Linux-ext4 Archive on lore.kernel.org
 help / color / Atom feed
From: Linus Torvalds <torvalds@linux-foundation.org>
To: "Theodore Y. Ts'o" <tytso@mit.edu>
Cc: "Ahmed S. Darwish" <darwish.07@gmail.com>,
	Lennart Poettering <mzxreary@0pointer.de>,
	"Eric W. Biederman" <ebiederm@xmission.com>,
	"Alexander E. Patrakov" <patrakov@gmail.com>,
	Michael Kerrisk <mtk.manpages@gmail.com>,
	lkml <linux-kernel@vger.kernel.org>,
	linux-ext4@vger.kernel.org, linux-man@vger.kernel.org
Subject: Re: [PATCH RFC v4 1/1] random: WARN on large getrandom() waits and introduce getrandom2()
Date: Thu, 19 Sep 2019 08:20:57 -0700
Message-ID: <CAHk-=wgqbBy84ovtr8wPFqRo6U8jvp59rvQ8a6TvXuoyb-4L-Q@mail.gmail.com> (raw)
In-Reply-To: <20190919143427.GQ6762@mit.edu>

On Thu, Sep 19, 2019 at 7:34 AM Theodore Y. Ts'o <tytso@mit.edu> wrote:
>
> > It's basically a "we used up entropy" thing, which is very
> > questionable to begin with as the whole discussion has shown, but
> > since it stops doing it after 10 cases, it's not even good security
> > assuming the "use up entropy" case makes sense in the first place.
>
> It was a bug that it stopped doing it after 10 tries, and there's a
> really good reason for it.

I really doubt that.

> The reason for zeroing it after we expose state is because otherwise
> if the pool starts in a known state (the attacker knows the starting
> configuration, knows the DMI table that we're mixing into the pool
> since that's a constant, etc.),

That's at least partly because our pool hashing has what looks a
fairly sad property.

Yes, it hashes it using a good hash, but it does so in a way that
makes it largely possible to follow the hashing and repeat it and
analyze it.

That breaks if we have hw randomness, because it does the

        if (arch_get_random_long(&v))
                crng->state[14] ^= v;

so it always mixes in hardware randomness as part of the extraction,
but we don't mix anything else unpredictable - or even
process-specific - state in. So without hw randomness, you can try to
get a lot of data over a lot of boots - and for long times during
boots - and maybe find the pattern.

But honestly, this isn't realistic. I can point to emails where *you*
are  arguing against other hashing algorithms because the whole state
extension attack simply isn't realistic.

And I think it's also pretty questionable how we don't try to mix in
anything timing/process-specific when extracting, which is what makes
that "do lots of boots" possible.

The silly "reset crng_init_cnt" does absolutely nothing to help that,
but in fact what it does is to basically give the attacker a way to
get an infinite stream of data without any reseeding (because that
only happens after crng_read()), and able to extend that "block at
boot" time indefinitely while doing so.

Also honestly, if the attacker already has access to the system at
boot, you have some fairly big problems to begin with.

So a much bigger issue than the state extension attack (pretty much
purely theoretical, given any entropy at all, which we _will_ have
even without the crng_init_cnt clearing) is the fact that right now we
really are predictable if there are no hardware interrupts, and people
have used /dev/urandom because other sources weren't useful.

And the fact is, we *know* people use /dev/urandom exactly because
other sources haven't been useful.

And unlike your theoretical state extension attack, I can point you to
black hat presentations that literally talk about using the fact that
we delay m,ixing in the input pull hash to know what's going on:

  https://www.blackhat.com/docs/eu-14/materials/eu-14-Kedmi-Attacking-The-Linux-PRNG-On-Android-Weaknesses-In-Seeding-Of-Entropic-Pools-And-Low-Boot-Time-Entropy.pdf

That's a real attack. Based on the REAL fact that we currently have to
use the urandom logic because the entropy-waiting one is useless, and
in fact depends on the re-seeding happening too late.

Yes, yes, our urandom has changed since that attack, and we use chacha
instead of sha1 these days. We have other changes too. But I don't see
anything fundamentally different.

And all your arguments seem to make that _real_ security issue just
worse, exactly because we also avoid reseeding while crng_init is
zero.

> I'm happy this proposed is not changing the behavior of getrandom(0).
> Why not just remap 0 to GRND_EXPLICIT | GRND_WAIT_ENTROPY, though?  It
> will have the same effect, and it's make it clear what we're doing.

