* [PATCH v3 0/8] Rework random blocking
@ 2019-12-23  8:20 Andy Lutomirski
From: Andy Lutomirski @ 2019-12-23  8:20 UTC
  To: Ted Ts'o
  Cc: LKML, Linux API, Kees Cook, Jason A. Donenfeld, Ahmed S. Darwish,
	Lennart Poettering, Eric W. Biederman, Alexander E. Patrakov,
	Michael Kerrisk, Willy Tarreau, Matthew Garrett,
	Ext4 Developers List, linux-man, Stephan Mueller,
	Andy Lutomirski

This makes two major semantic changes to Linux's random APIs:

It adds getentropy(..., GRND_INSECURE).  This causes getentropy to
always return *something*.  There is no guarantee whatsoever that
the result will be cryptographically random or even unique, but the
kernel will give the best quality random output it can.  The name is
a big hint: the resulting output is INSECURE.

The purpose of this is to allow programs that genuinely want
best-effort entropy to get it without resorting to /dev/urandom.
Plenty of programs do this because they need to do *something*
during boot and they can't afford to wait.  Calling it "INSECURE" is
probably the best we can do to discourage using this API for things
that need security.

This series also removes the blocking pool and makes /dev/random
work just like getentropy(..., 0) and makes GRND_RANDOM a no-op.  I
believe that Linux's blocking pool has outlived its usefulness.
Linux's CRNG generates output that is good enough to use even for
key generation.  The blocking pool is not stronger in any material
way, and keeping it around requires a lot of infrastructure of
dubious value.

This series should not break any existing programs.  /dev/urandom is
unchanged.  /dev/random will still block just after booting, but it
will block less than it used to.  getentropy() with existing flags
will return output that is, for practical purposes, just as strong
as before.

There are some open questions and future work here:

Should the kernel provide an interface to get software-generated
"true random" numbers?  I can think of only one legitimate reason to
use such an interface: compliance with government standards.  If the
kernel provides such an interface going forward, I think it should
be a brand new character device, and it should have a default mode
0440 or similar.  Software-generated "true random numbers" are a
very limited resource, and resource exhaustion is a big deal.  Ask
anyone who has twiddled their thumbs while waiting for gnupg to
generate a key.  If we think the kernel might do such a thing, then
patches 5-8 could be tabled for now.

Alternatively, perhaps the kernel should instead provide a
privileged interface to read out raw samples from the various
entropy sources, and users who care could have a user daemon that
does something intelligent with them.  This would push the mess of
trying to comply with whatever standards are involved to userspace.
Userspace could then export "true randomness" via CUSE if it is so
inclined, or could have a socket with a well-known name, or whatever
else seems appropriate.

I think that each available hwrng device should have its own
character device, which will make it much easier to use sensibly
from user mode.  But I don't think this series needs to block on
this.

Changes from v2:
 - Fix some bugs in the conditions that cause warnings.  Patch 2 is new.
 - Rebase to Linus' tree today.  This didn't change anything.

Changes from v1:
 - Rebased to v5.3.  No other changes.

Andy Lutomirski (8):
  random: Don't wake crng_init_wait when crng_init == 1
  random: Add a urandom_read_nowait() for random APIs that don't warn
  random: Add GRND_INSECURE to return best-effort non-cryptographic
    bytes
  random: Ignore GRND_RANDOM in getentropy(2)
  random: Make /dev/random be almost like /dev/urandom
  random: Remove the blocking pool
  random: Delete code to pull data into pools
  random: Remove kernel.random.read_wakeup_threshold

 drivers/char/random.c       | 245 +++++-------------------------------
 include/uapi/linux/random.h |   4 +-
 2 files changed, 37 insertions(+), 212 deletions(-)

-- 
2.23.0
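
Added example, not part of the original message or the patch series: a caller-side sketch of the split the cover letter describes, where key material waits for the CRNG and boot-time, non-security consumers take best-effort bytes without blocking. It assumes the flag is passed to getrandom(2) with the value 0x0004 used by the mainline uapi header; `fill`, `fill_secure`, `fill_best_effort` and `enum rng_quality` are hypothetical names.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <sys/random.h>
#include <sys/types.h>

#ifndef GRND_INSECURE
#define GRND_INSECURE 0x0004 /* assumption: mainline uapi value, missing from older libc headers */
#endif

/* Label returned with best-effort bytes so callers cannot mistake them for key material. */
enum rng_quality { RNG_FAILED = -1, RNG_CRYPTO = 0, RNG_BEST_EFFORT = 1 };

/* Loop over short reads and EINTR; returns 0 on success or -errno. */
static int fill(void *buf, size_t len, unsigned int flags)
{
    unsigned char *p = buf;
    while (len > 0) {
        ssize_t n = getrandom(p, len, flags);
        if (n < 0) {
            if (errno == EINTR)
                continue;
            return -errno;
        }
        p += n;
        len -= (size_t)n;
    }
    return 0;
}

/* Key generation: flags == 0 blocks until the CRNG is initialised. */
int fill_secure(void *buf, size_t len)
{
    return fill(buf, len, 0);
}

/* Boot-time, non-security use (hash seeds, jitter): never blocks. */
enum rng_quality fill_best_effort(void *buf, size_t len)
{
    if (fill(buf, len, GRND_NONBLOCK) == 0)
        return RNG_CRYPTO;       /* CRNG already initialised */
    if (fill(buf, len, GRND_INSECURE) == 0)
        return RNG_BEST_EFFORT;  /* CRNG not ready: bytes are INSECURE */
    return RNG_FAILED;           /* e.g. EINVAL on a kernel without the flag */
}

int main(void)
{
    unsigned char seed[16];
    printf("seed quality: %d\n", fill_best_effort(seed, sizeof seed));
    return 0;
}
```

A caller that receives `RNG_BEST_EFFORT` should reseed from `fill_secure()` later if the value ends up protecting anything.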


Thread overview: 43+ messages
2019-12-23  8:20 [PATCH v3 0/8] Rework random blocking Andy Lutomirski
2019-12-23  8:20 ` [PATCH v3 1/8] random: Don't wake crng_init_wait when crng_init == 1 Andy Lutomirski
2020-01-07 20:42   ` Theodore Y. Ts'o
2019-12-23  8:20 ` [PATCH v3 2/8] random: Add a urandom_read_nowait() for random APIs that don't warn Andy Lutomirski
2020-01-07 20:43   ` Theodore Y. Ts'o
2019-12-23  8:20 ` [PATCH v3 3/8] random: Add GRND_INSECURE to return best-effort non-cryptographic bytes Andy Lutomirski
2020-01-07 20:44   ` Theodore Y. Ts'o
2019-12-23  8:20 ` [PATCH v3 4/8] random: Ignore GRND_RANDOM in getentropy(2) Andy Lutomirski
2020-01-07 20:44   ` Theodore Y. Ts'o
2019-12-23  8:20 ` [PATCH v3 5/8] random: Make /dev/random be almost like /dev/urandom Andy Lutomirski
2020-01-07 21:02   ` Theodore Y. Ts'o
2019-12-23  8:20 ` [PATCH v3 6/8] random: Remove the blocking pool Andy Lutomirski
2020-01-07 21:03   ` Theodore Y. Ts'o
2019-12-23  8:20 ` [PATCH v3 7/8] random: Delete code to pull data into pools Andy Lutomirski
2020-01-07 21:03   ` Theodore Y. Ts'o
2019-12-23  8:20 ` [PATCH v3 8/8] random: Remove kernel.random.read_wakeup_threshold Andy Lutomirski
2020-01-07 21:04   ` Theodore Y. Ts'o
2019-12-26  9:29 ` [PATCH v3 0/8] Rework random blocking Stephan Müller
2019-12-26 10:03   ` Matthew Garrett
2019-12-26 11:40     ` Stephan Mueller
2019-12-26 11:12   ` Andy Lutomirski
2019-12-26 12:03     ` Stephan Mueller
2019-12-26 12:46       ` Andy Lutomirski
2019-12-27  9:55         ` Stephan Mueller
2019-12-26 14:04       ` Theodore Y. Ts'o
2019-12-26 23:29         ` Andy Lutomirski
2019-12-27 10:29           ` Stephan Mueller
2019-12-27 13:04             ` Theodore Y. Ts'o
2019-12-27 21:22               ` Stephan Mueller
2019-12-27 22:08                 ` Theodore Y. Ts'o
2019-12-28  2:06                   ` Andy Lutomirski
2019-12-29 14:49                     ` Theodore Y. Ts'o
2019-12-29 15:08                       ` Andy Lutomirski
2019-12-28  7:01                   ` Willy Tarreau
2020-01-09 22:02                   ` Kurt Roeckx
2020-01-09 22:40                     ` Theodore Y. Ts'o
2020-01-09 23:02                       ` Kurt Roeckx
2020-01-10  7:53                         ` Stephan Mueller
2020-01-10  0:30                     ` Andy Lutomirski
