From mboxrd@z Thu Jan 1 00:00:00 1970 From: "Jason A. Donenfeld" Date: Mon, 18 Sep 2017 11:24:18 +0000 Subject: Re: [PATCH v4] security/keys: rewrite all of big_key crypto Message-Id: MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit List-Id: References: <20170916130034.17706-1-Jason@zx2c4.com> <2681038.03lnYPhpsa@tauon.chronox.de> In-Reply-To: <2681038.03lnYPhpsa@tauon.chronox.de> To: Stephan Mueller Cc: linux-security-module@vger.kernel.org, keyrings@vger.kernel.org, kernel-hardening@lists.openwall.com, LKML , David Howells , Eric Biggers , Herbert Xu , Kirill Marinushkin , Ard Biesheuvel , Ilhan Gurel , security@kernel.org, stable@vger.kernel.org, Theodore Ts'o Hello Stephan, I realize you have your Linux RNG project, which is a very worthwhile goal that I support you in. I hope you're eventually successful, and I apologize for not being more available in the last 2.5 months to chime in on that patchset thread you posted. However, your message to this thread here is a completely inappropriate and nonsensical hijacking, which makes me entirely question your overall judgement. (David -- please don't let such hijacking derail or delay these critical vulnerability fixes from landing.) > This change is a challenge. The use of the kernel crypto API's DRNG has been > made to allow FIPS 140-2 compliance. Otherwise, the entire key generation > logic will not be using the right(TM) DRNG. Thus, I would not suggest to > replace that for a stable tree. Complete and utter nonsense. This patch has a history (this is already v6), and it's pretty obvious from prior discussion and conclusion that the only reason "crypto/rng" was used for this is because the original author just had no idea what he was doing (thus leading to using ECB as well). Besides, from what RNG do you think the seed for that was generated? > Note, I am currently working on a pluggable DRNG apporach for /dev/random and > /dev/urandom to be able to get rid of the use of the kernel crypto API's DRNG > API. It is ready and I will air that solution shortly. Good to hear you're still working on that project. > Yet, it needs work to > be integrated upstream (and approval from Ted Tso). Good luck with getting approval... While Ted and I have our differences like any two kernel developers, I really tend agree with him in his attitude about this FIPS silliness. It's unlikely you're going to be able to shovel this stuff into random.c, and I think doing so will undermine your entire LRNG effort. > An SP800-90A-compliant DRNG must be used in those circumstances. Again, complete and utter unsubstantiated nonsense. > Then I would recommend to leave it as is or hear complaints from other users. What a poor lack of judgement. I get it -- this FIPS compliance backwardness is something you're keen about. But don't start hijacking every thread that involves randomness with a demand to replace calls to get_random_bytes with wrappers in outdated, flawed, government compliance crypto API key expanders. From a cryptographic point of view it's a ridiculous demand. And from an engineering point of view, it's a ridiculous demand too, for if get_random_bytes already returned FIPS-compliant randomness, you wouldn't be writing this email here. Instead, if you want your FIPS garbage in the Linux RNG, take your battle for that over to random.c. I'll oppose you to the end on it, but at the very least it will the the appropriate venue for that discussion. In the meantime, stop hijacking this thread. Thanks, Jason PS: apologies for what's probably perceived as an unfriendly and overly hostile tone of this email. It's not my intention to alienate you, but I do feel necessary in these circumstances to write as directly as possible. From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1755296AbdIRLYY (ORCPT ); Mon, 18 Sep 2017 07:24:24 -0400 Received: from frisell.zx2c4.com ([192.95.5.64]:53825 "EHLO frisell.zx2c4.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751016AbdIRLYW (ORCPT ); Mon, 18 Sep 2017 07:24:22 -0400 X-Google-Smtp-Source: AOwi7QBFyUnppYXmsVwSX43kG1PpNCpAVFg2pCiyhb45CEKeNW1yBLzZWyG111i8lq7mOzfysaN4EjOaiXj7ehy6uv8= MIME-Version: 1.0 In-Reply-To: <2681038.03lnYPhpsa@tauon.chronox.de> References: <20170916130034.17706-1-Jason@zx2c4.com> <2681038.03lnYPhpsa@tauon.chronox.de> From: "Jason A. Donenfeld" Date: Mon, 18 Sep 2017 13:24:18 +0200 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: [PATCH v4] security/keys: rewrite all of big_key crypto To: Stephan Mueller Cc: linux-security-module@vger.kernel.org, keyrings@vger.kernel.org, kernel-hardening@lists.openwall.com, LKML , David Howells , Eric Biggers , Herbert Xu , Kirill Marinushkin , Ard Biesheuvel , Ilhan Gurel , security@kernel.org, stable@vger.kernel.org, "Theodore Ts'o" Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Hello Stephan, I realize you have your Linux RNG project, which is a very worthwhile goal that I support you in. I hope you're eventually successful, and I apologize for not being more available in the last 2.5 months to chime in on that patchset thread you posted. However, your