From: "Theodore Y. Ts'o" <tytso@mit.edu> To: Linus Torvalds <torvalds@linux-foundation.org> Cc: "Ahmed S. Darwish" <darwish.07@gmail.com>, Lennart Poettering <mzxreary@0pointer.de>, "Eric W. Biederman" <ebiederm@xmission.com>, "Alexander E. Patrakov" <patrakov@gmail.com>, Michael Kerrisk <mtk.manpages@gmail.com>, lkml <linux-kernel@vger.kernel.org>, linux-ext4@vger.kernel.org, linux-man@vger.kernel.org Subject: Re: [PATCH RFC v4 1/1] random: WARN on large getrandom() waits and introduce getrandom2() Date: Thu, 19 Sep 2019 10:34:27 -0400 Message-ID: <20190919143427.GQ6762@mit.edu> (raw) In-Reply-To: <CAHk-=wiCqDiU7SE3FLn2W26MS_voUAuqj5XFa1V_tiGTrrW-zQ@mail.gmail.com> (Adding linux-api since this patch proposes an API change; both by changing the existing behavior, and adding new flags and possibly a new system call.) On Wed, Sep 18, 2019 at 04:57:58PM -0700, Linus Torvalds wrote: > On Wed, Sep 18, 2019 at 2:17 PM Ahmed S. Darwish <darwish.07@gmail.com> wrote: > > > > Since Linux v3.17, getrandom(2) has been created as a new and more > > secure interface for pseudorandom data requests. It attempted to > > solve three problems, as compared to /dev/urandom: > > I don't think your patch is really _wrong_, but I think it's silly to > introduce a new system call, when we have 30 bits left in the flags of > the old one, and the old system call checked them. The only reason to introduce a new system call is if we were going to keep the existing behavior of getrandom. Given that the patch changes what getrandom(0), I agree there's no point to adding a new system call. > There is *one* other small semantic change: The old code did > urandom_read() which added warnings, but each warning also _reset_ the > crng_init_cnt. Until it decided not to warn any more, at which point > it also stops that resetting of crng_init_cnt. > > And that reset of crng_init_cnt, btw, is some cray cray. > > It's basically a "we used up entropy" thing, which is very > questionable to begin with as the whole discussion has shown, but > since it stops doing it after 10 cases, it's not even good security > assuming the "use up entropy" case makes sense in the first place. It was a bug that it stopped doing it after 10 tries, and there's a really good reason for it. Yes, the "using up entropy" thing doesn't make much sense in the general case. But we still need some threshold for deciding whether or not it's been sufficiently initialized such that we consider the CRNG initialized. The reason for zeroing it after we expose state is because otherwise if the pool starts in a known state (the attacker knows the starting configuration, knows the DMI table that we're mixing into the pool since that's a constant, etc.), then after we've injected a small amount of uncertainty in the pool --- say, we started with a single known state of the pool, and after injecting some randomness, there are 64 possible states of the pool. If the attacker can read from /dev/urandom, the attacker can know which of the 64 possible states of the pool it's in. Now suppose we inject more uncertainty, so that there's another 64 unknown states, and the attacker is able to constantly read from /dev/urandom in a tight loop; it'll be able to keep up with the injection of entropy insertion, and so even though we've injected 256 "bits" of uncertainty, the attacker will still know the state of the pool. That's why when we read from the pool, we need to clear the entropy bits. This is sometimes called a "state extension attack", and there have been attacks that have been carried out against RNG's that's