[Bug 214885] New: random.{4,7} [man-pages 5.13] do not reflect changes to /dev/random semantics since kernel 5.6

[Bug 214885] New: random.{4,7} [man-pages 5.13] do not reflect changes to /dev/random semantics since kernel 5.6

[bugzilla-daemon]

https://bugzilla.kernel.org/show_bug.cgi?id=214885

            Bug ID: 214885
           Summary: random.{4,7} [man-pages 5.13] do not reflect changes
                    to /dev/random semantics since kernel 5.6
           Product: Documentation
           Version: unspecified
          Hardware: All
                OS: Linux
            Status: NEW
          Severity: low
          Priority: P1
         Component: man-pages
          Assignee: documentation_man-pages@kernel-bugs.osdl.org
          Reporter: kerbug@zplane.com
        Regression: No

In kernel 5.6, the semantics of reading from /dev/random were changed
significantly [1][2]. If my understanding of [1] is correct -- and perhaps it
is not, I am not claiming any expertise -- /dev/random now behaves essentially
like /dev/urandom, except that it blocks only in the case of insufficient
initial entropy during boot, but never blocks thereafter. A few quick
experiments using kernel 5.14.14 seem to confirm that understanding.

This is a significant behavioral change but it does not seem to be reflected in
either random.4 or random.7 from man-pages release 5.13 (as provided in Arch
Linux man-pages 5.13-1). In looking thru the change history of those pages, it
does not seem that there have been any updates to either since man-pages 4.10. 

I'd be happy to offer a patch, but the required changes are not trivial and am
hestitant to contribute language on something that I don't have sufficient
familiarity with. 

Based on my quick experiments with kernel 5.14.14, at least the following
statements in random.4 seem to be entirely invalidated by the post 5.6
behavior:

  A read(2) from /dev/random will return at most 512 bytes (340
  bytes on Linux kernels before version 2.6.12):

      Observed behavior with 5.14.14: It returns up to 32MB, just as
/dev/urandom does.

  The subsection describing read_wakeup_threshold:

      This pseudo-file read_wakeup_threshold no longer exists in
/proc/sys/kernel/random.

- Glenn

[1]
https://github.com/torvalds/linux/commit/30c08efec8884fb106b8e57094baa51bb4c44e32
[2] https://lwn.net/Articles/808575/

-- 
You may reply to this email to add a comment.

You are receiving this mail because:
You are watching the assignee of the bug.

[Bug 214885] random.{4,7} [man-pages 5.13] do not reflect changes to /dev/random semantics since kernel 5.6

[bugzilla-daemon]

https://bugzilla.kernel.org/show_bug.cgi?id=214885

G. Golden (kerbug@zplane.com) changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Severity|low                         |normal

-- 
You may reply to this email to add a comment.

You are receiving this mail because:
You are watching the assignee of the bug.

[Bug 214885] random.{4,7} [man-pages 5.13] do not reflect changes to /dev/random semantics since kernel 5.6

[bugzilla-daemon]

https://bugzilla.kernel.org/show_bug.cgi?id=214885

Mingye Wang (arthur200126@gmail.com) changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |arthur200126@gmail.com

--- Comment #1 from Mingye Wang (arthur200126@gmail.com) ---
Ha, can confirm. Was putting my nose through these things starting with
https://words.filippo.io/dispatches/linux-csprng/.

Things to change:

## random.7

* We should remove the concept of a "blocking pool".
* GRND_RANDOM is no longer a thing. Remove the two rows.

filippo also questions the wisdom of recommending people to roll their own
PRNG, now that the ChaCha stuff is much faster. I don't know.

filippo reports that 5.4 (commit
https://github.com/torvalds/linux/commit/50ee7529ec4500c88f8664560770a7a1b65db72b)
has some magic to get entropy from jitter. We should document this behavior so
people know blocking will not be that bad.

## random.4

Yep, that's gonna be painful. I recommend adding a sub section for "pre-5.6
behavior".

## getrandom.2

Removal of GRND_RANDOM shall be noted.

-- 
You may reply to this email to add a comment.

You are receiving this mail because:
You are watching the assignee of the bug.

[Bug 214885] random.{4,7} [man-pages 5.13] do not reflect changes to /dev/random semantics since kernel 5.6

[bugzilla-daemon]

https://bugzilla.kernel.org/show_bug.cgi?id=214885

--- Comment #2 from Mingye Wang (arthur200126@gmail.com) ---
Created attachment 304322
  --> https://bugzilla.kernel.org/attachment.cgi?id=304322&action=edit
An attempt at an edit.

I feel like writing, so here goes my attempt at a patch.  Basically what was
requested by the reporter and myself in the preceding comment.

random.4:
* have the DESCRIPTION section rearranged such that the old and new random
behavior is split into two paragraphs. That will make reading easier.
* interface size changes & proc removal, as requested
* mention blocking time, as I requested
* I did NOT touch the comment in USAGE a lot. Old kernels will refuse to die
for a long time, so even though /dev/random acts exactly like getrandom() now,
we cannot tell people to expect that. So let's keep calling it a legacy
interface.

random.7:
Ho boy this is where most of it goes.
* Table demolition, as promised.
* Added table entry for GRND_INSECURE.
* Add mention of the unfortunate compromise that made /dev/urandom fast. I say
unfortunate, but we are all laughing because now we can dd that hard drive
FAST.
* "Choice of random source" revised to remove any recommendation of
/dev/random.  We would make an incorrect impression that the new change is
somehow less secure otherwise.
* "The old blocking pool" section added to further explain that removal was not
the mistake, /dev/random was.

-- 
You may reply to this email to add a comment.

You are receiving this mail because:
You are watching the assignee of the bug.

[PATCH] random.{4,7}, getrandom.2: Adapt to Linux 5.6 changes

[Mingye Wang]

[-- Attachment #1: Type: text/plain, Size: 187 bytes --]

Hi Alex,

I am still struggling with getting my mail client to send through a
proxy. The attached patch is the same as the bugzilla one, except that
the commit message has been expanded.

[-- Attachment #2: 0001-random.-4-7-getrandom.2-Adapt-to-Linux-5.6-changes.patch --]
[-- Type: application/octet-stream, Size: 9389 bytes --]

From 343b2ad76dc6d78daa529405f2ec7f9a3e2e65bf Mon Sep 17 00:00:00 2001
From: Mingye Wang <arthur200126@gmail.com>
Date: Thu, 25 May 2023 20:21:08 +0800
Subject: [PATCH] random.{4,7}, getrandom.2: Adapt to Linux 5.6 changes
In-Reply-To: <bug-214885-11311-M5kG7tptAp@https.bugzilla.kernel.org/>
X-Unsent: 1

Linux kernel 5.6 no longer has a blocking random pool.  This commit
updates all relevant references to reflect this change.

