomed to repeat it.

The only other way is that we need to try to get the CRNG initialized
securely in early boot, before we let userspace start. If we do it
early enough, we can also make the kernel facilities like KASLR and
Stack Canaries more secure. And this is *doable*, at least for most
common platforms. We can leverage UEFI; we can try to use the TPM's
random number generator, etc. It won't help so much for certain
brain-dead architectures, like MIPS and ARM, but if they are used for
embedded use cases, it will be caught before the product is released
for consumer use. And this is where blocking is *way* better than a
big fat warning, or sleeping for 15 seconds, both of which can easily
get missed in the embedded case.

If we can fix this for traditional servers/desktops/laptops, then
users won't be complaining to Linus, and I think we can all be happy.

Regards,

					- Ted
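
The timer-and-EINTR pattern described in the message above, as an added example that is not part of the original email or of the kernel sources. GRND_BLOCK is only a proposal in this message, so the sketch calls getrandom() with flags 0, which blocks until the CRNG is initialized; `seed_with_deadline` and `never_ready` are hypothetical names, and `never_ready` is a constructed stand-in for a kernel whose CRNG is not yet ready.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <signal.h>
#include <string.h>
#include <sys/random.h>
#include <sys/time.h>
#include <unistd.h>

/* Same signature as getrandom(2), so a stand-in can be swapped in. */
typedef ssize_t (*rand_fn)(void *buf, size_t len, unsigned int flags);

static void on_alarm(int sig) { (void)sig; } /* only purpose: interrupt the syscall */

/* Constructed stand-in for a kernel whose CRNG is not yet initialized:
 * sleeps until a signal arrives, then fails with EINTR. */
ssize_t never_ready(void *buf, size_t len, unsigned int flags)
{
    (void)buf; (void)len; (void)flags;
    return pause(); /* -1 with errno == EINTR once the handler has run */
}

/* Returns 0 if buf was filled, 1 if the deadline expired, -1 on any other error.
 * Assumes timeout_ms > 0 and len <= 256 (such requests are never partially filled). */
int seed_with_deadline(rand_fn src, void *buf, size_t len, long timeout_ms)
{
    struct timeval tv = { timeout_ms / 1000, (timeout_ms % 1000) * 1000 };
    struct itimerval on = { tv, tv }, off = { {0, 0}, {0, 0} };
    struct sigaction sa, old;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_alarm; /* no SA_RESTART, so the blocked call returns EINTR */
    sigemptyset(&sa.sa_mask);
    if (sigaction(SIGALRM, &sa, &old) < 0)
        return -1;
    setitimer(ITIMER_REAL, &on, NULL); /* repeating, so a tick cannot be missed */

    ssize_t n = src(buf, len, 0); /* flags 0: block until the CRNG is ready */
    int saved = errno;
    setitimer(ITIMER_REAL, &off, NULL); /* disarm before restoring the old handler */
    sigaction(SIGALRM, &old, NULL);
    if (n == (ssize_t)len)
        return 0;
    return (n < 0 && saved == EINTR) ? 1 : -1;
}

int main(void)
{
    unsigned char key[32]; /* a result of 1 means: take the non-crypto fallback path */
    return seed_with_deadline(getrandom, key, sizeof key, 5000) != 0;
}
```

A return value of 1 is the point at which the caller chooses its own behavior: abort, keep waiting, or fall back to a non-cryptographic generator for uses that do not need security.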