don't protect against it. What happened is when I added the rate-limiting to the uninitialized /dev/urandom warning, I accidentally wiped out the protection. But it was there for a reason. > And the new cases are defined to *not* warn. In particular, > GRND_INSECURE very much does *not* warn about early urandom access > when crng isn't ready. Because the whole point of that new mode is > that the user knows it isn't secure. > > So that should make getrandom(GRND_INSECURE) palatable to the systemd > kind of use that wanted to avoid the pointless kernel warning. Yes, that's clearly the right thing to do. I do think we need to restore the state extension attack protections, though. > + /* > + * People are really confused about whether > + * this is secure or insecure. Traditional > + * behavior is secure, but there are users > + * who clearly didn't want that, and just > + * never thought about it. > + */ > + case 0: > ret = wait_for_random_bytes(); > - if (unlikely(ret)) > + if (ret) > return ret; > + break; I'm happy this proposed is not changing the behavior of getrandom(0). Why not just remap 0 to GRND_EXPLICIT | GRND_WAIT_ENTROPY, though? It will have the same effect, and it's make it clear what we're doing. Later on, when we rip out /dev/random pool code (and make reading from /dev/random the equivalent of getrandom(GRND_SECURE)), we'll need to similarly map the legacy combination of flags for GRND_RANDOM and GRND_RANDOM | GRND_NONBLOCK. - Ted
next prev parent reply index Thread overview: 211+ messages / expand[flat|nested] mbox.gz Atom feed top [not found] <CAHk-=whBQ+6c-h+htiv6pp8ndtv97+45AH9WvdZougDRM6M4VQ@mail.gmail.com> 2019-09-10 4:21 ` Linux 5.3-rc8 Ahmed S. Darwish 2019-09-10 11:33 ` Linus Torvalds 2019-09-10 12:21 ` Linus Torvalds 2019-09-10 17:33 ` Ahmed S. Darwish 2019-09-10 17:47 ` Reindl Harald 2019-09-10 18:21 ` Linus Torvalds 2019-09-11 16:07 ` Theodore Y. Ts'o 2019-09-11 16:45 ` Linus Torvalds 2019-09-11 17:00 ` Linus Torvalds 2019-09-11 17:36 ` Theodore Y. Ts'o 2019-09-12 3:44 ` Ahmed S. Darwish 2019-09-12 8:25 ` Theodore Y. Ts'o 2019-09-12 11:34 ` Linus Torvalds 2019-09-12 11:58 ` Willy Tarreau 2019-09-14 12:25 ` [PATCH RFC] random: getrandom(2): don't block on non-initialized entropy pool Ahmed S. Darwish 2019-09-14 14:08 ` Alexander E. Patrakov 2019-09-15 5:22 ` [PATCH RFC v2] random: optionally block in getrandom(2) when the CRNG is uninitialized Theodore Y. Ts'o 2019-09-15 8:17 ` [PATCH RFC v3] random: getrandom(2): optionally block when " Ahmed S. Darwish 2019-09-15 8:59 ` Lennart Poettering 2019-09-15 9:30 ` Willy Tarreau 2019-09-15 10:02 ` Ahmed S. Darwish 2019-09-15 10:40 ` Willy Tarreau 2019-09-15 10:55 ` Ahmed S. Darwish 2019-09-15 11:17 ` Willy Tarreau 2019-09-15 17:32 ` [PATCH RFC v2] random: optionally block in getrandom(2) when the " Linus Torvalds 2019-09-15 18:32 ` Willy Tarreau 2019-09-15 18:36 ` Willy Tarreau 2019-09-15 19:08 ` Linus Torvalds 2019-09-15 19:18 ` Willy Tarreau 2019-09-15 19:31 ` Linus Torvalds 2019-09-15 19:54 ` Willy Tarreau 2019-09-15 18:59 ` Linus Torvalds 2019-09-15 19:12 ` Willy Tarreau 2019-09-16 2:45 ` Ahmed S. Darwish 2019-09-16 18:08 ` Lennart Poettering 2019-09-16 19:16 ` Willy Tarreau 2019-09-18 21:15 ` [PATCH RFC v4 0/1] random: WARN on large getrandom() waits and introduce getrandom2() Ahmed S. Darwish 2019-09-18 21:17 ` [PATCH RFC v4 1/1] " Ahmed S. Darwish 2019-09-18 23:57 ` Linus Torvalds 2019-09-19 14:34 ` Theodore Y. Ts'o [this message] 2019-09-19 15:20 ` Linus Torvalds 2019-09-19 15:50 ` Linus Torvalds 2019-09-20 13:13 ` Theodore Y. Ts'o 2019-09-19 20:04 ` Linus Torvalds 2019-09-19 20:45 ` Alexander E. Patrakov 2019-09-19 21:47 ` Linus Torvalds 2019-09-19 22:23 ` Alexander E. Patrakov 2019-09-19 23:44 ` Alexander E. Patrakov 2019-09-20 13:16 ` Theodore Y. Ts'o 2019-09-23 11:55 ` David Laight 2019-09-20 13:08 ` Theodore Y. Ts'o 2019-09-20 13:46 ` Ahmed S. Darwish 2019-09-20 14:33 ` Andy Lutomirski 2019-09-20 16:29 ` Linus Torvalds 2019-09-20 17:52 ` Andy Lutomirski 2019-09-20 18:09 ` Linus Torvalds 2019-09-20 18:16 ` Willy Tarreau 2019-09-20 19:12 ` Andy Lutomirski 2019-09-20 19:51 ` Linus Torvalds 2019-09-20 20:11 ` Alexander E. Patrakov 2019-09-20 20:17 ` Matthew Garrett 2019-09-20 20:51 ` Andy Lutomirski 2019-09-20 22:44 ` Linus Torvalds 2019-09-20 23:30 ` Andy Lutomirski 2019-09-21 3:05 ` Willy Tarreau 2019-09-21 6:07 ` Florian Weimer 2019-09-23 18:33 ` Andy Lutomirski 2019-09-26 21:11 ` Ahmed S. Darwish 2019-09-20 18:12 ` Willy Tarreau 2019-09-20 19:22 ` Andy Lutomirski 2019-09-20 19:37 ` Willy Tarreau 2019-09-20 19:52 ` Andy Lutomirski 2019-09-20 20:02 ` Linus Torvalds 2019-09-20 18:15 ` Alexander E. Patrakov 2019-09-20 18:29 ` Andy Lutomirski 2019-09-20 17:26 ` Willy Tarreau 2019-09-20 17:56 ` Ahmed S. Darwish 2019-09-26 20:42 ` [PATCH v5 0/1] random: getrandom(2): warn on large CRNG waits, introduce new flags Ahmed S. Darwish 2019-09-26 20:44 ` [PATCH v5 1/1] " Ahmed S. Darwish 2019-09-26 21:39 ` Andy Lutomirski 2019-09-28 9:30 ` Ahmed S. Darwish 2019-09-14 15:02 ` Linux 5.3-rc8 Ahmed S. Darwish 2019-09-14 16:30 ` Linus Torvalds 2019-09-14 16:35 ` Alexander E. Patrakov 2019-09-14 16:52 ` Linus Torvalds 2019-09-14 17:09 ` Alexander E. Patrakov 2019-09-14 19:19 ` Linus Torvalds 2019-09-15 6:56 ` Lennart Poettering 2019-09-15 7:01 ` Willy Tarreau 2019-09-15 7:05 ` Lennart Poettering 2019-09-15 7:07 ` Willy Tarreau 2019-09-15 8:34 ` Lennart Poettering 2019-09-15 17:02 ` Linus Torvalds 2019-09-16 3:23 ` Theodore Y. Ts'o 2019-09-16 3:40 ` Linus Torvalds 2019-09-16 3:56 ` Linus Torvalds 2019-09-16 17:00 ` Theodore Y. Ts'o 2019-09-16 17:07 ` Linus Torvalds 2019-09-14 21:11 ` Ahmed S. Darwish 2019-09-14 22:05 ` Martin Steigerwald 2019-09-14 22:24 ` Theodore Y. Ts'o 2019-09-14 22:32 ` Linus Torvalds 2019-09-15 1:00 ` Theodore Y. Ts'o 2019-09-15 1:10 ` Linus Torvalds 2019-09-15 2:05 ` Theodore Y. Ts'o 2019-09-15 2:11 ` Linus Torvalds 2019-09-15 6:33 ` Willy Tarreau 2019-09-15 6:53 ` Willy Tarreau 2019-09-15 6:51 ` Lennart Poettering 2019-09-15 7:27 ` Ahmed S. Darwish 2019-09-15 8:48 ` Lennart Poettering 2019-09-15 16:29 ` Linus Torvalds 2019-09-16 1:40 ` Ahmed S. Darwish 2019-09-16 1:48 ` Vito Caputo 2019-09-16 2:49 ` Theodore Y. Ts'o 2019-09-16 4:29 ` Willy Tarreau 2019-09-16 5:02 ` Linus Torvalds 2019-09-16 6:12 ` Willy Tarreau 2019-09-16 16:17 ` Linus Torvalds 2019-09-16 17:21 ` Theodore Y. Ts'o 2019-09-16 17:44 ` Linus Torvalds 2019-09-16 17:55 ` Serge Belyshev 2019-09-16 19:08 ` Willy Tarreau 2019-09-16 23:02 ` Matthew Garrett 2019-09-16 23:05 ` Linus Torvalds 2019-09-16 23:11 ` Matthew Garrett 2019-09-16 23:13 ` Alexander E. Patrakov 2019-09-16 23:15 ` Matthew Garrett 2019-09-16 23:18 ` Linus Torvalds 2019-09-16 23:29 ` Ahmed S. Darwish 2019-09-17 1:05 ` Linus Torvalds 2019-09-17 1:23 ` Matthew Garrett 2019-09-17 1:41 ` Linus Torvalds 2019-09-17 1:46 ` Matthew Garrett 2019-09-17 5:24 ` Willy Tarreau 2019-09-17 7:33 ` Martin Steigerwald 2019-09-17 8:35 ` Willy Tarreau 2019-09-17 8:44 ` Martin Steigerwald 2019-09-17 12:11 ` Theodore Y. Ts'o 2019-09-17 12:30 ` Ahmed S. Darwish 2019-09-17 12:46 ` Alexander E. Patrakov 2019-09-17 12:47 ` Willy Tarreau 2019-09-17 16:08 ` Lennart