From: Stephan Mueller <smueller@chronox.de> To: Kurt Roeckx <kurt@roeckx.be> Cc: "Theodore Y. Ts'o" <tytso@mit.edu>, Andy Lutomirski <luto@amacapital.net>, Andy Lutomirski <luto@kernel.org>, LKML <linux-kernel@vger.kernel.org>, Linux API <linux-api@vger.kernel.org>, Kees Cook <keescook@chromium.org>, "Jason A. Donenfeld" <Jason@zx2c4.com>, "Ahmed S. Darwish" <darwish.07@gmail.com>, Lennart Poettering <mzxreary@0pointer.de>, "Eric W. Biederman" <ebiederm@xmission.com>, "Alexander E. Patrakov" <patrakov@gmail.com>, Michael Kerrisk <mtk.manpages@gmail.com>, Willy Tarreau <w@1wt.eu>, Matthew Garrett <mjg59@srcf.ucam.org>, Ext4 Developers List <linux-ext4@vger.kernel.org>, linux-man <linux-man@vger.kernel.org> Subject: Re: [PATCH v3 0/8] Rework random blocking Date: Fri, 10 Jan 2020 08:53:54 +0100 [thread overview] Message-ID: <7629501.YrHEAiJyVJ@tauon.chronox.de> (raw) In-Reply-To: <20200109230237.GA2992@roeckx.be> Am Freitag, 10. Januar 2020, 00:02:37 CET schrieb Kurt Roeckx: Hi Kurt, > On Thu, Jan 09, 2020 at 05:40:11PM -0500, Theodore Y. Ts'o wrote: > > On Thu, Jan 09, 2020 at 11:02:30PM +0100, Kurt Roeckx wrote: > > > One thing the NIST DRBGs have is prediction resistance, which is > > > done by reseeding. If you chain DRBGs, you tell your parent DRBG > > > that you want prediction resistance, so your parent will also > > > reseed. There currently is no way to tell the kernel to reseed. > > > > It would be simple enough to add a new flag, perhaps GRND_RESEED, to > > getrandom() which requests that the kernel reseed first. This would > > require sufficient amounts of entropy in the input pool to do the > > reseed; if there is not enough, the getrandom() call would block until > > there was enough. If GRND_NONBLOCK is supplied, then getrandom() > > would return EAGAIN if there wasn't sufficient entropy. > > > > Is this what you want? > > I think some people might want to see it, but I think you > shouldn't add it. Just for your information: I played with that already as seen in [1] which does not require any kernel change. The only issue that is currently there are the two races noted in [1]. These races seem to be only addressable when the reseeding and the gathering of random numbers are atomic. I was toying with the idea that the RNDRESEEDCRNG allows the user to specify an output buffer which would be filled in an atomic operation when the reseed is invoked. That buffer should only be at most in size of the security strength of the DRNG. [1] https://github.com/smuellerDD/lrng/blob/master/test/syscall_test.c#L101 > > > > I don't think we want that. As far as I know, the only reason for > > > using /dev/random is that /dev/urandom returns data before it > > > has sufficient entropy. > > > > Is there any objections to just using getrandom(2)? > > It provides the interface we want, so no. But there are still > people who don't have it for various reasons. OpenSSL actually > does the system call itself if libc doesn't provider a wrapper for > it. > > > Kurt Ciao Stephan
WARNING: multiple messages have this Message-ID (diff)
From: Stephan Mueller <smueller-T9tCv8IpfcWELgA04lAiVw@public.gmane.org> To: Kurt Roeckx <kurt-burXGKnpAKGzQB+pC5nmwQ@public.gmane.org> Cc: "Theodore Y. Ts'o" <tytso-3s7WtUTddSA@public.gmane.org>, Andy Lutomirski <luto-kltTT9wpgjJwATOyAt5JVQ@public.gmane.org>, Andy Lutomirski <luto-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org>, LKML <linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>, Linux API <linux-api-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>, Kees Cook <keescook-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org>, "Jason A. Donenfeld" <Jason-OnJsPKxuuEcAvxtiuMwx3w@public.gmane.org>, "Ahmed S. Darwish" <darwish.07-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>, Lennart Poettering <mzxreary-uLTowLwuiw4b1SvskN2V4Q@public.gmane.org>, "Eric W. Biederman" <ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>, "Alexander E. Patrakov" <patrakov-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>, Michael Kerrisk <mtk.manpages-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>, Willy Tarreau <w@1wt.eu>, Matthew Garrett <mjg59-1xO5oi07KQx4cg9Nei1l7Q@public.gmane.org>, Ext4 Developers List <linux-ext4-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>, linux-man <linux-man-u79uwXL29TY76Z2rM5mHXA@public.gmane.org> Subject: Re: [PATCH v3 0/8] Rework random blocking Date: Fri, 10 Jan 2020 08:53:54 +0100 [thread overview] Message-ID: <7629501.YrHEAiJyVJ@tauon.chronox.de> (raw) In-Reply-To: <20200109230237.GA2992-burXGKnpAKGzQB+pC5nmwQ@public.gmane.org> Am Freitag, 10. Januar 2020, 00:02:37 CET schrieb Kurt Roeckx: Hi Kurt, > On Thu, Jan 09, 2020 at 05:40:11PM -0500, Theodore Y. Ts'o wrote: > > On Thu, Jan 09, 2020 at 11:02:30PM +0100, Kurt Roeckx wrote: > > > One thing the