Received: by 2002:a25:824b:0:0:0:0:0 with SMTP id d11csp5612939ybn; Sun, 29 Sep 2019 02:05:57 -0700 (PDT) X-Google-Smtp-Source: APXvYqwccM+iwLzryugMIYg8C7rKHc/8fMroQUao+R8CH7I/+kMu9AuA5eFPfNfWE5PxSZi0UQ3u X-Received: by 2002:a17:906:5c07:: with SMTP id e7mr10294956ejq.127.1569747957570; Sun, 29 Sep 2019 02:05:57 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1569747957; cv=none; d=google.com; s=arc-20160816; b=RIQ+wHPYDTPyahlWkewGo28lyfB3y9zDYN1UBnMUDQW4Wngy6qam67MsS6hcvm/Be5 m/fGsIuK67w7hH9sf9e5GkcAN3qvjaabsbr876UqiG4F6TpcBVZtFYWcwyu3fM2+C0kD X61ypYrnPRuflPbhtTO+Y3VptkZYi5U5ouFj6NXb8y7o6ev/5SK6czDGw5SIOQrBHc7L NL4TypdHadO8x9/Cl+kGQ4YV5/gjKJ4qZEAJz8XhEW42vamqs86qP1WYgmRtmN50+5aX f+h+sysfsdBaAUL2GCcMTvlm6qaRjbFZUJy6/V0Zm8YYswWUKqEDttm6k6iCuUzNYZIz vw+Q== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:in-reply-to:content-disposition :mime-version:references:message-id:subject:cc:to:from:date; bh=gKv6BuJthmxazjkHbUUsIrrMuKcHcpcTTg5yaWKQvF0=; b=VbKnlOehcf/wjLlZ7dB0LeqxGVzA+RdM/tHef0ooAzRFr2tTfL1zYlhZK44Ldm6vHZ QPEF2q38/9ylcb/GklW1qUyia1DfXvGAz1+FnMraeeHBVxjPx0NGMGI5yx4DEm98pNV3 SufXmXjULEfH2/PIiZr4lF5/D7vXevI9r+T5ceqDmbQI3IxqZ0Oxu5iioBabdmXlpuqq 3Vsk/Xsv9+Vb9Cq6YGSf09pEfv1sfCHO0G+JOxgHUelTSasM1JWmFoWtgV3+gla5dGNr /EjevmO1e+WMe1PUT44RpWHjSFCkq0Cbt1e5AUhj+x8QEpVsbhMS1uLms27rBZih0OGc ocHg== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-ext4-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-ext4-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id v25si4631244edy.392.2019.09.29.02.05.16; Sun, 29 Sep 2019 02:05:57 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-ext4-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-ext4-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-ext4-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1725924AbfI2JFP (ORCPT + 99 others); Sun, 29 Sep 2019 05:05:15 -0400 Received: from gardel.0pointer.net ([85.214.157.71]:53304 "EHLO gardel.0pointer.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725379AbfI2JFP (ORCPT ); Sun, 29 Sep 2019 05:05:15 -0400 Received: from gardel-login.0pointer.net (gardel.0pointer.net [85.214.157.71]) by gardel.0pointer.net (Postfix) with ESMTP id 20337E80A99; Sun, 29 Sep 2019 11:05:13 +0200 (CEST) Received: by gardel-login.0pointer.net (Postfix, from userid 1000) id BB79E160AE4; Sun, 29 Sep 2019 11:05:12 +0200 (CEST) Date: Sun, 29 Sep 2019 11:05:12 +0200 From: Lennart Poettering To: Linus Torvalds Cc: "Alexander E. Patrakov" , "Eric W. Biederman" , "Ahmed S. Darwish" , "Theodore Y. Ts'o" , Willy Tarreau , Matthew Garrett , Vito Caputo , Andreas Dilger , Jan Kara , Ray Strode , William Jon McCann , zhangjs , Ext4 Developers List , lkml Subject: Re: Linux 5.3-rc8 Message-ID: <20190929090512.GB13049@gardel-login> References: <20190917121156.GC6762@mit.edu> <20190917123015.sirlkvy335crozmj@debian-stretch-darwi.lab.linutronix.de> <20190917160844.GC31567@gardel-login> <20190917174219.GD31798@gardel-login> <87zhj15qgf.fsf@x220.int.ebiederm.org> <84824f79-2d12-0fd5-5b32-b0360eb075ac@gmail.com> <20190927135708.GD11791@gardel-login> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: Sender: linux-ext4-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-ext4@vger.kernel.org On Fr, 27.09.19 08:58, Linus Torvalds (torvalds@linux-foundation.org) wrote: > On Fri, Sep 27, 2019 at 6:57 AM Lennart Poettering wrote: > > > > Doing the random seed in the boot loader is nice for two reasons: > > > > 1. It runs very very early, so that the OS can come up with fully > > initialized entropy right from the beginning. > > Oh, that part I love. > > But I don't believe in your second case: > > > 2. The boot loader generally has found some disk to read the kernel from, > > i.e. has a place where stuff can be stored and which can be updated > > (most modern boot loaders can write to disk these days, and so can > > EFI). Thus, it can derive a new random seed from a stored seed on disk > > and pass it to the OS *AND* update it right