Have you you not followed the whole discussion? Didn't you read the comment?

People use "getrandom(0)" not because they want secure randomness, but
because that's the default.

And we *will* do something about it. This patch didn't, because I want
to be able to backport it to stable, so that everybody is happier with
saying "ok, I'll use the new getrandom(GRND_INSECURE)".

Because getrandom(0) will NOT be the the same as GRND_EXPLICIT |
GRND_WAIT_ENTROPY.

getrandom(0) is the "I don't know what I am doing" thing. It could be
somebody that wants real secure random numbers. Or it could *not* be
one of those, and need the timeout.

> Later on, when we rip out /dev/random pool code (and make reading from
> /dev/random the equivalent of getrandom(GRND_SECURE)), we'll need to
> similarly map the legacy combination of flags for GRND_RANDOM and
> GRND_RANDOM | GRND_NONBLOCK.

And that is completely immaterial, because the "I'm confused" case
isn't about GRND_RANDOM. Nobody uses that anyway, and more importantly
it's not the case that has caused bugs. That one blocks even during
normal execution, so that one - despite being completely useless -
actually has the one good thing going for it that it's testable.
People will see the "oh, that took a long time" during testing. And
then they'll stop using it.

Ted - you really don't seem to be making any distinction between
"these are real problems that should be fixed" vs "this is theory that
isn't relevant".

The "getrandom(0)" is a real problem that needs to be fixed.

The warnings from /dev/urandom are real problems that people
apparently have worked around by (incorrectly) using getrandom(0).

The "hashing the random pool still leaves identities in place" is a
real problem that had a real attack.

The state extension attack? Complete theory (again, I can point to you
saying the same thing in other threads), and the "fix" of resetting
the counter and not reseeding seems to be anything but.