Poettering 2019-09-17 16:23 ` Linus Torvalds 2019-09-17 16:34 ` Reindl Harald 2019-09-17 17:42 ` Lennart Poettering 2019-09-17 18:01 ` Linus Torvalds 2019-09-17 20:28 ` Martin Steigerwald 2019-09-17 20:52 ` Ahmed S. Darwish 2019-09-17 21:38 ` Martin Steigerwald 2019-09-17 21:52 ` Matthew Garrett 2019-09-17 22:10 ` Martin Steigerwald 2019-09-18 13:53 ` Lennart Poettering 2019-09-19 7:28 ` Martin Steigerwald 2019-09-17 23:08 ` Linus Torvalds 2019-09-18 13:40 ` Lennart Poettering 2019-09-17 20:58 ` Linus Torvalds 2019-09-18 9:33 ` Rasmus Villemoes 2019-09-18 10:16 ` Willy Tarreau 2019-09-18 10:25 ` Alexander E. Patrakov 2019-09-18 10:42 ` Willy Tarreau 2019-09-18 19:31 ` Linus Torvalds 2019-09-18 19:56 ` Eric W. Biederman 2019-09-18 20:13 ` Linus Torvalds 2019-09-18 20:15 ` Alexander E. Patrakov 2019-09-18 20:26 ` Linus Torvalds 2019-09-18 22:12 ` Willy Tarreau 2019-09-27 13:57 ` Lennart Poettering 2019-09-27 15:58 ` Linus Torvalds 2019-09-29 9:05 ` Lennart Poettering 2019-09-17 13:11 ` Alexander E. Patrakov 2019-09-17 13:37 ` Alexander E. Patrakov 2019-09-17 15:57 ` Lennart Poettering 2019-09-17 16:21 ` Willy Tarreau 2019-09-17 17:13 ` Lennart Poettering 2019-09-17 17:29 ` Willy Tarreau 2019-09-17 20:42 ` Martin Steigerwald 2019-09-18 13:38 ` Lennart Poettering 2019-09-18 13:59 ` Alexander E. Patrakov 2019-09-18 14:50 ` Alexander E. Patrakov 2019-09-17 20:36 ` Martin Steigerwald 2019-09-17 16:27 ` Linus Torvalds 2019-09-17 16:34 ` Matthew Garrett 2019-09-17 17:16 ` Willy Tarreau 2019-09-17 17:20 ` Matthew Garrett 2019-09-17 17:23 ` Matthew Garrett 2019-09-17 17:57 ` Willy Tarreau 2019-09-17 16:58 ` Alexander E. Patrakov 2019-09-17 17:30 ` Lennart Poettering 2019-09-17 17:32 ` Willy Tarreau 2019-09-17 17:41 ` Alexander E. Patrakov 2019-09-17 17:28 ` Lennart Poettering 2019-09-17 0:03 ` Matthew Garrett 2019-09-17 0:40 ` Matthew Garrett 2019-09-17 7:15 ` a sane approach to random numbers (was: Re: Linux 5.3-rc8) Martin Steigerwald 2019-09-16 18:00 ` Linux 5.3-rc8 Alexander E. Patrakov 2019-09-16 19:53 ` Ahmed S. Darwish 2019-09-17 15:32 ` Lennart Poettering 2019-09-16 3:31 ` Linus Torvalds 2019-09-23 20:49 ` chaos generating driver was " Pavel Machek 2019-09-14 9:25 ` Ahmed S. Darwish 2019-09-14 16:27 ` Theodore Y. Ts'o 2019-09-11 21:41 ` Ahmed S. Darwish 2019-09-11 22:37 ` Ahmed S. Darwish 2019-09-16 3:52 ` Herbert Xu 2019-09-16 4:21 ` Linus Torvalds 2019-09-16 4:53 ` Willy Tarreau 2019-09-10 11:56 ` Theodore Y. Ts'o 2019-09-16 10:33 ` Christoph Hellwig 2019-10-03 21:10 ` Jon Masters 2019-10-03 21:31 ` Jon Masters
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to=20190919143427.GQ6762@mit.edu \ --to=tytso@mit.edu \ --cc=darwish.07@gmail.com \ --cc=ebiederm@xmission.com \ --cc=linux-ext4@vger.kernel.org \ --cc=linux-kernel@vger.kernel.org \ --cc=linux-man@vger.kernel.org \ --cc=mtk.manpages@gmail.com \ --cc=mzxreary@0pointer.de \ --cc=patrakov@gmail.com \ --cc=torvalds@linux-foundation.org \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: link
Linux-ext4 Archive on lore.kernel.org Archives are clonable: git clone --mirror https://lore.kernel.org/linux-ext4/0 linux-ext4/git/0.git # If you have public-inbox 1.1+ installed, you may # initialize and index your mirror using the following commands: public-inbox-init -V2 linux-ext4 linux-ext4/ https://lore.kernel.org/linux-ext4 \ linux-ext4@vger.kernel.org public-inbox-index linux-ext4 Example config snippet for mirrors Newsgroup available over NNTP: nntp://nntp.lore.kernel.org/org.kernel.vger.linux-ext4 AGPL code for this site: git clone https://public-inbox.org/public-inbox.git