Received: by 2002:a25:b323:0:0:0:0:0 with SMTP id l35csp1692502ybj; Sun, 22 Sep 2019 09:43:36 -0700 (PDT) X-Google-Smtp-Source: APXvYqwwZvpKg2/jNAgk/NPPEbrq+EP9Y8MBNe/ckTc5fpS+ripB4F4siEofVElGSfI9YptOaXca X-Received: by 2002:a17:906:48e:: with SMTP id f14mr10401829eja.15.1569170616515; Sun, 22 Sep 2019 09:43:36 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1569170616; cv=none; d=google.com; s=arc-20160816; b=lTrt7nf2+9pJbltHehqvo/uXiy+Mn11OkchCJ9iK7D74zEsIKVJ6HHSk4Mp+chNqiS Dxhi3qGeSe9DsB4DSnc3TJHDbfGY7fvGuwKOmDP7dNEQjO7nj/mmIuD0lcv5deWcYCz3 BrFNtvnLPachLkUVWGw0EXn0qVrF46Zkx7g66xP9889k9RgSj4QVlQZIbgtOEt5aB6Nm jtb+uThmBc0P5YYdH99xEZhGe6aaVXMgeHdT6siQYQj4MHEHa5KzsVEyP5AV+vN1VZGi oglsakxtFD9gFVMxbjYsVAIJyt0BDurD2vprx6mSJ3AA8KH8HVJ493AQIYhIakMTqISe Z0Rw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature; bh=XnPO256DuOsYhrImHbZjlDyS9dr9lR3uhaJjfsUZiGs=; b=sVpQdyALlH3Jv/ckwFeTIkQYvoIXRHuGjZTZV4Gskv7Jt4l74b8gtvBtETGq9CtmAY OTkJU6icNJCIKlBIzXjDLAI/LpEoSl2IiuJKZIPpVFZ8dREPpNC6ijdZx2x1RLCBOjW4 NLTfLu3jkuhYDWN69oPfDR6cHSfJGjnLq7jDyA64dy/T3mhaMHf/aoXENkLIcYQeo9xJ 3fZrtHCSF9olE/N6qeM8vTAATbTibjefQvTkXpB1rDwZJO08GTaNpzqLLIt/SZkoTpYl 5B4uvbmAdnWWJ8jm6pEk//3QtQT/ln1dMqoE7kjmzSw8wPicx5Opg5N8V9VV1G0l3zKl iPjw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b="ERG/Tepv"; spf=pass (google.com: best guess record for domain of linux-ext4-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-ext4-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id b15si3722066ejd.66.2019.09.22.09.42.47; Sun, 22 Sep 2019 09:43:36 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-ext4-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b="ERG/Tepv"; spf=pass (google.com: best guess record for domain of linux-ext4-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-ext4-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2391639AbfITOeD (ORCPT + 99 others); Fri, 20 Sep 2019 10:34:03 -0400 Received: from mail.kernel.org ([198.145.29.99]:46818 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S2391630AbfITOeB (ORCPT ); Fri, 20 Sep 2019 10:34:01 -0400 Received: from mail-wr1-f46.google.com (mail-wr1-f46.google.com [209.85.221.46]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 81D1F21882 for ; Fri, 20 Sep 2019 14:34:00 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1568990040; bh=5T/4VfiO/HqhsBQATWPC19/qw+SPrKZRtyV53KT0GwQ=; h=References:In-Reply-To:From:Date:Subject:To:Cc:From; b=ERG/TepvuolOT6Mw8ez/j7trPLA7A2UHhgppUbM1UKt5I3anQ/LyiAyc1Gzj2TlKM sADxzjaDUCB5buPl3eS2UovJkkkCM5lajx430tmkdOhaMKDDGW+G/nttRZzcXhrsdr zAieZhwuQe6tN6TAp81EjJVKtEqxNKxDSB5o4mHU= Received: by mail-wr1-f46.google.com with SMTP id v8so7033462wrt.2 for ; Fri, 20 Sep 2019 07:34:00 -0700 (PDT) X-Gm-Message-State: APjAAAVI1HdsDoQ1oMJ9Mc8szRBxdAjvKsrzYiyuBoXzwRNozlhWcf+Y QGBnP2Z8fK213RnagA5fhVD8zJVYTjfGk6wYBX4CDw== X-Received: by 2002:adf:fe0f:: with SMTP id n15mr12713274wrr.343.1568990038968; Fri, 20 Sep 2019 07:33:58 -0700 (PDT) MIME-Version: 1.0 References: <20190912034421.GA2085@darwi-home-pc> <20190912082530.GA27365@mit.edu> <20190914122500.GA1425@darwi-home-pc> <008f17bc-102b-e762-a17c-e2766d48f515@gmail.com> <20190915052242.GG19710@mit.edu> <20190918211503.GA1808@darwi-home-pc> <20190918211713.GA2225@darwi-home-pc> <20190920134609.GA2113@pc> In-Reply-To: <20190920134609.GA2113@pc> From: Andy