* random.7: Remove references to the blocking pool in the table.  Add a
  note about the blocking pool.
* random.7: Revise "choice of random source" to remove any recommen-
  dationof the blocking pool.  Stop suggesting that the blocking pool is
  safer (it's not after initialization).
* random.7: Add table entry for GRND_INSECURE.
* random.7: Weaken performance recommendation following the Linux 4.8
  CSPRNG speedup.
* getrandom.2: Add flag entry for GRND_INSECURE.
* getrandom.2: Add removal note to GRND_RANDOM.
* random.4: Split DESCRIPTION paragraph on /dev/random into two, one
  for the new behavior and the other for the old.
* random.4: Adjust size limits and /proc list for 5.6.
* random.4: Mention blocking resolution by high-precision timer entropy.

Changes not made:
* random.4: USAGE section largely unchanged.  Old kernels will stick
  around for a while.

Closes: https://bugzilla.kernel.org/show_bug.cgi?id=214885
Signed-Off-By: Mingye Wang <arthur200126@gmail.com>
---
 man2/getrandom.2 |  9 +++++
 man4/random.4    | 30 +++++++++-------
 man7/random.7    | 89 ++++++++++++++++++++++++++----------------------
 3 files changed, 75 insertions(+), 53 deletions(-)

diff --git a/man2/getrandom.2 b/man2/getrandom.2
index dbd23a0a6..fb2e948be 100644
--- a/man2/getrandom.2
+++ b/man2/getrandom.2
@@ -64,6 +64,8 @@ argument is a bit mask that can contain zero or more of the following values
 ORed together:
 .TP
 .B GRND_RANDOM
+.\" commit 48446f198f9adcb499b30332488dfd5bc3f176f6
+Ignored since Linux 5.6.
 If this bit is set, then random bytes are drawn from the
 .I random
 source
@@ -105,6 +107,13 @@ does not block in these cases, but instead immediately returns \-1 with
 .I errno
 set to
 .BR EAGAIN .
+.TP GRND_INSECURE
+.\" commit 75551dbf112c992bc6c99a972990b3f272247e23
+Added in Linux 5.6.
+Request best-effort, non-cryptographic-quality random bytes.
+If this bit is set, then
+.BR getrandom ()
+will never block or fail due to a lack of entropy.
 .SH RETURN VALUE
 On success,
 .BR getrandom ()
diff --git a/man4/random.4 b/man4/random.4
index edd047b77..6ce9992fe 100644
--- a/man4/random.4
+++ b/man4/random.4
@@ -58,16 +58,20 @@ If this is of concern in your application, use
 .BR getrandom (2)
 or \fI/dev/random\fP instead.
 .PP
-The \fI/dev/random\fP device is a legacy interface which dates back to
-a time where the cryptographic primitives used in the implementation
-of \fI/dev/urandom\fP were not widely trusted.
-It will return random bytes only within the estimated number of
-bits of fresh noise in the entropy pool, blocking if necessary.
-\fI/dev/random\fP is suitable for applications that need
+.\" commit 30c08efec8884fb106b8e57094baa51bb4c44e32
+As of Linux 5.6, \fI/dev/random\fP is identical to \fI/dev/urandom\fP,
+except that it blocks during early boot.  A jitter-based seeding technique
+added in Linux 5.4 should help to reduce block time. 
+.\" commit 50ee7529ec4500c88f8664560770a7a1b65db72b
+.PP
+The pre-5.6 \fI/dev/random\fP device is a legacy interface which dates
+back to a time where the cryptographic primitives used in the implementation
+of \fI/dev/urandom\fP were not widely trusted. It would return random bytes
+only within the estimated number of bits of fresh noise in the entropy pool,
+blocking until additional environmental noise is gathered.
+This old \fI/dev/random\fP is suitable for applications that need
 high quality randomness, and can afford indeterminate delays.
 .PP
-When the entropy pool is empty, reads from \fI/dev/random\fP will block
-until additional environmental noise is gathered.
 Since Linux 5.6, the
 .B O_NONBLOCK
 flag is ignored as
@@ -116,15 +120,16 @@ A
 .BR read (2)
 from
 .I /dev/random
-will return at most 512 bytes
+has the same maximum size since Linux 5.6. Between Linux 3.16 and 5.5,
+the maximum size was 512 bytes. (340 bytes before Linux 2.6.12)
 .\" SEC_XFER_SIZE in drivers/char/random.c
-(340 bytes before Linux 2.6.12).
+
 .PP
 Writing to \fI/dev/random\fP or \fI/dev/urandom\fP will update the
 entropy pool with the data written, but this will not result in a
 higher entropy count.
 This means that it will impact the contents
-read from both files, but it will not make reads from
+read from both files, but it will not make reads from a pre-5.6
 \fI/dev/random\fP faster.
 .SS Usage
 The
@@ -145,7 +150,7 @@ soon as it is reloaded in the boot sequence, and perfectly adequate for
 network encryption session keys.
 (All major Linux distributions have saved the seed file across reboots
 since 2000 at least.)
-Since reads from
+Since reads from a pre-5.6
 .I /dev/random
 may block, users will usually want to open it in nonblocking mode
 (or perform a read with timeout),
@@ -246,6 +251,7 @@ It contains the value 4096.
 .RE
 .TP
 .I read_wakeup_threshold
+Removed in Linux 5.6.
 This file
 contains the number of bits of entropy required for waking up processes
 that sleep waiting for entropy from
diff --git a/man7/random.7 b/man7/random.7
index 69e6c2403..e80a1328e 100644
--- a/man7/random.7
+++ b/man7/random.7
@@ -59,17 +59,16 @@ The kernel collects bits of entropy from the environment.
 When a sufficient number of random bits has been collected, the
 entropy pool is considered to be initialized.
 .SS Choice of random source
-Unless you are doing long-term key generation (and most likely not even
-then), you probably shouldn't be reading from the
+Unless your program may run at early-boot, before the entropy pool
+is initialized, there is no longer any palpable difference between
 .I /dev/random
-device or employing
-.BR getrandom (2)
-with the
-.B GRND_RANDOM
-flag.
-Instead, either read from the
+and
 .I /dev/urandom
-device or employ
+since Linux 5.6. (See the table below.)
+.PP.
+On older kernels, either read from the
+.I /dev/urandom
+device or (especially if you are concerned with early boot) employ
 .BR getrandom (2)
 without the
 .B GRND_RANDOM
@@ -77,18 +76,6 @@ flag.
 The cryptographic algorithms used for the
 .I urandom
 source are quite conservative, and so should be sufficient for all purposes.
-.PP
-The disadvantage of
-.B GRND_RANDOM
-and reads from
-.I /dev/random
-is that the operation can block for an indefinite period of time.
-Furthermore, dealing with the partially fulfilled
-requests that can occur when using
-.B GRND_RANDOM
-or when reading from
-.I /dev/random
-increases code complexity.
 .\"
 .SS Monte Carlo and other probabilistic sampling applications
 Using these interfaces to provide large quantities of data for
@@ -99,6 +86,13 @@ need cryptographically secure random numbers.
 Instead, use the interfaces described in this page to obtain
 a small amount of data to seed a user-space pseudorandom
 number generator for use by such applications.
+.PP
+.\" commit e192be9d9a30555aae2ca1dc3aad37cba484cd4a
+.\" commit 48446f198f9adcb499b30332488dfd5bc3f176f6
+Since Linux 4.8, the random interfaces are backed by a much faster
+NUMA-aware ChaCha20 CSPRNG.
+It is still discouraged to use the random interfaces for sampling,
+but if you do, the performance will be much better than before.
 .\"
 .SS Comparison between getrandom, /dev/urandom, and /dev/random
 The following table summarizes the behavior of the various
@@ -122,9 +116,9 @@ T}
 T{
 .I /dev/random
 T}	T{
-Blocking pool
+CSPRNG output
 T}	T{
-If entropy too low, blocks until there is enough entropy again
+Never blocks
 T}	T{
 Blocks until enough entropy gathered
 T}
@@ -149,17 +143,6 @@ Blocks until pool ready
 T}
 T{
 .BR getrandom ()
-.B GRND_RANDOM
-T}	T{
-Same as
-.I /dev/random
-T}	T{
-If entropy too low, blocks until there is enough entropy again
-T}	T{
-Blocks until pool ready
-T}
-T{
-.BR getrandom ()
 .B GRND_NONBLOCK
 T}	T{
 Same as
@@ -171,21 +154,45 @@ T}	T{
 T}
 T{
 .BR getrandom ()
-.B GRND_RANDOM
-+
-.B GRND_NONBLOCK
+.B GRND_INSECURE
 T}	T{
 Same as
-.I /dev/random
+.I /dev/urandom
 T}	T{
-.B EAGAIN
-if not enough entropy available
+Never blocks
 T}	T{
-.B EAGAIN
+Returns output from uninitialized CSPRNG (may be low entropy and unsuitable for cryptography)
 T}
 .TE
 .ad
 .\"
+.SS The old blocking pool
+The above table describes the behavior of the interfaces since
+Linux 5.6.  In older kernels, the
+.I /dev/random
+used a separate blocking pool, and
+.BR getrandom () 
+had a
+.B GRND_RANDOM
+flag for reading from the blocking pool.
+.\"
+.PP
+The older blocking pool was a vestige of a time when the CSPRNG
+was not trusted.
+It assumed that entropy can run out by reading the CSPRNG.
+This has never been the case.
+Instead, programs using 
+.B GRND_RANDOM
+and
+.I /dev/random
+had to deal with operations blocking indefinitely.
+Furthermore, dealing with the partially fulfilled
+requests that can occur when using
+.B GRND_RANDOM
+or when reading from
+.I /dev/random
+increases code complexity.
+.\"
 .SS Generating cryptographic keys
 The amount of seed material required to generate a cryptographic key
 equals the effective key size of the key.
-- 
2.40.0