message to this thread here is a completely inappropriate and nonsensical hijacking, which makes me entirely question your overall judgement. (David -- please don't let such hijacking derail or delay these critical vulnerability fixes from landing.) > This change is a challenge. The use of the kernel crypto API's DRNG has been > made to allow FIPS 140-2 compliance. Otherwise, the entire key generation > logic will not be using the right(TM) DRNG. Thus, I would not suggest to > replace that for a stable tree. Complete and utter nonsense. This patch has a history (this is already v6), and it's pretty obvious from prior discussion and conclusion that the only reason "crypto/rng" was used for this is because the original author just had no idea what he was doing (thus leading to using ECB as well). Besides, from what RNG do you think the seed for that was generated? > Note, I am currently working on a pluggable DRNG apporach for /dev/random and > /dev/urandom to be able to get rid of the use of the kernel crypto API's DRNG > API. It is ready and I will air that solution shortly. Good to hear you're still working on that project. > Yet, it needs work to > be integrated upstream (and approval from Ted Tso). Good luck with getting approval... While Ted and I have our differences like any two kernel developers, I really tend agree with him in his attitude about this FIPS silliness. It's unlikely you're going to be able to shovel this stuff into random.c, and I think doing so will undermine your entire LRNG effort. > An SP800-90A-compliant DRNG must be used in those circumstances. Again, complete and utter unsubstantiated nonsense. > Then I would recommend to leave it as is or hear complaints from other users. What a poor lack of judgement. I get it -- this FIPS compliance backwardness is something you're keen about. But don't start hijacking every thread that involves randomness with a demand to replace calls to get_random_bytes with wrappers in outdated, flawed, government compliance crypto API key expanders. From a cryptographic point of view it's a ridiculous demand. And from an engineering point of view, it's a ridiculous demand too, for if get_random_bytes already returned FIPS-compliant randomness, you wouldn't be writing this email here. Instead, if you want your FIPS garbage in the Linux RNG, take your battle for that over to random.c. I'll oppose you to the end on it, but at the very least it will the the appropriate venue for that discussion. In the meantime, stop hijacking this thread. Thanks, Jason PS: apologies for what's probably perceived as an unfriendly and overly hostile tone of this email. It's not my intention to alienate you, but I do feel necessary in these circumstances to write as directly as possible. From mboxrd@z Thu Jan 1 00:00:00 1970 From: Jason@zx2c4.com (Jason A. Donenfeld) Date: Mon, 18 Sep 2017 13:24:18 +0200 Subject: [PATCH v4] security/keys: rewrite all of big_key crypto In-Reply-To: <2681038.03lnYPhpsa@tauon.chronox.de> References: <20170916130034.17706-1-Jason@zx2c4.com> <2681038.03lnYPhpsa@tauon.chronox.de> Message-ID: To: linux-security-module@vger.kernel.org List-Id: linux-security-module.vger.kernel.org Hello Stephan, I realize you have your Linux RNG project, which is a very worthwhile goal that I support you in. I hope you're eventually successful, and I apologize for not being more available in the last 2.5 months to chime in on that patchset thread you posted. However, your message to this thread here is a completely inappropriate and nonsensical hijacking, which makes me entirely question your overall judgement. (David -- please don't let such hijacking derail or delay these critical vulnerability fixes from landing.) > This change is a challenge. The use of the kernel crypto API's DRNG has been > made to allow FIPS 140-2 compliance. Otherwise, the entire key generation > logic will not be using the right(TM) DRNG. Thus, I would not suggest to > replace that for a stable tree. Complete and utter nonsense. This patch has a history (this is already v6), and it's pretty obvious from prior discussion and conclusion that the only reason "crypto/rng" was used for this is because the original author just had no idea what he was doing (thus leading to using ECB as well). Besides, from what RNG do you think the seed for that was generated? > Note, I am currently working on a pluggable DRNG apporach for /dev/random and > /dev/urandom to be able to get rid of the use of the kernel crypto API's DRNG > API. It is ready and I will air that solution shortly. Good to hear you're still working on that project. > Yet, it needs work to > be integrated upstream (and approval from Ted Tso). Good luck with getting approval... While Ted and I have our differences like any two kernel developers, I really tend agree with him in his attitude about this FIPS silliness. It's unlikely you're going to be able to shovel this stuff into random.c, and I think doing so will undermine your entire LRNG effort. > An SP800-90A-compliant DRNG must be used in those circumstances. Again, complete