            Linus

  reply index

Thread overview: 211+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
     [not found] <CAHk-=whBQ+6c-h+htiv6pp8ndtv97+45AH9WvdZougDRM6M4VQ@mail.gmail.com>
2019-09-10  4:21 ` Linux 5.3-rc8 Ahmed S. Darwish
2019-09-10 11:33   ` Linus Torvalds
2019-09-10 12:21     ` Linus Torvalds
2019-09-10 17:33     ` Ahmed S. Darwish
2019-09-10 17:47       ` Reindl Harald
2019-09-10 18:21       ` Linus Torvalds
2019-09-11 16:07         ` Theodore Y. Ts'o
2019-09-11 16:45           ` Linus Torvalds
2019-09-11 17:00             ` Linus Torvalds
2019-09-11 17:36               ` Theodore Y. Ts'o
2019-09-12  3:44                 ` Ahmed S. Darwish
2019-09-12  8:25                   ` Theodore Y. Ts'o
2019-09-12 11:34                     ` Linus Torvalds
2019-09-12 11:58                       ` Willy Tarreau
2019-09-14 12:25                       ` [PATCH RFC] random: getrandom(2): don't block on non-initialized entropy pool Ahmed S. Darwish
2019-09-14 14:08                         ` Alexander E. Patrakov
2019-09-15  5:22                           ` [PATCH RFC v2] random: optionally block in getrandom(2) when the CRNG is uninitialized Theodore Y. Ts'o
2019-09-15  8:17                             ` [PATCH RFC v3] random: getrandom(2): optionally block when " Ahmed S. Darwish
2019-09-15  8:59                               ` Lennart Poettering
2019-09-15  9:30                                 ` Willy Tarreau
2019-09-15 10:02                                   ` Ahmed S. Darwish
2019-09-15 10:40                                     ` Willy Tarreau
2019-09-15 10:55                                       ` Ahmed S. Darwish
2019-09-15 11:17                                         ` Willy Tarreau
2019-09-15 17:32                             ` [PATCH RFC v2] random: optionally block in getrandom(2) when the " Linus Torvalds
2019-09-15 18:32                               ` Willy Tarreau
2019-09-15 18:36                                 ` Willy Tarreau
2019-09-15 19:08                                   ` Linus Torvalds
2019-09-15 19:18                                     ` Willy Tarreau
2019-09-15 19:31                                       ` Linus Torvalds
2019-09-15 19:54                                         ` Willy Tarreau
2019-09-15 18:59                                 ` Linus Torvalds
2019-09-15 19:12                                   ` Willy Tarreau
2019-09-16  2:45                                   ` Ahmed S. Darwish
2019-09-16 18:08                               ` Lennart Poettering
2019-09-16 19:16                                 ` Willy Tarreau
2019-09-18 21:15                               ` [PATCH RFC v4 0/1] random: WARN on large getrandom() waits and introduce getrandom2() Ahmed S. Darwish
2019-09-18 21:17                                 ` [PATCH RFC v4 1/1] " Ahmed S. Darwish
2019-09-18 23:57                                   ` Linus Torvalds
2019-09-19 14:34                                     ` Theodore Y. Ts'o
2019-09-19 15:20                                       ` Linus Torvalds [this message]
2019-09-19 15:50                                         ` Linus Torvalds
2019-09-20 13:13                                           ` Theodore Y. Ts'o
2019-09-19 20:04                                         ` Linus Torvalds
2019-09-19 20:45                                           ` Alexander E. Patrakov
2019-09-19 21:47                                             ` Linus Torvalds
2019-09-19 22:23                                               ` Alexander E. Patrakov
2019-09-19 23:44                                                 ` Alexander E. Patrakov
2019-09-20 13:16                                                 ` Theodore Y. Ts'o
2019-09-23 11:55                                           ` David Laight
2019-09-20 13:08                                         ` Theodore Y. Ts'o
2019-09-20 13:46                                     ` Ahmed S. Darwish
2019-09-20 14:33                                       ` Andy Lutomirski
2019-09-20 16:29                                         ` Linus Torvalds
2019-09-20 17:52                                           ` Andy Lutomirski
2019-09-20 18:09                                             ` Linus Torvalds
2019-09-20 18:16                                               ` Willy Tarreau
2019-09-20 19:12                                               ` Andy Lutomirski
2019-09-20 19:51                                                 ` Linus Torvalds
2019-09-20 20:11                                                   ` Alexander E. Patrakov
2019-09-20 20:17                                                   ` Matthew Garrett
2019-09-20 20:51                                                   ` Andy Lutomirski
2019-09-20 22:44                                                     ` Linus Torvalds
2019-09-20 23:30                                                       ` Andy Lutomirski
2019-09-21  3:05                                                         ` Willy Tarreau
2019-09-21  6:07                                               ` Florian Weimer
2019-09-23 18:33                                                 ` Andy Lutomirski
2019-09-26 21:11                                                   ` Ahmed S. Darwish
2019-09-20 18:12                                             ` Willy Tarreau
2019-09-20 19:22                                               ` Andy Lutomirski
2019-09-20 19:37                                                 ` Willy Tarreau
2019-09-20 19:52                                                   ` Andy Lutomirski
2019-09-20 20:02                                                 ` Linus Torvalds
2019-09-20 18:15                                             ` Alexander E. Patrakov
2019-09-20 18:29                                               ` Andy Lutomirski
2019-09-20 17:26                                       ` Willy Tarreau
2019-09-20 17:56                                         ` Ahmed S. Darwish
2019-09-26 20:42                                     ` [PATCH v5 0/1] random: getrandom(2): warn on large CRNG waits, introduce new flags Ahmed S. Darwish
2019-09-26 20:44                                       ` [PATCH v5 1/1] " Ahmed S. Darwish
2019-09-26 21:39                                         ` Andy Lutomirski
2019-09-28  9:30                                           ` Ahmed S. Darwish