Re: [PATCH] random.{4,7}, getrandom.2: Adapt to Linux 5.6 changes

[Alejandro Colomar]

[-- Attachment #1.1: Type: text/plain, Size: 11403 bytes --]

Hi Mingye,

On 5/29/23 10:50, Mingye Wang wrote:
> Hi Alex,
> 
> I am still struggling with getting my mail client to send through a
> proxy. The attached patch is the same as the bugzilla one, except that
> the commit message has been expanded.

Okay; no problem.

> From 343b2ad76dc6d78daa529405f2ec7f9a3e2e65bf Mon Sep 17 00:00:00 2001
> From: Mingye Wang <arthur200126@gmail.com>
> Date: Thu, 25 May 2023 20:21:08 +0800
> Subject: [PATCH] random.{4,7}, getrandom.2: Adapt to Linux 5.6 changes
> In-Reply-To: <bug-214885-11311-M5kG7tptAp@https.bugzilla.kernel.org/>
> X-Unsent: 1
> 
> Linux kernel 5.6 no longer has a blocking random pool.  This commit
> updates all relevant references to reflect this change.
> 
> * random.7: Remove references to the blocking pool in the table.  Add a
>   note about the blocking pool.
> * random.7: Revise "choice of random source" to remove any recommen-
>   dationof the blocking pool.  Stop suggesting that the blocking pool is
>   safer (it's not after initialization).
> * random.7: Add table entry for GRND_INSECURE.
> * random.7: Weaken performance recommendation following the Linux 4.8
>   CSPRNG speedup.

If some changes come from Linux 4.8, I prefer having two separate patches.

> * getrandom.2: Add flag entry for GRND_INSECURE.
> * getrandom.2: Add removal note to GRND_RANDOM.
> * random.4: Split DESCRIPTION paragraph on /dev/random into two, one
>   for the new behavior and the other for the old.
> * random.4: Adjust size limits and /proc list for 5.6.
> * random.4: Mention blocking resolution by high-precision timer entropy.
> 
> Changes not made:
> * random.4: USAGE section largely unchanged.  Old kernels will stick
>   around for a while.
> 
> Closes: https://bugzilla.kernel.org/show_bug.cgi?id=214885
> Signed-Off-By: Mingye Wang <arthur200126@gmail.com>
> ---
>  man2/getrandom.2 |  9 +++++
>  man4/random.4    | 30 +++++++++-------
>  man7/random.7    | 89 ++++++++++++++++++++++++++----------------------
>  3 files changed, 75 insertions(+), 53 deletions(-)
> 
> diff --git a/man2/getrandom.2 b/man2/getrandom.2
> index dbd23a0a6..fb2e948be 100644
> --- a/man2/getrandom.2
> +++ b/man2/getrandom.2
> @@ -64,6 +64,8 @@ argument is a bit mask that can contain zero or more of the following values
>  ORed together:
>  .TP
>  .B GRND_RANDOM
> +.\" commit 48446f198f9adcb499b30332488dfd5bc3f176f6
> +Ignored since Linux 5.6.
>  If this bit is set, then random bytes are drawn from the
>  .I random
>  source
> @@ -105,6 +107,13 @@ does not block in these cases, but instead immediately returns \-1 with
>  .I errno
>  set to
>  .BR EAGAIN .
> +.TP GRND_INSECURE
> +.\" commit 75551dbf112c992bc6c99a972990b3f272247e23
> +Added in Linux 5.6.
> +Request best-effort, non-cryptographic-quality random bytes.
> +If this bit is set, then
> +.BR getrandom ()
> +will never block or fail due to a lack of entropy.
>  .SH RETURN VALUE
>  On success,
>  .BR getrandom ()
> diff --git a/man4/random.4 b/man4/random.4
> index edd047b77..6ce9992fe 100644
> --- a/man4/random.4
> +++ b/man4/random.4
> @@ -58,16 +58,20 @@ If this is of concern in your application, use
>  .BR getrandom (2)
>  or \fI/dev/random\fP instead.
>  .PP
> -The \fI/dev/random\fP device is a legacy interface which dates back to
> -a time where the cryptographic primitives used in the implementation
> -of \fI/dev/urandom\fP were not widely trusted.
> -It will return random bytes only within the estimated number of
> -bits of fresh noise in the entropy pool, blocking if necessary.
> -\fI/dev/random\fP is suitable for applications that need
> +.\" commit 30c08efec8884fb106b8e57094baa51bb4c44e32
> +As of Linux 5.6, \fI/dev/random\fP is identical to \fI/dev/urandom\fP,
> +except that it blocks during early boot.