away on disk ensuring that > > it is never reused again. > > No. This is absolutely no different at all from user space doing it > early with a file. > > All the same "golden image" issues exist, and in general the less the > boot loader writes to disk, the better. > > Plus it doesn't actually work anyway in the one situation where people > _really_ want it - embedded devices, where the kernel image is quite > possibly in read-only flash that needs major setup for updates. > > PLUS. > > Your "it can update it right away on disk" is just crazy talk. With > WHAT? It has no randomness to play with, and it doesn't have time to > do jitter entropy stuff. So these two issues are addressed by the logic implemented in sd-boot (systemd's boot loader) like this: The old seed is read off the ESP seed file. We then calculate two hash sums in counter mode from it (SHA256), one we pass to the OS as seed to initialize the random pool from. The other we use to update the ESP seed file with. Unless you are capable of breaking SHA256 this means the seed passed to the OS and the new seed stored on disk are derived from the same seed but in a way you cannot determine one if you managed to learn the other. Moreover, on each boot you are guaranteed to get two new seeds, each time, and you cannot derive the sums used on previous boots from those. This means we are robust towards potential seed reuse when turning the system forcibly off during boot. Now, what's still missing in the above is protection against "golden image" issues, as you correctly pointed out. To deal with that the SHA256 sums are not just hashed from the old seed and the counter, but also include a system specific "system token" (you may also call it "salt") which is stored in an EFI variable, persistently, which was created once, during system installation. This hence gives you the behaviour your are looking for, using the NVRAM like you suggested, but we don't need to write the EFI vars all the time, as instead we update the seed file stored in the ESP each time, and updating the ESP should be safer and less problematic (i.e. if everything is done right it's a single sector write). To make this safer, on EFI firmwares that support the RNG protocol we also include some data derived from that in the hash, just for good measure. To sumarize: NEWDISKSEED = SHA256(OLDDISKSEED || SYSTEMTOKEN || EFIRNGVAL || "1") SEEDFORLINUX = SHA256(OLDDISKSEED || SYSTEMTOKEN || EFIRNGVAL || "2") (and no, this is not a crypto scheme I designed, but something Dr. Bertram Poettering (my brother, a cryptographer) suggested) > So all it can do is a really bad job at taking the previous random > seed, doing some transformation on it, and add a little bit of > whatever system randomness it can find. None of which is any better > than what the kernel can do. Well, the kernel cannot hash and rewrite the old seed file early enough, it's that simple. It can do that only when /var becomes writable, i.e. very late during boot, much later than when we need entropy for. The boot loader on the hand, can hash and rewrite the old seed file even before the kernel initializes, and that's the big benefit! > End result: you'd need to have the kernel update whatever bootloader > data later on, and I'm not seeing that happening. Afaik the current > bootloader interface has no way to specify how to update it when you > actually have better randomness. So, you could, but don't have to update the ESP random seed file from the OS too, every now and then, but the security of the model dos not rely on that. (And yes, the above doesn't help if you have a fully R/O medium, but those tend to be embedded devices, and I am much less concerned about those, the designers really can deal with the RNG seed issues themselves, and maybe provide some hw to do it; it's the generic user PCs that we should be concerned about, and for those the above should generally work) Lennart -- Lennart Poettering, Berlin