2019-09-14 15:02                       ` Linux 5.3-rc8 Ahmed S. Darwish
2019-09-14 16:30                         ` Linus Torvalds
2019-09-14 16:35                           ` Alexander E. Patrakov
2019-09-14 16:52                             ` Linus Torvalds
2019-09-14 17:09                               ` Alexander E. Patrakov
2019-09-14 19:19                                 ` Linus Torvalds
2019-09-15  6:56                               ` Lennart Poettering
2019-09-15  7:01                                 ` Willy Tarreau
2019-09-15  7:05                                   ` Lennart Poettering
2019-09-15  7:07                                     ` Willy Tarreau
2019-09-15  8:34                                       ` Lennart Poettering
2019-09-15 17:02                                 ` Linus Torvalds
2019-09-16  3:23                                   ` Theodore Y. Ts'o
2019-09-16  3:40                                     ` Linus Torvalds
2019-09-16  3:56                                       ` Linus Torvalds
2019-09-16 17:00                                       ` Theodore Y. Ts'o
2019-09-16 17:07                                         ` Linus Torvalds
2019-09-14 21:11                           ` Ahmed S. Darwish
2019-09-14 22:05                             ` Martin Steigerwald
2019-09-14 22:24                             ` Theodore Y. Ts'o
2019-09-14 22:32                               ` Linus Torvalds
2019-09-15  1:00                                 ` Theodore Y. Ts'o
2019-09-15  1:10                                   ` Linus Torvalds
2019-09-15  2:05                                     ` Theodore Y. Ts'o
2019-09-15  2:11                                       ` Linus Torvalds
2019-09-15  6:33                                       ` Willy Tarreau
2019-09-15  6:53                                       ` Willy Tarreau
2019-09-15  6:51                           ` Lennart Poettering
2019-09-15  7:27                             ` Ahmed S. Darwish
2019-09-15  8:48                               ` Lennart Poettering
2019-09-15 16:29                             ` Linus Torvalds
2019-09-16  1:40                               ` Ahmed S. Darwish
2019-09-16  1:48                                 ` Vito Caputo
2019-09-16  2:49                                   ` Theodore Y. Ts'o
2019-09-16  4:29                                     ` Willy Tarreau
2019-09-16  5:02                                       ` Linus Torvalds
2019-09-16  6:12                                         ` Willy Tarreau
2019-09-16 16:17                                           ` Linus Torvalds
2019-09-16 17:21                                             ` Theodore Y. Ts'o
2019-09-16 17:44                                               ` Linus Torvalds
2019-09-16 17:55                                                 ` Serge Belyshev
2019-09-16 19:08                                                 ` Willy Tarreau
2019-09-16 23:02                                                 ` Matthew Garrett
2019-09-16 23:05                                                   ` Linus Torvalds
2019-09-16 23:11                                                     ` Matthew Garrett
2019-09-16 23:13                                                       ` Alexander E. Patrakov
2019-09-16 23:15                                                         ` Matthew Garrett
2019-09-16 23:18                                                       ` Linus Torvalds
2019-09-16 23:29                                                         ` Ahmed S. Darwish
2019-09-17  1:05                                                           ` Linus Torvalds
2019-09-17  1:23                                                             ` Matthew Garrett
2019-09-17  1:41                                                               ` Linus Torvalds
2019-09-17  1:46                                                                 ` Matthew Garrett
2019-09-17  5:24                                                                   ` Willy Tarreau
2019-09-17  7:33                                                                     ` Martin Steigerwald
2019-09-17  8:35                                                                       ` Willy Tarreau
2019-09-17  8:44                                                                         ` Martin Steigerwald
2019-09-17 12:11                                                                       ` Theodore Y. Ts'o
2019-09-17 12:30                                                                         ` Ahmed S. Darwish
2019-09-17 12:46                                                                           ` Alexander E. Patrakov
2019-09-17 12:47                                                                           ` Willy Tarreau
2019-09-17 16:08                                                                           ` Lennart Poettering
2019-09-17 16:23                                                                             ` Linus Torvalds
2019-09-17 16:34                                                                               ` Reindl Harald
2019-09-17 17:42                                                                               ` Lennart Poettering
2019-09-17 18:01                                                                                 ` Linus Torvalds
2019-09-17 20:28                                                                                   ` Martin Steigerwald
2019-09-17 20:52                                                                                     ` Ahmed S. Darwish
2019-09-17 21:38                                                                                       ` Martin Steigerwald
2019-09-17 21:52                                                                                         ` Matthew Garrett
2019-09-17 22:10                                                                                           ` Martin Steigerwald
2019-09-18 13:53                                                                                             ` Lennart Poettering
2019-09-19  7:28                                                                                               ` Martin Steigerwald
2019-09-17 23:08                                                                                           ` Linus Torvalds
2019-09-18 13:40                                                                                         ` Lennart Poettering