Lutomirski Date: Fri, 20 Sep 2019 07:33:47 -0700 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: [PATCH RFC v4 1/1] random: WARN on large getrandom() waits and introduce getrandom2() To: "Ahmed S. Darwish" Cc: Linus Torvalds , Lennart Poettering , "Theodore Y. Ts'o" , "Eric W. Biederman" , "Alexander E. Patrakov" , Michael Kerrisk , Willy Tarreau , Matthew Garrett , lkml , Ext4 Developers List , Linux API , linux-man Content-Type: text/plain; charset="UTF-8" Sender: linux-ext4-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-ext4@vger.kernel.org On Fri, Sep 20, 2019 at 6:46 AM Ahmed S. Darwish wrote: > > Hi, > > On Wed, Sep 18, 2019 at 04:57:58PM -0700, Linus Torvalds wrote: > > On Wed, Sep 18, 2019 at 2:17 PM Ahmed S. Darwish wrote: > > > > > > Since Linux v3.17, getrandom(2) has been created as a new and more > > > secure interface for pseudorandom data requests. It attempted to > > > solve three problems, as compared to /dev/urandom: > > > > I don't think your patch is really _wrong_, but I think it's silly to > > introduce a new system call, when we have 30 bits left in the flags of > > the old one, and the old system call checked them. > > > > So it's much simpler and more straightforward to just introduce a > > single new bit #2 that says "I actually know what I'm doing, and I'm > > explicitly asking for secure/insecure random data". > > > > And then say that the existing bit #1 just means "I want to wait for entropy". > > > > So then you end up with this: > > > > /* > > * Flags for getrandom(2) > > * > > * GRND_NONBLOCK Don't block and return EAGAIN instead > > * GRND_WAIT_ENTROPY Explicitly wait for entropy > > * GRND_EXPLICIT Make it clear you know what you are doing > > */ > > #define GRND_NONBLOCK 0x0001 > > #define GRND_WAIT_ENTROPY 0x0002 > > #define GRND_EXPLICIT 0x0004 What is this GRND_EXPLICIT thing? A few weeks ago, I sent a whole series to address this, and I obviously didn't cc enough people. I'll resend a rebased version today. Meanwhile, some comments on this whole mess: As I think everyone mostly agrees in this whole thread, getrandom() can't just magically start returning non-random results. That would be a big problem. Linus, I disagree that blocking while waiting for randomness is an error. Sometimes you want to generate a key, you want to finish as quickly as possible, and you don't want to be in the business of fiddling with the setup of the kernel RNG. I would argue that *most* crypto applications are in this category. I think that the kernel should, instead, handle this mess itself. As a first pass, it could be as simple as noticing that someone is blocking on randomness and kicking off a thread that does some randomish reads to the rootfs. This would roughly simulate the old behavior in which an ext4 rootfs did more IO than necessary. A fancier version would, as discussed in this thread, do more clever things. (As an aside, I am not a fan of xoring or adding stuff to the CRNG state. We should just use an actual crypto primitive for this. Accumulate the state in a buffer and SHA-512 it. Or use something like the Keccak duplex sponge. But this is a discussion for another day.) So I'm going to resend my series. You can all fight over whether the patch that actually goes in should be based on my series or based on this patch. --Andy