Just wondering:  how is this description of /dev/urandom different from
GRND_INSECURE?

>  A jitter-based seeding technique
> +added in Linux 5.4 should help to reduce block time. 
> +.\" commit 50ee7529ec4500c88f8664560770a7a1b65db72b
> +.PP
> +The pre-5.6 \fI/dev/random\fP device is a legacy interface which dates
> +back to a time where the cryptographic primitives used in the implementation
> +of \fI/dev/urandom\fP were not widely trusted. It would return random bytes

Please use semantic newlines.  See man-pages(7):
   Use semantic newlines
       In the source of a manual page, new sentences should be started
       on  new  lines,  long  sentences  should be split into lines at
       clause breaks (commas, semicolons, colons, and so on), and long
       clauses should be split at phrase boundaries.  This convention,
       sometimes known as "semantic newlines", makes it easier to  see
       the  effect of patches, which often operate at the level of in‐
       dividual sentences, clauses, or phrases.

> +only within the estimated number of bits of fresh noise in the entropy pool,
> +blocking until additional environmental noise is gathered.
> +This old \fI/dev/random\fP is suitable for applications that need
>  high quality randomness, and can afford indeterminate delays.
>  .PP
> -When the entropy pool is empty, reads from \fI/dev/random\fP will block
> -until additional environmental noise is gathered.
>  Since Linux 5.6, the
>  .B O_NONBLOCK
>  flag is ignored as
> @@ -116,15 +120,16 @@ A
>  .BR read (2)
>  from
>  .I /dev/random
> -will return at most 512 bytes
> +has the same maximum size since Linux 5.6. Between Linux 3.16 and 5.5,
> +the maximum size was 512 bytes. (340 bytes before Linux 2.6.12)
>  .\" SEC_XFER_SIZE in drivers/char/random.c
> -(340 bytes before Linux 2.6.12).
> +

Blank lines are wrong.

Cheers,
Alex

>  .PP
>  Writing to \fI/dev/random\fP or \fI/dev/urandom\fP will update the
>  entropy pool with the data written, but this will not result in a
>  higher entropy count.
>  This means that it will impact the contents
> -read from both files, but it will not make reads from
> +read from both files, but it will not make reads from a pre-5.6
>  \fI/dev/random\fP faster.
>  .SS Usage
>  The
> @@ -145,7 +150,7 @@ soon as it is reloaded in the boot sequence, and perfectly adequate for
>  network encryption session keys.
>  (All major Linux distributions have saved the seed file across reboots
>  since 2000 at least.)
> -Since reads from
> +Since reads from a pre-5.6
>  .I /dev/random
>  may block, users will usually want to open it in nonblocking mode
>  (or perform a read with timeout),
> @@ -246,6 +251,7 @@ It contains the value 4096.
>  .RE
>  .TP
>  .I read_wakeup_threshold
> +Removed in Linux 5.6.
>  This file
>  contains the number of bits of entropy required for waking up processes
>  that sleep waiting for entropy from
> diff --git a/man7/random.7 b/man7/random.7
> index 69e6c2403..e80a1328e 100644
> --- a/man7/random.7
> +++ b/man7/random.7
> @@ -59,17 +59,16 @@ The kernel collects bits of entropy from the environment.
>  When a sufficient number of random bits has been collected, the
>  entropy pool is considered to be initialized.
>  .SS Choice of random source
> -Unless you are doing long-term key generation (and most likely not even
> -then), you probably shouldn't be reading from the
> +Unless your program may run at early-boot, before the entropy pool
> +is initialized, there is no longer any palpable difference between
>  .I /dev/random
> -device or employing
> -.BR getrandom (2)
> -with the
> -.B GRND_RANDOM
> -flag.
> -Instead, either read from the
> +and
>  .I /dev/urandom
> -device or employ
> +since Linux 5.6. (See the table below.)
> +.PP.
> +On older kernels, either read from the
> +.I /dev/urandom
> +device or (especially if you are concerned with early boot) employ
>  .BR getrandom (2)
>  without the
>  .B GRND_RANDOM
> @@ -77,18 +76,6 @@ flag.
>  The cryptographic algorithms used for the
>  .I urandom
>  source are quite conservative, and so should be sufficient for all purposes.
> -.PP
> -The disadvantage of
> -.B GRND_RANDOM
> -and reads from
> -.I /dev/random
> -is that the operation can block for an indefinite period of time.
> -Furthermore, dealing with the partially fulfilled
> -requests that can occur when using
> -.B GRND_RANDOM
> -or when reading from
> -.I /dev/random
> -increases code complexity.
>  .\"
>  .SS Monte Carlo and other probabilistic sampling applications
>  Using these interfaces to provide large quantities of data for
> @@ -99,6 +86,13 @@ need cryptographically secure random numbers.
>  Instead, use the interfaces described in this page to obtain
>  a small amount of data to seed a user-space pseudorandom
>  number generator for use by such applications.
> +.PP
> +.\" commit e192be9d9a30555aae2ca1dc3aad37cba484cd4a
> +.\" commit 48446f198f9adcb499b30332488dfd5bc3f176f6
> +Since Linux 4.8, the random interfaces are backed by a much faster
> +NUMA-aware ChaCha20 CSPRNG.
> +It is still discouraged to use the random interfaces for sampling,
> +but if you do, the performance will be much better than before.
>  .\"
>  .SS Comparison between getrandom, /dev/urandom, and /dev/random
>  The following table summarizes the behavior of the various
> @@ -122,9 +116,9 @@ T}
>  T{
>  .I /dev/random
>  T}	T{
> -Blocking pool
> +CSPRNG output
>  T}	T{
> -If entropy too low, blocks until there is enough entropy again
> +Never blocks
>  T}	T{
>  Blocks until enough entropy gathered
>  T}
> @@ -149,17 +143,6 @@ Blocks until pool ready
>  T}
>  T{
>  .BR getrandom ()
> -.B GRND_RANDOM
> -T}	T{
> -Same as
> -.I /dev/random
> -T}	T{
> -If entropy too low, blocks until there is enough entropy again
> -T}	T{
> -Blocks until pool ready
> -T}
> -T{
> -.BR getrandom ()
>  .B GRND_NONBLOCK
>  T}	T{
>  Same as
> @@ -171,21 +154,45 @@ T}	T{
>  T}
>  T{
>  .BR getrandom ()
> -.B GRND_RANDOM
> -+
> -.B GRND_NONBLOCK
> +.B GRND_INSECURE
>  T}	T{
>  Same as
> -.I /dev/random
> +.I /dev/urandom
>  T}	T{
> -.B EAGAIN
> -if not enough entropy available
> +Never blocks
>  T}	T{
> -.B EAGAIN
> +Returns output from uninitialized CSPRNG (may be low entropy and unsuitable for cryptography)
>  T}
>  .TE
>  .ad
>  .\"
> +.SS The old blocking pool
> +The above table describes the behavior of the interfaces since
> +Linux 5.6.  In older kernels, the
> +.I /dev/random
> +used a separate blocking pool, and
> +.BR getrandom () 
> +had a
> +.B GRND_RANDOM
> +flag for reading from the blocking pool.
> +.\"
> +.PP
> +The older blocking pool was a vestige of a time when the CSPRNG
> +was not trusted.
> +It assumed that entropy can run out by reading the CSPRNG.
> +This has never been the case.
> +Instead, programs using 
> +.B GRND_RANDOM
> +and
> +.I /dev/random
> +had to deal with operations blocking indefinitely.
> +Furthermore, dealing with the partially fulfilled
> +requests that can occur when using
> +.B GRND_RANDOM
> +or when reading from
> +.I /dev/random
> +increases code complexity.
> +.\"
>  .SS Generating cryptographic keys
>  The amount of seed material required to generate a cryptographic key
>  equals the effective key size of the key.
> -- 
> 2.40.0