NIST DRBGs have is prediction resistance, which is > > > done by reseeding. If you chain DRBGs, you tell your parent DRBG > > > that you want prediction resistance, so your parent will also > > > reseed. There currently is no way to tell the kernel to reseed. > > > > It would be simple enough to add a new flag, perhaps GRND_RESEED, to > > getrandom() which requests that the kernel reseed first. This would > > require sufficient amounts of entropy in the input pool to do the > > reseed; if there is not enough, the getrandom() call would block until > > there was enough. If GRND_NONBLOCK is supplied, then getrandom() > > would return EAGAIN if there wasn't sufficient entropy. > > > > Is this what you want? > > I think some people might want to see it, but I think you > shouldn't add it. Just for your information: I played with that already as seen in [1] which does not require any kernel change. The only issue that is currently there are the two races noted in [1]. These races seem to be only addressable when the reseeding and the gathering of random numbers are atomic. I was toying with the idea that the RNDRESEEDCRNG allows the user to specify an output buffer which would be filled in an atomic operation when the reseed is invoked. That buffer should only be at most in size of the security strength of the DRNG. [1] https://github.com/smuellerDD/lrng/blob/master/test/syscall_test.c#L101 > > > > I don't think we want that. As far as I know, the only reason for > > > using /dev/random is that /dev/urandom returns data before it > > > has sufficient entropy. > > > > Is there any objections to just using getrandom(2)? > > It provides the interface we want, so no. But there are still > people who don't have it for various reasons. OpenSSL actually > does the system call itself if libc doesn't provider a wrapper for > it. > > > Kurt Ciao Stephan
next prev parent reply other threads:[~2020-01-10 7:54 UTC|newest] Thread overview: 43+ messages / expand[flat|nested] mbox.gz Atom feed top 2019-12-23 8:20 [PATCH v3 0/8] Rework random blocking Andy Lutomirski 2019-12-23 8:20 ` [PATCH v3 1/8] random: Don't wake crng_init_wait when crng_init == 1 Andy Lutomirski 2020-01-07 20:42 ` Theodore Y. Ts'o 2019-12-23 8:20 ` [PATCH v3 2/8] random: Add a urandom_read_nowait() for random APIs that don't warn Andy Lutomirski 2020-01-07 20:43 ` Theodore Y. Ts'o 2019-12-23 8:20 ` [PATCH v3 3/8] random: Add GRND_INSECURE to return best-effort non-cryptographic bytes Andy Lutomirski 2020-01-07 20:44 ` Theodore Y. Ts'o 2019-12-23 8:20 ` [PATCH v3 4/8] random: Ignore GRND_RANDOM in getentropy(2) Andy Lutomirski 2020-01-07 20:44 ` Theodore Y. Ts'o 2019-12-23 8:20 ` [PATCH v3 5/8] random: Make /dev/random be almost like /dev/urandom Andy Lutomirski 2020-01-07 21:02 ` Theodore Y. Ts'o 2019-12-23 8:20 ` [PATCH v3 6/8] random: Remove the blocking pool Andy Lutomirski 2020-01-07 21:03 ` Theodore Y. Ts'o 2019-12-23 8:20 ` [PATCH v3 7/8] random: Delete code to pull data into pools Andy Lutomirski 2020-01-07 21:03 ` Theodore Y. Ts'o 2019-12-23 8:20 ` [PATCH v3 8/8] random: Remove kernel.random.read_wakeup_threshold Andy Lutomirski 2020-01-07 21:04 ` Theodore Y. Ts'o 2019-12-26 9:29 ` [PATCH v3 0/8] Rework random blocking Stephan Müller 2019-12-26 10:03 ` Matthew Garrett 2019-12-26 11:40 ` Stephan Mueller 2019-12-26 11:12 ` Andy Lutomirski 2019-12-26 12:03 ` Stephan Mueller 2019-12-26 12:46 ` Andy Lutomirski 2019-12-27 9:55 ` Stephan Mueller 2019-12-26 14:04 ` Theodore Y. Ts'o 2019-12-26 23:29 ` Andy Lutomirski 2019-12-27 10:29 ` Stephan Mueller 2019-12-27 13:04 ` Theodore Y. Ts'o 2019-12-27 21:22 ` Stephan Mueller 2019-12-27 22:08 ` Theodore Y. Ts'o 2019-12-28 2:06 ` Andy Lutomirski 2019-12-29 14:49 ` Theodore Y. Ts'o 2019-12-29 15:08 ` Andy Lutomirski 2019-12-28 7:01 ` Willy Tarreau 2020-01-09 22:02 ` Kurt Roeckx 2020-01-09 22:02 ` Kurt Roeckx 2020-01-09 22:40 ` Theodore Y. Ts'o 2020-01-09 22:40 ` Theodore Y. Ts'o 2020-01-09 23:02 ` Kurt Roeckx 2020-01-09 23:02 ` Kurt Roeckx 2020-01-10 7:53 ` Stephan Mueller [this message] 2020-01-10 7:53 ` Stephan Mueller 2020-01-10 0:30 ` Andy Lutomirski
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to=7629501.YrHEAiJyVJ@tauon.chronox.de \ --to=smueller@chronox.de \ --cc=Jason@zx2c4.com \ --cc=darwish.07@gmail.com \ --cc=ebiederm@xmission.com \ --cc=keescook@chromium.org \ --cc=kurt@roeckx.be \ --cc=linux-api@vger.kernel.org \ --cc=linux-ext4@vger.kernel.org \ --cc=linux-kernel@vger.kernel.org \ --cc=linux-man@vger.kernel.org \ --cc=luto@amacapital.net \ --cc=luto@kernel.org \ --cc=mjg59@srcf.ucam.org \ --cc=mtk.manpages@gmail.com \ --cc=mzxreary@0pointer.de \ --cc=patrakov@gmail.com \ --cc=tytso@mit.edu \ --cc=w@1wt.eu \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: linkBe sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.