Received: by 2002:a25:b323:0:0:0:0:0 with SMTP id l35csp1788634ybj; Sun, 22 Sep 2019 11:58:33 -0700 (PDT) X-Google-Smtp-Source: APXvYqwB1Nkl1/K4oiVJc6Fssn6v+zbEVpDvOmkUy7zIk23kUUzahl21bhCFb5abyISnORWS7QaD X-Received: by 2002:a05:6402:121a:: with SMTP id c26mr32338999edw.100.1569178713680; Sun, 22 Sep 2019 11:58:33 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1569178713; cv=none; d=google.com; s=arc-20160816; b=kYKcd4LonVAg6d8vSzHULNq5d1ZRuZi6yExNhiCzM9Q0kroRZwvvuv/JKUNJK8Verm CCDC4bp3fw/mqg8B2asb1LZsTwdXQf3jcJqj/tvnlIWNGJ2dkvsOVbu4l99TpXFuH4Lu hNBW5vBGjK3i8Q3L+ZzHwNHGvGOvIyxlkfJH+jZTcXAuc8hvx4GDITD4lxKhQY7q1l7/ p8vT2nLf/YUq6ID7Vdq/wK6rCWtW6zJuf4ruFITFgSE2m89xYD8SHPRwFhE4/M9ruqdq iDQWOZkFHFr7PKKfPs/marY6Wkv46YmW+lchmlGLEaxLcMoo74WiBh9PpUfwHH6hpeND 2aRQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date; bh=ZbBIiCKHQ1b0Xk4V09GzvcjnD2mIMWO3GJOOmGpOarc=; b=SqFgnnTqeZ8zP3kkP5NItCoUQe1eELT1YYoiD0GREQTzY1dnwSw9oXV4IUBh5djqPT uJAihKUYHE1FcJ+1jMN3b0gQTuIm9x+0TRNLV9iDTqu93pfYiftiQXJFa1ataDTXPu87 jJf8tpAH90Vn0g7rWQxegHlXq+5pL9ZeHTCn2nTCq24kapVBoBX2woSVFqVdvbmx5s9o Ma8+t+hZymsk60mkcaeYdGL/ux6KZzeb+Im+9FfeZdZRgSUFX00ndIonx+wQlEj0cLca SqM/aKXCjpG24L6BtxGMKIqOcAsXvqor1pEIKi7LoUlfq562EvM7bPPZrzulPhM4ddz3 7P9g== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-ext4-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-ext4-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id u8si5389956edq.84.2019.09.22.11.58.09; Sun, 22 Sep 2019 11:58:33 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-ext4-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-ext4-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-ext4-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2405186AbfITSM3 (ORCPT + 99 others); Fri, 20 Sep 2019 14:12:29 -0400 Received: from wtarreau.pck.nerim.net ([62.212.114.60]:49225 "EHLO 1wt.eu" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S2405041AbfITSM3 (ORCPT ); Fri, 20 Sep 2019 14:12:29 -0400 Received: (from willy@localhost) by pcw.home.local (8.15.2/8.15.2/Submit) id x8KICGgZ001902; Fri, 20 Sep 2019 20:12:16 +0200 Date: Fri, 20 Sep 2019 20:12:16 +0200 From: Willy Tarreau To: Andy Lutomirski Cc: Linus Torvalds , "Ahmed S. Darwish" , Lennart Poettering , "Theodore Y. Ts'o" , "Eric W. Biederman" , "Alexander E. Patrakov" , Michael Kerrisk , Matthew Garrett , lkml , Ext4 Developers List , Linux API , linux-man Subject: Re: [PATCH RFC v4 1/1] random: WARN on large getrandom() waits and introduce getrandom2() Message-ID: <20190920181216.GA1889@1wt.eu> References: <008f17bc-102b-e762-a17c-e2766d48f515@gmail.com> <20190915052242.GG19710@mit.edu> <20190918211503.GA1808@darwi-home-pc> <20190918211713.GA2225@darwi-home-pc> <20190920134609.GA2113@pc> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.6.1 (2016-04-27) Sender: linux-ext4-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-ext4@vger.kernel.org Hi Andy, On Fri, Sep 20, 2019 at 10:52:30AM -0700, Andy Lutomirski wrote: > 2. Fix what is arguably a straight up kernel bug, not even an ABI > issue: when a user program is blocking in getrandom(..., 0), the > kernel happily sits there doing absolutely nothing and deadlocks the > system as a result. This IMO isn't an ABI issue -- it's an > implementation problem. How about we make getrandom() (probably > actually wait_for_random_bytes()) do something useful to try to seed > the RNG if the system is otherwise not doing IO. I thought about it as well with my old MSDOS reflexes, but here I doubt we can do a lot. It seems fishy to me to start to fiddle with various drivers from within a getrandom() syscall, we could sometimes even end up waiting even longer because one device is already locked, and when we have access there there's not much we can do without risking to cause some harm. On desktop systems you have a bit more choice than on headless systems (blink keyboard leds and time the interrupts, run some disk accesses when there's still a disk, get a copy of the last buffer of the audio input and/or output, turn on the microphone and/or webcam, and collect some data). Many of them cannot always be used. We could do some more portable stuff like scan and hash the totality of the RAM. But that's all quite bad and unreliable and at this point it's better to tell userland "here's what I could get for you, if you want better, do it yourself" and the userland can then ask the user "dear user, I really need valid entropy this time to generate your GPG key, please type frantically on this keyboard". And it will be more reliable this way in my opinion. My analysis of the problem precisely lies in the fact that we've always considered that the kernel had to provide randoms for any use case and had to cover the most difficult cases and imposed their constraints on simplest ones. Better let the application decide. Willy