-- 
<http://www.alejandro-colomar.es/>
GPG key fingerprint: A9348594CE31283A826FBDD8D57633D441E25BB5

[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

Re: [PATCH] random.{4,7}, getrandom.2: Adapt to Linux 5.6 changes

[Mingye Wang]

Hi Alex,

On Thu, Jun 1, 2023 at 6:20 AM Alejandro Colomar <alx.manpages@gmail.com> wrote:
> If some changes come from Linux 4.8, I prefer having two separate patches.

Will do.

> Just wondering:  how is this description of /dev/urandom different from
> GRND_INSECURE?

It isn't! I reckon that they added the flag to give device file parity.

> Blank lines are wrong.

Will fix.

Thanks,
Mingye

Re: [PATCH] random.{4,7}, getrandom.2: Adapt to Linux 5.6 changes

[Mingye Wang]

[-- Attachment #1: Type: text/plain, Size: 84 bytes --]

Hi Alex,

attached are two patches split and revised as requested.

Regards,
Mingye

[-- Attachment #2: 0002-random.7-weaken-performance-recommendation-for-4.8.patch --]
[-- Type: application/octet-stream, Size: 1123 bytes --]

From 2ac4bc3606b4062823e766528a87800e6f5f3b65 Mon Sep 17 00:00:00 2001
From: Mingye Wang <arthur200126@gmail.com>
Date: Mon, 5 Jun 2023 11:13:07 +0800
Subject: [PATCH 2/2] random.7: weaken performance recommendation for 4.8

---
 man7/random.7 | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/man7/random.7 b/man7/random.7
index 23aecf2a2..d1abc0c91 100644
--- a/man7/random.7
+++ b/man7/random.7
@@ -86,6 +86,13 @@ need cryptographically secure random numbers.
 Instead, use the interfaces described in this page to obtain
 a small amount of data to seed a user-space pseudorandom
 number generator for use by such applications.
+.PP
+.\" commit e192be9d9a30555aae2ca1dc3aad37cba484cd4a
+.\" commit 48446f198f9adcb499b30332488dfd5bc3f176f6
+Since Linux 4.8, the random interfaces are backed by a much faster
+NUMA-aware ChaCha20 CSPRNG.
+It is still discouraged to use the random interfaces for sampling,
+but if you do, the performance will be much better than before.
 .\"
 .SS Comparison between getrandom, /dev/urandom, and /dev/random
 The following table summarizes the behavior of the various
-- 
2.40.0


[-- Attachment #3: 0001-random.-4-7-getrandom.2-Adapt-to-Linux-5.6-changes.patch --]
[-- Type: application/octet-stream, Size: 8475 bytes --]

From 582732e6e583decc20bf003688386c0e0036f4ab Mon Sep 17 00:00:00 2001
From: Mingye Wang <arthur200126@gmail.com>
Date: Mon, 5 Jun 2023 11:10:12 +0800
Subject: [PATCH 1/2] random.{4,7}, getrandom.2: Adapt to Linux 5.6 changes
 In-Reply-To: <bug-214885-11311-M5kG7tptAp@https.bugzilla.kernel.org/>

Linux kernel 5.6 no longer has a blocking random pool.  This commit
updates all relevant references to reflect this change.

* random.7: Remove references to the blocking pool in the table.  Add a
  note about the blocking pool.
* random.7: Revise "choice of random source" to remove any recommen-
  dationof the blocking pool.  Stop suggesting that the blocking pool is
  safer (it's not after initialization).
* random.7: Add table entry for GRND_INSECURE.
* getrandom.2: Add flag entry for GRND_INSECURE.
* getrandom.2: Add removal note to GRND_RANDOM.
* random.4: Split DESCRIPTION paragraph on /dev/random into two, one
  for the new behavior and the other for the old.
* random.4: Adjust size limits and /proc list for 5.6.
* random.4: Mention blocking resolution by high-precision timer entropy.

Closes: https://bugzilla.kernel.org/show_bug.cgi?id=214885
Signed-Off-By: Mingye Wang <arthur200126@gmail.com>
---
 man2/getrandom.2 |  9 ++++++
 man4/random.4    | 30 +++++++++++-------
 man7/random.7    | 82 ++++++++++++++++++++++++------------------------
 3 files changed, 68 insertions(+), 53 deletions(-)

