Received: by 2002:a25:c593:0:0:0:0:0 with SMTP id v141csp5710776ybe; Tue, 17 Sep 2019 12:12:39 -0700 (PDT) X-Google-Smtp-Source: APXvYqx9vIxpL9SEXKBQ/l9fr56ewW6DAj028ps5aSoHoZwFK5SuHXxlLt0c0e28wJ3jirAJDqQn X-Received: by 2002:a17:906:1e0e:: with SMTP id g14mr6068595ejj.247.1568747558933; Tue, 17 Sep 2019 12:12:38 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1568747558; cv=none; d=google.com; s=arc-20160816; b=wGUFF9L7JsDm6pms8anOLnZ6X39haZ92TJivSkBOSEWNFzvrVNQASvKMABUWHgdIv0 DNzO5GdQRC84zZtQjohqsvaUUA4cU5m/SZTVIvsRF9PTpv0BhqrRGurhtSQTGZ5Rxi3l DjFtvMCUASntyX0QsMamEugkHMFe+8Vvlo3FS5Shv1rQu+jR1N6ng0yjXseu8moJpMnS 50ZkdRu1fHdbghUKUR40wTh6EG0dCNa511IJBWZIaiR5eo+3hNH8U3WucpUrY4UdArer tTuVgfBoIENYN0rL8cR6hBbtWWegL9TpJ9zvEO3Sab3ZqkEuHuGGxQCnZNDrN974z8g2 jTqw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:in-reply-to:content-transfer-encoding :content-disposition:mime-version:references:message-id:subject:cc :to:from:date; bh=NDopjfFYm1YeDQQwVhFlKraHGAB9EWh4BTC/FMDcV6M=; b=joSKA4883RmVoni258wJlNU+eovURgAMs/o+dvCBIJyVVbawjuDmteEWcTbRfeCHjA hMhsTl9k+b3iIgRabKOfIyPhG3drZMf3+5lFGje1ZZD6Bbkt+u/4QWOvWTo98+TBbsMN 9tVZU6lkUgtVb8DabpgokwRGuYfLSbf1zv0svznlVmWmpG4/r1PIefWrd+uLJeoyLy22 u2wkidzjsPvu/7ZzkxE+fgqJbkW1P0E/Ls1PLTzuL27MuXeG96tfrxc8VbYE/P/Mobx+ dUvOjDcewsRTLhZ5EEzE9jNNM2Wvb1fBYB/KaeG7FDrnZGXqx7ur6nw8P7WUEbJtrYJK PQGw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-ext4-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-ext4-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id ni5si1713160ejb.184.2019.09.17.12.12.13; Tue, 17 Sep 2019 12:12:38 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-ext4-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-ext4-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-ext4-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1731152AbfIQR20 (ORCPT + 99 others); Tue, 17 Sep 2019 13:28:26 -0400 Received: from gardel.0pointer.net ([85.214.157.71]:40752 "EHLO gardel.0pointer.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1731150AbfIQR20 (ORCPT ); Tue, 17 Sep 2019 13:28:26 -0400 Received: from gardel-login.0pointer.net (gardel.0pointer.net [IPv6:2a01:238:43ed:c300:10c3:bcf3:3266:da74]) by gardel.0pointer.net (Postfix) with ESMTP id 91A53E80FFC; Tue, 17 Sep 2019 19:28:24 +0200 (CEST) Received: by gardel-login.0pointer.net (Postfix, from userid 1000) id 44361160ADC; Tue, 17 Sep 2019 19:28:24 +0200 (CEST) Date: Tue, 17 Sep 2019 19:28:24 +0200 From: Lennart Poettering To: Linus Torvalds Cc: Willy Tarreau , Matthew Garrett , "Ahmed S. Darwish" , "Theodore Y. Ts'o" , Vito Caputo , Andreas Dilger , Jan Kara , Ray Strode , William Jon McCann , "Alexander E. Patrakov" , zhangjs , linux-ext4@vger.kernel.org, lkml Subject: Re: Linux 5.3-rc8 Message-ID: <20190917172824.GB31798@gardel-login> References: <20190917052438.GA26923@1wt.eu> <2508489.jOnZlRuxVn@merkaba> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: Sender: linux-ext4-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-ext4@vger.kernel.org On Di, 17.09.19 09:27, Linus Torvalds (torvalds@linux-foundation.org) wrote: > But look at what gnome-shell and gnome-session-b does: > > https://lore.kernel.org/linux-ext4/20190912034421.GA2085@darwi-home-pc/ > > and most of them already set GRND_NONBLOCK, but look at the > problematic one that actually causes the boot problem: > > gnome-session-b-327 4.400620: getrandom(16 bytes, flags = 0) > > and here the big clue is: "Hey, it only asks for 128 bits of > randomness". I don't think this is a good check to make. In fact most cryptography folks say taking out more than 256bit is never going to make sense, that's why BSD getentropy() even returns an error if you ask for more than 256bit. (and glibc's getentropy() wrapper around getrandom() enforces the same size limit btw) On the BSDs the kernel's getentropy() call is primarily used to seed their libc's arc4random() every now and then, and userspace is supposed to use only arc4random(). I am pretty sure we should do the same on Linux in the long run. i.e. the idea that everyone uses the kernel syscall directly sounds wrong to me, and designing the syscall so that everyone calls it is hence wrong too. On the BSDs getentropy() is hence unconditionally blocking, without any flags or so, which makes sense since it's not supposed to be user-facing really so much, but more a basic primitive for low-level userspace infrastructure only, that is supposed to be wrapped non-trivially to be useful. (that's at least how I understood their APIs) > Does anybody believe that 128 bits of randomness is a good basis for a > long-term secure key? Even if the key itself contains than that, if > you are generating a long-term secure key in this day and age, you had > better be asking for more than 128 bits of actual unpredictable base > data. So just based on the size of the request we can determine that > this is not hugely important. aes128 is very common today. It's what baseline security is. I have the suspicion crypto folks would argue that 128…256 is the only sane range for cryptographic keys... Lennart -- Lennart Poettering, Berlin