and utter unsubstantiated nonsense. > Then I would recommend to leave it as is or hear complaints from other users. What a poor lack of judgement. I get it -- this FIPS compliance backwardness is something you're keen about. But don't start hijacking every thread that involves randomness with a demand to replace calls to get_random_bytes with wrappers in outdated, flawed, government compliance crypto API key expanders. From a cryptographic point of view it's a ridiculous demand. And from an engineering point of view, it's a ridiculous demand too, for if get_random_bytes already returned FIPS-compliant randomness, you wouldn't be writing this email here. Instead, if you want your FIPS garbage in the Linux RNG, take your battle for that over to random.c. I'll oppose you to the end on it, but at the very least it will the the appropriate venue for that discussion. In the meantime, stop hijacking this thread. Thanks, Jason PS: apologies for what's probably perceived as an unfriendly and overly hostile tone of this email. It's not my intention to alienate you, but I do feel necessary in these circumstances to write as directly as possible. -- To unsubscribe from this list: send the line "unsubscribe linux-security-module" in the body of a message to majordomo at vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html From mboxrd@z Thu Jan 1 00:00:00 1970 MIME-Version: 1.0 In-Reply-To: <2681038.03lnYPhpsa@tauon.chronox.de> References: <20170916130034.17706-1-Jason@zx2c4.com> <2681038.03lnYPhpsa@tauon.chronox.de> From: "Jason A. Donenfeld" Date: Mon, 18 Sep 2017 13:24:18 +0200 Message-ID: Content-Type: text/plain; charset="UTF-8" Subject: [kernel-hardening] Re: [PATCH v4] security/keys: rewrite all of big_key crypto To: Stephan Mueller Cc: linux-security-module@vger.kernel.org, keyrings@vger.kernel.org, kernel-hardening@lists.openwall.com, LKML , David Howells , Eric Biggers , Herbert Xu , Kirill Marinushkin , Ard Biesheuvel , Ilhan Gurel , security@kernel.org, stable@vger.kernel.org, Theodore Ts'o List-ID: Hello Stephan, I realize you have your Linux RNG project, which is a very worthwhile goal that I support you in. I hope you're eventually successful, and I apologize for not being more available in the last 2.5 months to chime in on that patchset thread you posted. However, your message to this thread here is a completely inappropriate and nonsensical hijacking, which makes me entirely question your overall judgement. (David -- please don't let such hijacking derail or delay these critical vulnerability fixes from landing.) > This change is a challenge. The use of the kernel crypto API's DRNG has been > made to allow FIPS 140-2 compliance. Otherwise, the entire key generation > logic will not be using the right(TM) DRNG. Thus, I would not suggest to > replace that for a stable tree. Complete and utter nonsense. This patch has a history (this is already v6), and it's pretty obvious from prior discussion and conclusion that the only reason "crypto/rng" was used for this is because the original author just had no idea what he was doing (thus leading to using ECB as well). Besides, from what RNG do you think the seed for that was generated? > Note, I am currently working on a pluggable DRNG apporach for /dev/random and > /dev/urandom to be able to get rid of the use of the kernel crypto API's DRNG > API. It is ready and I will air that solution shortly. Good to hear you're still working on that project. > Yet, it needs work to > be integrated upstream (and approval from Ted Tso). Good luck with getting approval... While Ted and I have our differences like any two kernel developers, I really tend agree with him in his attitude about this FIPS silliness. It's unlikely you're going to be able to shovel this stuff into random.c, and I think doing so will undermine your entire LRNG effort. > An SP800-90A-compliant DRNG must be used in those circumstances. Again, complete and utter unsubstantiated nonsense. > Then I would recommend to leave it as is or hear complaints from other users. What a poor lack of judgement. I get it -- this FIPS compliance backwardness is something you're keen about. But don't start hijacking every thread that involves randomness with a demand to replace calls to get_random_bytes with wrappers in outdated, flawed, government compliance crypto API key expanders. From a cryptographic point of view it's a ridiculous demand. And from an engineering point of view, it's a ridiculous demand too, for if get_random_bytes already returned FIPS-compliant randomness, you wouldn't be writing this email here. Instead, if you want your FIPS garbage in the Linux RNG, take your battle for that over to random.c. I'll oppose you to the end on it, but at the very least it will the the appropriate venue for that discussion. In the meantime, stop hijacking this thread. Thanks, Jason PS: apologies for what's probably perceived as an unfriendly and overly hostile tone of this email. It's not my intention to alienate you, but I do feel necessary in these circumstances to write as directly as possible.