diff --git a/man2/getrandom.2 b/man2/getrandom.2
index dbd23a0a6..fb2e948be 100644
--- a/man2/getrandom.2
+++ b/man2/getrandom.2
@@ -64,6 +64,8 @@ argument is a bit mask that can contain zero or more of the following values
 ORed together:
 .TP
 .B GRND_RANDOM
+.\" commit 48446f198f9adcb499b30332488dfd5bc3f176f6
+Ignored since Linux 5.6.
 If this bit is set, then random bytes are drawn from the
 .I random
 source
@@ -105,6 +107,13 @@ does not block in these cases, but instead immediately returns \-1 with
 .I errno
 set to
 .BR EAGAIN .
+.TP GRND_INSECURE
+.\" commit 75551dbf112c992bc6c99a972990b3f272247e23
+Added in Linux 5.6.
+Request best-effort, non-cryptographic-quality random bytes.
+If this bit is set, then
+.BR getrandom ()
+will never block or fail due to a lack of entropy.
 .SH RETURN VALUE
 On success,
 .BR getrandom ()
diff --git a/man4/random.4 b/man4/random.4
index edd047b77..8e5b7152b 100644
--- a/man4/random.4
+++ b/man4/random.4
@@ -58,16 +58,21 @@ If this is of concern in your application, use
 .BR getrandom (2)
 or \fI/dev/random\fP instead.
 .PP
-The \fI/dev/random\fP device is a legacy interface which dates back to
-a time where the cryptographic primitives used in the implementation
-of \fI/dev/urandom\fP were not widely trusted.
-It will return random bytes only within the estimated number of
-bits of fresh noise in the entropy pool, blocking if necessary.
-\fI/dev/random\fP is suitable for applications that need
+.\" commit 30c08efec8884fb106b8e57094baa51bb4c44e32
+As of Linux 5.6, \fI/dev/random\fP is identical to \fI/dev/urandom\fP,
+except that it blocks during early boot.
+A jitter-based seeding technique added in Linux 5.4 should help reduce
+block time. 
+.\" commit 50ee7529ec4500c88f8664560770a7a1b65db72b
+.PP
+The pre-5.6 \fI/dev/random\fP device is a legacy interface which dates
+back to a time where the cryptographic primitives used in the implementation
+of \fI/dev/urandom\fP were not widely trusted. It would return random bytes
+only within the estimated number of bits of fresh noise in the entropy pool,
+blocking until additional environmental noise is gathered.
+This old \fI/dev/random\fP is suitable for applications that need
 high quality randomness, and can afford indeterminate delays.
 .PP
-When the entropy pool is empty, reads from \fI/dev/random\fP will block
-until additional environmental noise is gathered.
 Since Linux 5.6, the
 .B O_NONBLOCK
 flag is ignored as
@@ -116,15 +121,15 @@ A
 .BR read (2)
 from
 .I /dev/random
-will return at most 512 bytes
+has the same maximum size since Linux 5.6. Between Linux 3.16 and 5.5,
+the maximum size was 512 bytes. (340 bytes before Linux 2.6.12)
 .\" SEC_XFER_SIZE in drivers/char/random.c
-(340 bytes before Linux 2.6.12).
 .PP
 Writing to \fI/dev/random\fP or \fI/dev/urandom\fP will update the
 entropy pool with the data written, but this will not result in a
 higher entropy count.
 This means that it will impact the contents
-read from both files, but it will not make reads from
+read from both files, but it will not make reads from a pre-5.6
 \fI/dev/random\fP faster.
 .SS Usage
 The
@@ -145,7 +150,7 @@ soon as it is reloaded in the boot sequence, and perfectly adequate for
 network encryption session keys.
 (All major Linux distributions have saved the seed file across reboots
 since 2000 at least.)
-Since reads from
+Since reads from a pre-5.6
 .I /dev/random
 may block, users will usually want to open it in nonblocking mode
 (or perform a read with timeout),
@@ -246,6 +251,7 @@ It contains the value 4096.
 .RE
 .TP
 .I read_wakeup_threshold
+Removed in Linux 5.6.
 This file
 contains the number of bits of entropy required for waking up processes
 that sleep waiting for entropy from
diff --git a/man7/random.7 b/man7/random.7
index 69e6c2403..23aecf2a2 100644
--- a/man7/random.7
+++ b/man7/random.7
@@ -59,17 +59,16 @@ The kernel collects bits of entropy from the environment.
 When a sufficient number of random bits has been collected, the
 entropy pool is considered to be initialized.
 .SS Choice of random source
-Unless you are doing long-term key generation (and most likely not even
-then), you probably shouldn't be reading from the
+Unless your program may run at early-boot, before the entropy pool
+is initialized, there is no longer any palpable difference between
 .I /dev/random
-device or employing
-.BR getrandom (2)
-with the
-.B GRND_RANDOM
-flag.
-Instead, either read from the
+and
 .I /dev/urandom
-device or employ
+since Linux 5.6. (See the table below.)
+.PP.
+On older kernels, either read from the
+.I /dev/urandom
+device or (especially if you are concerned with early boot) employ
 .BR getrandom (2)
 without the
 .B GRND_RANDOM
@@ -77,18 +76,6 @@ flag.
 The cryptographic algorithms used for the
 .I urandom
 source are quite conservative, and so should be sufficient for all purposes.
-.PP
-The disadvantage of
-.B GRND_RANDOM
-and reads from
-.I /dev/random
-is that the operation can block for an indefinite period of time.
-Furthermore, dealing with the partially fulfilled
-requests that can occur when using
-.B GRND_RANDOM
-or when reading from
-.I /dev/random
-increases code complexity.
 .\"
 .SS Monte Carlo and other probabilistic sampling applications
 Using these interfaces to provide large quantities of data for
@@ -122,9 +109,9 @@ T}
 T{
 .I /dev/random
 T}	T{
-Blocking pool
+CSPRNG output
 T}	T{
-If entropy too low, blocks until there is enough entropy again
+Never blocks
 T}	T{
 Blocks until enough entropy gathered
 T}
@@ -149,17 +136,6 @@ Blocks until pool ready
 T}
 T{
 .BR getrandom ()
-.B GRND_RANDOM
-T}	T{
-Same as
-.I /dev/random
-T}	T{
-If entropy too low, blocks until there is enough entropy again
-T}	T{
-Blocks until pool ready
-T}
-T{
-.BR getrandom ()
 .B GRND_NONBLOCK
 T}	T{
 Same as
@@ -171,21 +147,45 @@ T}	T{
 T}
 T{
 .BR getrandom ()
-.B GRND_RANDOM
-+
-.B GRND_NONBLOCK
+.B GRND_INSECURE
 T}	T{
 Same as
-.I /dev/random
+.I /dev/urandom
 T}	T{
-.B EAGAIN
-if not enough entropy available
+Never blocks
 T}	T{
-.B EAGAIN
+Returns output from uninitialized CSPRNG (may be low entropy and unsuitable for cryptography)
 T}
 .TE
 .ad
 .\"
+.SS The old blocking pool
+The above table describes the behavior of the interfaces since
+Linux 5.6.  In older kernels, the
+.I /dev/random
+used a separate blocking pool, and
+.BR getrandom ()
+had a
+.B GRND_RANDOM
+flag for reading from the blocking pool.
+.\"
+.PP
+The older blocking pool was a vestige of a time when the CSPRNG
+was not trusted.
+It assumed that entropy can run out by reading the CSPRNG.
+This has never been the case.
+Instead, programs using
+.B GRND_RANDOM
+and
+.I /dev/random
+had to deal with operations blocking indefinitely.
+Furthermore, dealing with the partially fulfilled
+requests that can occur when using
+.B GRND_RANDOM
+or when reading from
+.I /dev/random
+increases code complexity.
+.\"
 .SS Generating cryptographic keys
 The amount of seed material required to generate a cryptographic key
 equals the effective key size of the key.
-- 
2.40.0

Re: [PATCH] random.{4,7}, getrandom.2: Adapt to Linux 5.6 changes

[Alejandro Colomar]

[-- Attachment #1.1: Type: text/plain, Size: 10113 bytes --]

On 6/5/23 05:13, Mingye Wang wrote:
> Hi Alex,
> 
> attached are two patches split and revised as requested.
> 
> Regards,
> Mingye

Hi!  Here go some comments for one of the patches:

> Author: Mingye Wang <arthur200126@gmail.com>
> Date:   Mon Jun 5 11:10:12 2023 +0800
> 
>     random.{4,7}, getrandom.2: Adapt to Linux 5.6 changes In-Reply-To: <bug-214885-11311-M5kG7tptAp@https.bugzilla.kernel.org/>
>     
>     Linux kernel 5.6 no longer has a blocking random pool.  This commit
>     updates all relevant references to reflect this change.
>     
>     * random.7: Remove references to the blocking pool in the table.  Add a
>       note about the blocking pool.
>     * random.7: Revise "choice of random source" to remove any recommen-

Don't hyphenate words here.

