linux-crypto.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: "Jason A. Donenfeld" <Jason@zx2c4.com>
To: Simo Sorce <simo@redhat.com>
Cc: linux-kernel@vger.kernel.org, linux-crypto@vger.kernel.org,
	Dominik Brodowski <linux@dominikbrodowski.net>,
	Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	Theodore Ts'o <tytso@mit.edu>, Alexander Graf <graf@amazon.com>,
	Colm MacCarthaigh <colmmacc@amazon.com>,
	Torben Hansen <htorben@amazon.co.uk>,
	Jann Horn <jannh@google.com>
Subject: Re: [PATCH 2/2] random: add fork_event sysctl for polling VM forks
Date: Wed, 11 May 2022 15:19:32 +0200	[thread overview]
Message-ID: <Ynu35I4KMW7gMZW3@zx2c4.com> (raw)
In-Reply-To: <f6a4a5ccb126053534bebe4b070fc1384839e919.camel@redhat.com>

Hi Simo,

On Wed, May 11, 2022 at 08:59:07AM -0400, Simo Sorce wrote:
> Hi Jason,
> 
> On Wed, 2022-05-11 at 03:18 +0200, Jason A. Donenfeld wrote:
> > My proposal here is made with nonce reuse in mind, for things like
> > session keys that use sequential nonces.
> 
> Although this makes sense the problem is that changing applications to
> do the right thing based on which situation they are in will never be
> done right or soon enough. So I would focus on a solution that makes
> the CSPRNGs in crypto libraries safe.

Please don't dismiss this. I realize you have your one single use case
in mind, but there are others, and the distinction you gave for why we
should dismiss the others to focus on yours doesn't really make any
sense. Here's why:

In my email I pointed out two places where VM forks impact crypto in bad
ways:

- Session keys, wrt nonce reuse.

- Random nonces, wrt nonce reuse.

There are other problems that arise from VM forks too. But these stand
out because they are both quite catastrophic, whether it's duplicated
ECDSA random nonces, or whether it's the same session key used with the
same sequential counter to encrypt different plaintexts with something
like AES-GCM or ChaCha20Poly1305. These are both very, very bad things.

And both things happen in:

- Libraries: crypto lib random number generators (e.g. OpenSSL), crypto
  lib session keys (e.g. any TLS library).

- Applications: application level random number generators (e.g.
  Bitcoin Core *facepalm*), application level session keys (e.g.
  OpenSSH).

So I don't think the "library vs application" distinction is really
meaningful here. Rather, things kind of fall apart all over the place
for a variety of reasons on VM fork.

> > - https://lore.kernel.org/lkml/YnA5CUJKvqmXJxf2@zx2c4.com/
> > - https://lore.kernel.org/lkml/Yh4+9+UpanJWAIyZ@zx2c4.com/
> > - https://lore.kernel.org/lkml/CAHmME9qHGSF8w3DoyCP+ud_N0MAJ5_8zsUWx=rxQB1mFnGcu9w@mail.gmail.com/
> 
> 4c does sound like a decent solution, it is semantically identical to

It does, yeah, but realistically it's never going to happen. I don't
think there's a near- or medium-term chance of changing hypervisor
semantics again. That means for 4-like solutions, there's 4a and 4b.

By the way, that email of mine has inaccuracy in it. I complain about
being in irq context, but it turns out not to be the case; we're inside
of a kthread during the notification, which means we have a lot more
options on what we can do.

If 4 is the solution that appeals to you most, do you want to try your
hand at a RFC patch for it? I don't yet know if that's the best
direction to take, but the devil is kind of in the details, so it might
be interesting to see how it pans out.

Jason

  parent reply	other threads:[~2022-05-11 13:19 UTC|newest]

Thread overview: 40+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2022-05-02 14:06 [PATCH 1/2] sysctl: read() must consume poll events, not poll() Jason A. Donenfeld
2022-05-02 14:06 ` [PATCH 2/2] random: add fork_event sysctl for polling VM forks Jason A. Donenfeld
2022-05-02 15:40   ` Lennart Poettering
2022-05-02 16:12     ` Jason A. Donenfeld
2022-05-02 16:51       ` Lennart Poettering
2022-05-02 17:59         ` Alexander Graf
2022-05-02 18:29           ` Jason A. Donenfeld
2022-05-02 18:57             ` Alexander Graf
2022-05-02 20:03               ` Jason A. Donenfeld
2022-05-03  8:29           ` Lennart Poettering
2022-05-03 11:55             ` Jason A. Donenfeld
2022-05-03 12:33               ` Lennart Poettering
2022-05-02 18:04         ` Jason A. Donenfeld
2022-05-02 18:34           ` Alexander Graf
2022-05-02 18:46             ` Jason A. Donenfeld
2022-05-02 18:56               ` Alexander Graf
2022-05-02 19:27                 ` Jason A. Donenfeld
2022-05-02 19:41                   ` Alexander Graf
2022-05-04 15:45             ` Michael Kelley (LINUX)
2022-05-02 18:44           ` Jason A. Donenfeld
2022-05-03  7:42           ` Lennart Poettering
2022-05-03  9:08             ` Jason A. Donenfeld
2022-05-03  9:32               ` Lennart Poettering
2022-05-03 10:07                 ` Jason A. Donenfeld
2022-05-03 12:42                   ` Lennart Poettering
2022-05-11  0:40   ` Simo Sorce
2022-05-11  1:18     ` Jason A. Donenfeld
2022-05-11 12:59       ` Simo Sorce
2022-05-11 13:19         ` Alexander Graf
2022-05-11 13:19         ` Jason A. Donenfeld [this message]
2022-05-11 14:32           ` Simo Sorce
2022-05-11 13:20       ` Alexander Graf
2022-05-02 15:30 ` [PATCH 1/2] sysctl: read() must consume poll events, not poll() Jason A. Donenfeld
2022-05-02 15:43   ` Lennart Poettering
2022-05-03 11:27     ` Jason A. Donenfeld
2022-05-12 17:40       ` Luis Chamberlain
2022-05-12 18:29         ` Eric W. Biederman
2022-05-12 18:32           ` Jason A. Donenfeld
2022-05-12 18:22 ` Lucas De Marchi
2022-05-12 18:27   ` Jason A. Donenfeld

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=Ynu35I4KMW7gMZW3@zx2c4.com \
    --to=jason@zx2c4.com \
    --cc=colmmacc@amazon.com \
    --cc=graf@amazon.com \
    --cc=gregkh@linuxfoundation.org \
    --cc=htorben@amazon.co.uk \
    --cc=jannh@google.com \
    --cc=linux-crypto@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux@dominikbrodowski.net \
    --cc=simo@redhat.com \
    --cc=tytso@mit.edu \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).