From: Stephan Mueller <smueller@chronox.de>
To: "David Jaša" <djasa@redhat.com>
Cc: Andi Kleen <andi@firstfloor.org>,
sandyinchina@gmail.com,
Jason Cooper <cryptography@lakedaemon.net>,
John Denker <jsd@av8n.com>,
"H. Peter Anvin" <hpa@linux.intel.com>,
Joe Perches <joe@perches.com>, Pavel Machek <pavel@ucw.cz>,
George Spelvin <linux@horizon.com>,
linux-crypto@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH v4 0/5] /dev/random - a new approach
Date: Sat, 18 Jun 2016 10:21:16 +0200 [thread overview]
Message-ID: <1883152.WnWCHsqf2W@positron.chronox.de> (raw)
In-Reply-To: <1466171773.20087.66.camel@redhat.com>
Am Freitag, 17. Juni 2016, 15:56:13 schrieb David Jaša:
Hi David,
> Hi Stephan,
>
> thank you for your thorough reply,
>
> On St, 2016-06-15 at 18:58 +0200, Stephan Mueller wrote:
> > Am Mittwoch, 15. Juni 2016, 18:17:43 schrieb David Jaša:
> >
> > Hi David,
> >
> > > Hello Stephan,
> > >
> > > Did you consider blocking urandom output or returning error until
> > > initialized? Given the speed of initialization you report, it shouldn't
> > > break any userspace apps while making sure that nobody uses predictable
> > > pseudoranom numbers.
> >
> > My LRNG will definitely touch the beginning of the initramfs booting until
> > it is fully seeded. As these days the initramfs is driven by systemd
> > which always pulls from /dev/urandom, we cannot block as this would block
> > systemd. In Ted's last patch, he mentioned that he tried to make
> > /dev/urandom block which caused user space pain.
>
> I was thinking along the lines that "almost every important package
> supports FreeBSD as well where they have to handle the condition so
> option to switch to Rather Break Than Generate Weak Keys would be nice"
> - but I didn't expect that systemd could be a roadblock here. :-/
>
> I was also thinking of little devices where OpenWRT or proprietary
> Linux-based systems run that ended up with predictable keys way too
> ofter (or as in OpenWRT's case, with cumbersome tutorials how to
> generate keys elsewhere).
I have some ideas on how to handle that issue -- let me run some tests and I
will report back.
>
> > But if you use the getrandom system call, it works like /dev/urandom but
> > blocks until the DRBG behind /dev/urandom is fully initialized.
> >
> > > I was considering asking for patch (or even trying to write it myself)
> > > to make current urandom block/fail when not initialized but that would
> > > surely have to be off by default over "never break userspace" rule (even
> > > if it means way too easy security problem with both random and urandom).
> > > Properties of your urandom implementation makes this point moot and it
> > > could make the random/urandom wars over.
> >
> > That patch unfortunately will not work. But if you are interested in that
> > blocking /dev/urandom behavior for your application, use getrandom.
>
> I'm QA with a touch of sysadmin so the numbers of apps to fix is large
> and I don't have neither control over the projects nor abilities to
> patch them all myself. :)
Sure, I can understand that :-)
>
> > > Best Regards,
> > >
> > > David Jaša
> >
> > Ciao
> > Stephan
>
> BTW when looking at an old BSI's issue with Linux urandom that Jarod
> Wilson tried to solve with this series:
> https://www.spinics.net/lists/linux-crypto/msg06113.html
> I was thinking:
> 1) wouldn't it help for large urandom consumers if kernel created a DRBG
> instance for each of them? It would likely enhance performance and solve
> BSI's concern of predicting what numbers could other urandom consumers
> obtain at cost of memory footprint
That issue is partly solved with my patch set: I have one DRBG per NUMA node
where all DRBG instances are equally treated. Surely that patch could be
expanded on a per-CPU instance. But let us try to use the per-NUMA
implementation and see whether that helps.
Besides, the legacy /dev/urandom delivers about 12 MB/s on my system whereas
the DRBG delivers more than 800MB/s. So, we have quite some performance
improvement.
Note, Ted's patch has a similar implementation.
> and then, after reading paper associated with this series:
> 2) did you evaluate use of intermediate DRBG fed by primary generator to
> instantiate per-node DRBG's? It would allow initialization of all
> secondary DRBGs right after primary generator initialization.
That is exactly what I do.
>
> Cheers,
>
> David
Ciao
Stephan
next prev parent reply other threads:[~2016-06-18 8:21 UTC|newest]
Thread overview: 33+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-05-31 18:37 [PATCH v4 0/5] /dev/random - a new approach Stephan Mueller
2016-05-31 18:37 ` [PATCH v4 1/5] crypto: DRBG - externalize DRBG functions for LRNG Stephan Mueller
2016-05-31 18:38 ` [PATCH v4 2/5] random: conditionally compile code depending on LRNG Stephan Mueller
2016-05-31 18:39 ` [PATCH v4 3/5] crypto: Linux Random Number Generator Stephan Mueller
2016-05-31 18:39 ` [PATCH v4 4/5] crypto: LRNG - enable compile Stephan Mueller
2016-05-31 18:39 ` [PATCH v4 5/5] random: add interrupt callback to VMBus IRQ handler Stephan Mueller
2016-05-31 22:34 ` [PATCH v4 0/5] /dev/random - a new approach George Spelvin
2016-06-15 16:17 ` David Jaša
2016-06-15 16:58 ` Stephan Mueller
2016-06-17 13:56 ` David Jaša
2016-06-17 15:26 ` Sandy Harris
2016-06-18 8:22 ` Stephan Mueller
2016-06-18 8:21 ` Stephan Mueller [this message]
2016-06-18 14:44 ` Theodore Ts'o
2016-06-18 16:31 ` Stephan Mueller
2016-06-20 17:07 ` Austin S. Hemmelgarn
2016-06-20 18:32 ` Stephan Mueller
2016-06-21 13:05 ` Austin S. Hemmelgarn
2016-06-21 13:19 ` Tomas Mraz
2016-06-21 17:18 ` Austin S. Hemmelgarn
2016-06-21 17:23 ` Stephan Mueller
2016-06-21 17:54 ` Austin S. Hemmelgarn
2016-06-21 18:05 ` Stephan Mueller
2016-06-21 13:20 ` Stephan Mueller
2016-06-21 17:51 ` Austin S. Hemmelgarn
2016-06-21 18:04 ` Stephan Mueller
2016-06-21 19:31 ` Austin S. Hemmelgarn
2016-06-22 5:16 ` Stephan Mueller
2016-06-22 12:54 ` Austin S. Hemmelgarn
2016-06-22 13:25 ` Stephan Mueller
2016-06-21 13:42 ` Pavel Machek
2016-06-21 17:17 ` Austin S. Hemmelgarn
2016-06-21 12:25 ` David Jaša
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1883152.WnWCHsqf2W@positron.chronox.de \
--to=smueller@chronox.de \
--cc=andi@firstfloor.org \
--cc=cryptography@lakedaemon.net \
--cc=djasa@redhat.com \
--cc=hpa@linux.intel.com \
--cc=joe@perches.com \
--cc=jsd@av8n.com \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux@horizon.com \
--cc=pavel@ucw.cz \
--cc=sandyinchina@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).