>       dationof the blocking pool.  Stop suggesting that the blocking pool is
>       safer (it's not after initialization).
>     * random.7: Add table entry for GRND_INSECURE.
>     * getrandom.2: Add flag entry for GRND_INSECURE.
>     * getrandom.2: Add removal note to GRND_RANDOM.
>     * random.4: Split DESCRIPTION paragraph on /dev/random into two, one
>       for the new behavior and the other for the old.
>     * random.4: Adjust size limits and /proc list for 5.6.
>     * random.4: Mention blocking resolution by high-precision timer entropy.
>     
>     Closes: https://bugzilla.kernel.org/show_bug.cgi?id=214885
>     Signed-Off-By: Mingye Wang <arthur200126@gmail.com>
> 
> diff --git a/man2/getrandom.2 b/man2/getrandom.2
> index dbd23a0a6..fb2e948be 100644
> --- a/man2/getrandom.2
> +++ b/man2/getrandom.2
> @@ -64,6 +64,8 @@ .SH DESCRIPTION
>  ORed together:
>  .TP
>  .B GRND_RANDOM
> +.\" commit 48446f198f9adcb499b30332488dfd5bc3f176f6
> +Ignored since Linux 5.6.
>  If this bit is set, then random bytes are drawn from the
>  .I random
>  source
> @@ -105,6 +107,13 @@ .SH DESCRIPTION
>  .I errno
>  set to
>  .BR EAGAIN .
> +.TP GRND_INSECURE
> +.\" commit 75551dbf112c992bc6c99a972990b3f272247e23
> +Added in Linux 5.6.
> +Request best-effort, non-cryptographic-quality random bytes.
> +If this bit is set, then
> +.BR getrandom ()
> +will never block or fail due to a lack of entropy.
>  .SH RETURN VALUE
>  On success,
>  .BR getrandom ()
> diff --git a/man4/random.4 b/man4/random.4
> index edd047b77..8e5b7152b 100644
> --- a/man4/random.4
> +++ b/man4/random.4
> @@ -58,16 +58,21 @@ .SH DESCRIPTION
>  .BR getrandom (2)
>  or \fI/dev/random\fP instead.
>  .PP
> -The \fI/dev/random\fP device is a legacy interface which dates back to
> -a time where the cryptographic primitives used in the implementation
> -of \fI/dev/urandom\fP were not widely trusted.
> -It will return random bytes only within the estimated number of
> -bits of fresh noise in the entropy pool, blocking if necessary.
> -\fI/dev/random\fP is suitable for applications that need
> +.\" commit 30c08efec8884fb106b8e57094baa51bb4c44e32
> +As of Linux 5.6, \fI/dev/random\fP is identical to \fI/dev/urandom\fP,
> +except that it blocks during early boot.
> +A jitter-based seeding technique added in Linux 5.4 should help reduce
> +block time. 

Please use semantic newlines.  See man-pages(7):

    Use semantic newlines
        In  the  source of a manual page, new sentences should be
        started on new lines, long sentences should be split into
        lines at clause breaks (commas, semicolons,  colons,  and
        so on), and long clauses should be split at phrase bound‐
        aries.   This  convention,  sometimes  known as "semantic
        newlines", makes it easier to see the effect of  patches,
        which often operate at the level of individual sentences,
        clauses, or phrases.

> +.\" commit 50ee7529ec4500c88f8664560770a7a1b65db72b
> +.PP
> +The pre-5.6 \fI/dev/random\fP device is a legacy interface which dates
> +back to a time where the cryptographic primitives used in the implementation
> +of \fI/dev/urandom\fP were not widely trusted. It would return random bytes
> +only within the estimated number of bits of fresh noise in the entropy pool,
> +blocking until additional environmental noise is gathered.
> +This old \fI/dev/random\fP is suitable for applications that need
>  high quality randomness, and can afford indeterminate delays.
>  .PP
> -When the entropy pool is empty, reads from \fI/dev/random\fP will block
> -until additional environmental noise is gathered.
>  Since Linux 5.6, the
>  .B O_NONBLOCK
>  flag is ignored as
> @@ -116,15 +121,15 @@ .SH DESCRIPTION
>  .BR read (2)
>  from
>  .I /dev/random
> -will return at most 512 bytes
> +has the same maximum size since Linux 5.6. Between Linux 3.16 and 5.5,
> +the maximum size was 512 bytes. (340 bytes before Linux 2.6.12)
>  .\" SEC_XFER_SIZE in drivers/char/random.c
> -(340 bytes before Linux 2.6.12).
>  .PP
>  Writing to \fI/dev/random\fP or \fI/dev/urandom\fP will update the
>  entropy pool with the data written, but this will not result in a
>  higher entropy count.
>  This means that it will impact the contents
> -read from both files, but it will not make reads from
> +read from both files, but it will not make reads from a pre-5.6

To make it easier to grep, prefix verions with the software name (this
is done consistently in the pages).  So something like 'pre-Linux 5.6' 
would work.

