Return-path: Received: from mail-ob0-f171.google.com ([209.85.214.171]:34241 "EHLO mail-ob0-f171.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751299Ab3KOSm3 (ORCPT ); Fri, 15 Nov 2013 13:42:29 -0500 Received: by mail-ob0-f171.google.com with SMTP id gq1so4270202obb.16 for ; Fri, 15 Nov 2013 10:42:28 -0800 (PST) MIME-Version: 1.0 In-Reply-To: <20131114041829.GA26901@order.stressinduktion.org> References: <2ea03f60bb65429cbe5d74a6d356fde3eefcf06c.1384160397.git.dborkman@redhat.com> <20131111134357.GC10104@thunk.org> <20131112000307.GB14929@order.stressinduktion.org> <20131112115350.GA14077@thunk.org> <20131112131627.GD14929@order.stressinduktion.org> <20131112134603.GE14929@order.stressinduktion.org> <20131114025448.GB31602@thunk.org> <20131114041829.GA26901@order.stressinduktion.org> Date: Fri, 15 Nov 2013 10:42:28 -0800 Message-ID: (sfid-20131115_194234_729761_1BE5980A) Subject: Re: [PATCH] random: seed random_int_secret at least poorly at core_initcall time From: Kees Cook To: "Theodore Ts'o" , Daniel Borkmann , "David S. Miller" , shemminger@networkplumber.org, Florian Weimer , netdev@vger.kernel.org, Eric Dumazet , linux-wireless@vger.kernel.org, Kees Cook Content-Type: text/plain; charset=ISO-8859-1 Sender: linux-wireless-owner@vger.kernel.org List-ID: On Wed, Nov 13, 2013 at 8:18 PM, Hannes Frederic Sowa wrote: > On Wed, Nov 13, 2013 at 09:54:48PM -0500, Theodore Ts'o wrote: >> On Tue, Nov 12, 2013 at 02:46:03PM +0100, Hannes Frederic Sowa wrote: >> > > It is needed by fork to set up the stack canary. And this actually gets >> > > called before the secret is initialized. >> > >> > Maybe we could use this for the time being and use the seeding method >> > of kaslr as soon as it hits the tree? >> >> Hmm, from what I can tell even early_initcall() is going to be early >> enough. The stack canary is set up by boot_init_stack_canary(), which >> is run very, very early in start_kerne() --- way before >> early_initcalls, or even before interrupts are enabled. So adding >> random_int_secret_init_early() as a core_initcall is still too late. > > Actually I tried to protect the tsk->stack_canary = get_random_int() > in fork.c. It sets up the per-task canary. I haven't looked closely yet at how the stack canary gets plumbed, but what do things outside of process context end up using? >> I wonder if we need to do something in common with what Kees has been >> considering for the kaslr code, since it's a similar issue --- we need >> random number way earlier than we can really afford to initialize >> /dev/random. > > Definiteley. I would also propose hashing the boot arguments, often > enough there is a filesystem UUID in there, or even hash the multiboot > information we are given from grub. Maybe compile-time entropy, at least > a bit. Yeah, other suggestions were things ACPI tables, memory layouts, etc. Basically anything that might be different from system to system. Even just perturbing by the build strings (which has compiler version, build date, build host, etc etc) gets us a tiny amount of entropy (which is still better than 0). >> P.S. Unless I'm missing something (and I hope I am), it would appear >> that the stack canary is going to easily predictable by an attacker on >> non-x86 platforms that don't have RDRAND. Has someone tested whether >> or not the stack canary isn't constant across ARM or pre-Sandy Bridge >> x86 systems? > > In case of protection for interrupt stacks and early cmwq threads, > it looks pretty bad from a first look at the source (at least for the > first initialized CPU). > > I'll try to do some tests tomorrow. > > Greetings, > > Hannes > -Kees -- Kees Cook Chrome OS Security