2019-09-17 20:58                                                                                   ` Linus Torvalds
2019-09-18  9:33                                                                                     ` Rasmus Villemoes
2019-09-18 10:16                                                                                       ` Willy Tarreau
2019-09-18 10:25                                                                                         ` Alexander E. Patrakov
2019-09-18 10:42                                                                                           ` Willy Tarreau
2019-09-18 19:31                                                                                       ` Linus Torvalds
2019-09-18 19:56                                                                                 ` Eric W. Biederman
2019-09-18 20:13                                                                                   ` Linus Torvalds
2019-09-18 20:15                                                                                   ` Alexander E. Patrakov
2019-09-18 20:26                                                                                     ` Linus Torvalds
2019-09-18 22:12                                                                                       ` Willy Tarreau
2019-09-27 13:57                                                                                       ` Lennart Poettering
2019-09-27 15:58                                                                                         ` Linus Torvalds
2019-09-29  9:05                                                                                           ` Lennart Poettering
2019-09-17 13:11                                                                         ` Alexander E. Patrakov
2019-09-17 13:37                                                                           ` Alexander E. Patrakov
2019-09-17 15:57                                                                         ` Lennart Poettering
2019-09-17 16:21                                                                           ` Willy Tarreau
2019-09-17 17:13                                                                             ` Lennart Poettering
2019-09-17 17:29                                                                               ` Willy Tarreau
2019-09-17 20:42                                                                                 ` Martin Steigerwald
2019-09-18 13:38                                                                                 ` Lennart Poettering
2019-09-18 13:59                                                                                   ` Alexander E. Patrakov
2019-09-18 14:50                                                                                     ` Alexander E. Patrakov
2019-09-17 20:36                                                                             ` Martin Steigerwald
2019-09-17 16:27                                                                       ` Linus Torvalds
2019-09-17 16:34                                                                         ` Matthew Garrett
2019-09-17 17:16                                                                           ` Willy Tarreau
2019-09-17 17:20                                                                             ` Matthew Garrett
2019-09-17 17:23                                                                               ` Matthew Garrett
2019-09-17 17:57                                                                               ` Willy Tarreau
2019-09-17 16:58                                                                         ` Alexander E. Patrakov
2019-09-17 17:30                                                                           ` Lennart Poettering
2019-09-17 17:32                                                                             ` Willy Tarreau
2019-09-17 17:41                                                                               ` Alexander E. Patrakov
2019-09-17 17:28                                                                         ` Lennart Poettering
2019-09-17  0:03                                                         ` Matthew Garrett
2019-09-17  0:40                                                         ` Matthew Garrett
2019-09-17  7:15                                                     ` a sane approach to random numbers (was: Re: Linux 5.3-rc8) Martin Steigerwald
2019-09-16 18:00                                               ` Linux 5.3-rc8 Alexander E. Patrakov
2019-09-16 19:53                                               ` Ahmed S. Darwish
2019-09-17 15:32                                               ` Lennart Poettering
2019-09-16  3:31                                 ` Linus Torvalds
2019-09-23 20:49                           ` chaos generating driver was " Pavel Machek
2019-09-14  9:25                     ` Ahmed S. Darwish
2019-09-14 16:27                       ` Theodore Y. Ts'o
2019-09-11 21:41             ` Ahmed S. Darwish
2019-09-11 22:37               ` Ahmed S. Darwish
2019-09-16  3:52           ` Herbert Xu
2019-09-16  4:21             ` Linus Torvalds
2019-09-16  4:53               ` Willy Tarreau
2019-09-10 11:56   ` Theodore Y. Ts'o
2019-09-16 10:33     ` Christoph Hellwig
2019-10-03 21:10   ` Jon Masters
2019-10-03 21:31   ` Jon Masters

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to='CAHk-=wgqbBy84ovtr8wPFqRo6U8jvp59rvQ8a6TvXuoyb-4L-Q@mail.gmail.com' \
    --to=torvalds@linux-foundation.org \
    --cc=darwish.07@gmail.com \
    --cc=ebiederm@xmission.com \
    --cc=linux-ext4@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-man@vger.kernel.org \
    --cc=mtk.manpages@gmail.com \
    --cc=mzxreary@0pointer.de \
    --cc=patrakov@gmail.com \
    --cc=tytso@mit.edu \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Linux-ext4 Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/linux-ext4/0 linux-ext4/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 linux-ext4 linux-ext4/ https://lore.kernel.org/linux-ext4 \
		linux-ext4@vger.kernel.org
	public-inbox-index linux-ext4

Example config snippet for mirrors

Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.kernel.vger.linux-ext4


AGPL code for this site: git clone https://public-inbox.org/public-inbox.git