Thanks,
Alex

>  \fI/dev/random\fP faster.
>  .SS Usage
>  The
> @@ -145,7 +150,7 @@ .SS Usage
>  network encryption session keys.
>  (All major Linux distributions have saved the seed file across reboots
>  since 2000 at least.)
> -Since reads from
> +Since reads from a pre-5.6
>  .I /dev/random
>  may block, users will usually want to open it in nonblocking mode
>  (or perform a read with timeout),
> @@ -246,6 +251,7 @@ .SS /proc interfaces
>  .RE
>  .TP
>  .I read_wakeup_threshold
> +Removed in Linux 5.6.
>  This file
>  contains the number of bits of entropy required for waking up processes
>  that sleep waiting for entropy from
> diff --git a/man7/random.7 b/man7/random.7
> index 69e6c2403..23aecf2a2 100644
> --- a/man7/random.7
> +++ b/man7/random.7
> @@ -59,17 +59,16 @@ .SS Initialization of the entropy pool
>  When a sufficient number of random bits has been collected, the
>  entropy pool is considered to be initialized.
>  .SS Choice of random source
> -Unless you are doing long-term key generation (and most likely not even
> -then), you probably shouldn't be reading from the
> +Unless your program may run at early-boot, before the entropy pool
> +is initialized, there is no longer any palpable difference between
>  .I /dev/random
> -device or employing
> -.BR getrandom (2)
> -with the
> -.B GRND_RANDOM
> -flag.
> -Instead, either read from the
> +and
>  .I /dev/urandom
> -device or employ
> +since Linux 5.6. (See the table below.)
> +.PP.
> +On older kernels, either read from the
> +.I /dev/urandom
> +device or (especially if you are concerned with early boot) employ
>  .BR getrandom (2)
>  without the
>  .B GRND_RANDOM
> @@ -77,18 +76,6 @@ .SS Choice of random source
>  The cryptographic algorithms used for the
>  .I urandom
>  source are quite conservative, and so should be sufficient for all purposes.
> -.PP
> -The disadvantage of
> -.B GRND_RANDOM
> -and reads from
> -.I /dev/random
> -is that the operation can block for an indefinite period of time.
> -Furthermore, dealing with the partially fulfilled
> -requests that can occur when using
> -.B GRND_RANDOM
> -or when reading from
> -.I /dev/random
> -increases code complexity.
>  .\"
>  .SS Monte Carlo and other probabilistic sampling applications
>  Using these interfaces to provide large quantities of data for
> @@ -122,9 +109,9 @@ .SS Comparison between getrandom, /dev/urandom, and /dev/random
>  T{
>  .I /dev/random
>  T}     T{
> -Blocking pool
> +CSPRNG output
>  T}     T{
> -If entropy too low, blocks until there is enough entropy again
> +Never blocks
>  T}     T{
>  Blocks until enough entropy gathered
>  T}
> @@ -149,17 +136,6 @@ .SS Comparison between getrandom, /dev/urandom, and /dev/random
>  T}
>  T{
>  .BR getrandom ()
> -.B GRND_RANDOM
> -T}     T{
> -Same as
> -.I /dev/random
> -T}     T{
> -If entropy too low, blocks until there is enough entropy again
> -T}     T{
> -Blocks until pool ready
> -T}
> -T{
> -.BR getrandom ()
>  .B GRND_NONBLOCK
>  T}     T{
>  Same as
> @@ -171,21 +147,45 @@ .SS Comparison between getrandom, /dev/urandom, and /dev/random
>  T}
>  T{
>  .BR getrandom ()
> -.B GRND_RANDOM
> -+
> -.B GRND_NONBLOCK
> +.B GRND_INSECURE
>  T}     T{
>  Same as
> -.I /dev/random
> +.I /dev/urandom
>  T}     T{
> -.B EAGAIN
> -if not enough entropy available
> +Never blocks
>  T}     T{
> -.B EAGAIN
> +Returns output from uninitialized CSPRNG (may be low entropy and unsuitable for cryptography)
>  T}
>  .TE
>  .ad
>  .\"
> +.SS The old blocking pool
> +The above table describes the behavior of the interfaces since
> +Linux 5.6.  In older kernels, the
> +.I /dev/random
> +used a separate blocking pool, and
> +.BR getrandom ()
> +had a
> +.B GRND_RANDOM
> +flag for reading from the blocking pool.
> +.\"
> +.PP
> +The older blocking pool was a vestige of a time when the CSPRNG
> +was not trusted.
> +It assumed that entropy can run out by reading the CSPRNG.
> +This has never been the case.
> +Instead, programs using
> +.B GRND_RANDOM
> +and
> +.I /dev/random
> +had to deal with operations blocking indefinitely.
> +Furthermore, dealing with the partially fulfilled
> +requests that can occur when using
> +.B GRND_RANDOM
> +or when reading from
> +.I /dev/random
> +increases code complexity.
> +.\"
>  .SS Generating cryptographic keys
>  The amount of seed material required to generate a cryptographic key
>  equals the effective key size of the key.


-- 
<http://www.alejandro-colomar.es/>
GPG key fingerprint: A9348594CE31283A826FBDD8D57633D441E25BB5


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

[Bug 214885] random.{4,7} [man-pages 5.13] do not reflect changes to /dev/random semantics since kernel 5.6

[bugzilla-daemon]

https://bugzilla.kernel.org/show_bug.cgi?id=214885

Mingye Wang (arthur200126@gmail.com) changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
 Attachment #304322|0                           |1
        is obsolete|                            |

--- Comment #3 from Mingye Wang (arthur200126@gmail.com) ---
Created attachment 306038
  --> https://bugzilla.kernel.org/attachment.cgi?id=306038&action=edit
Patch set as of 2024-03-25

I am not functioning well enough to do man pages right now. The attached
tarball contains the current progress of my tree. It contains three patches
suitable for the current HEAD at c6a68aef7334f32ffffb74050702b8b53b064f37:

* The first is basically #304322, which changes a bunch of things. It's been
e-mailed, but I honestly don't recall whether I've done the requested changes.
* The second is a small change. It has also been emailed, and I also don't know
if the formatting issues have been fixed.
* The third is new. It addresses a pool size change and a
write_wakeup_threshold obsoletion. It could have addressed the obsolete
"urandom_min_reseed_secs" too, but I don't want to hunt down when it appeared
and when it stopped working.

-- 
You may reply to this email to add a comment.

You are receiving this mail because:
You are watching the assignee of the bug.

[Bug 214885] random.{4,7} [man-pages 5.13] do not reflect changes to /dev/random semantics since kernel 5.6

[bugzilla-daemon]

https://bugzilla.kernel.org/show_bug.cgi?id=214885

--- Comment #4 from Alejandro Colomar (alx@kernel.org) ---
Hi Mingye,

On Mon, Mar 25, 2024 at 12:44:08PM +0000, bugzilla-daemon@kernel.org wrote:
> https://bugzilla.kernel.org/show_bug.cgi?id=214885
> 
> Mingye Wang (arthur200126@gmail.com) changed:
> 
>            What    |Removed                     |Added
> ----------------------------------------------------------------------------
>  Attachment #304322|0                           |1
>         is obsolete|                            |
> 
> --- Comment #3 from Mingye Wang (arthur200126@gmail.com) ---
> Created attachment 306038
>   --> https://bugzilla.kernel.org/attachment.cgi?id=306038&action=edit
> Patch set as of 2024-03-25
> 
> I am not functioning well enough to do man pages right now. The attached
> tarball contains the current progress of my tree. It contains three patches
> suitable for the current HEAD at c6a68aef7334f32ffffb74050702b8b53b064f37:
> 
> * The first is basically #304322, which changes a bunch of things. It's been
> e-mailed, but I honestly don't recall whether I've done the requested
> changes.
> * The second is a small change. It has also been emailed, and I also don't
> know
> if the formatting issues have been fixed.
> * The third is new. It addresses a pool size change and a
> write_wakeup_threshold obsoletion. It could have addressed the obsolete
> "urandom_min_reseed_secs" too, but I don't want to hunt down when it appeared
> and when it stopped working.

Thanks!  I don't take patches from bugzilla.  Would you mind sending the
patches following  the instructions in
<https://git.kernel.org/pub/scm/docs/man-pages/man-pages.git/tree/CONTRIBUTING>?

Have a lovely day!
Alex

-- 
You may reply to this email to add a comment.

You are receiving this mail because:
You are watching the assignee of the bug.