LKML Archive on lore.kernel.org
 help / Atom feed
From: "Theodore Y. Ts'o" <tytso@mit.edu>
To: Kurt Roeckx <kurt@roeckx.be>
Cc: "Sebastian Andrzej Siewior" <sebastian@breakpoint.cc>,
	912087@bugs.debian.org,
	"Package Development List for OpenSSL packages."
	<pkg-openssl-devel@alioth-lists.debian.net>,
	linux-kernel@vger.kernel.org,
	"Bernhard Übelacker" <bernhardu@mailbox.org>,
	pkg-systemd-maintainers@lists.alioth.debian.org,
	debian-ssh@lists.debian.org, 912087-submitter@bugs.debian.org
Subject: Re: Bug#912087: openssh-server: Slow startup after the upgrade to 7.9p1
Date: Tue, 30 Oct 2018 16:51:36 -0400
Message-ID: <20181030205136.GB6236@thunk.org> (raw)
In-Reply-To: <20181030183723.GI10011@roeckx.be>

On Tue, Oct 30, 2018 at 07:37:23PM +0100, Kurt Roeckx wrote:
> 
> So are you saying that the /var/lib/random/seed is untrusted, and
> should never be used, and we should always wait for fresh entropy?
> 
> Anyway, I think if an attacker somehow has access to that file,
> you have much more serious problems.

So it's complicated.  It's not a binary trusted/untrusted sort of
thing.  We should definitely use it, and the fact we have it saved us
(at least after the system is installed) when there is a kernel bug
such as CVE-2018-1108 where we screwed up and treated the DMI table as
100% random and counted it towards required 256 bits of entropy needed
to consider the CRNG to be fully initialized.

If the attacker has access to the file, whether or not it matters
really depends on how the rest of the system is put together.  So for
example, if you have secure boot (via a secured bootloader and a
signed kernel), and the root file system is protected using dm-verity,
the fact that seed file might be compromisable by an external attacker
is bad, but it's not necessarily catastrophic.  (This is essential the
situation for ChromeOS and modern Android handsets, BTW.)

OTOH, there are definitely scenarios where you are correct, and if the
attacker has access to the files, you probably are toast, and so
therefore relying on it makes sense.  Whether or not you think that is
more or less safer than relying on RDRAND is going to be a judgement
call, and very much depends on your assumptions of the threat
environment.

(Suppose in the future the Chinese come up with a 100% chinese made
CPU, that has a RDRAND equivalent; the US military might not be
comfortable relying on that CPU or its RDRAND unit, but the Chinese
Military might be perfectly comfortable relying on it; what a
Debian-provided kernel should when we're trying to be a "Universal
Operating System" is a very interesting question --- and that's why
random.trust_cpu is a boot command line option.)

In any case, if Debian wants to ship a program which reads a seed file
and uses it to initialize the random pull assuming that it's
trustworthy via the RNDADDENTROPY ioctl, that's not an insane thing to
do.  My recommendation would be to make it be configurable, however,
just as whether we trust RDRAND should be trusted (in isolation) to
initialize the CRNG.

The point is that everyone is going to have a different opinion about
what entropy source is fully trusted, by itself, to initialize the
kernel's CRNG.  We should mix in everything; but what we should
consider as trustworthy enough to give entropy credit is going to vary
from one sysadmin/system designer/system security officer to another.

Personally, I'm comfortable to run my personal kernel with
CONFIG_RANDOM_TRUST_CPU.  I'm not willing to impose my beliefs on the
all Linux users, however.

Cheers,

					- Ted

  reply index

Thread overview: 11+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
     [not found] <20181029223334.GH10011@roeckx.be>
2018-10-30  0:18 ` Sebastian Andrzej Siewior
2018-10-30 14:15   ` Theodore Y. Ts'o
2018-10-30 18:37     ` Kurt Roeckx
2018-10-30 20:51       ` Theodore Y. Ts'o [this message]
2018-10-31 11:21         ` Sebastian Andrzej Siewior
2018-10-31 22:41           ` Theodore Y. Ts'o
2018-11-01 22:18             ` Sebastian Andrzej Siewior
2018-11-01 23:50               ` Theodore Y. Ts'o
2018-11-02  0:24                 ` Kurt Roeckx
2018-11-02  2:13                   ` Theodore Y. Ts'o
2018-11-04  0:18                 ` Sebastian Andrzej Siewior

Reply instructions:

You may reply publically to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20181030205136.GB6236@thunk.org \
    --to=tytso@mit.edu \
    --cc=912087-submitter@bugs.debian.org \
    --cc=912087@bugs.debian.org \
    --cc=bernhardu@mailbox.org \
    --cc=debian-ssh@lists.debian.org \
    --cc=kurt@roeckx.be \
    --cc=linux-kernel@vger.kernel.org \
    --cc=pkg-openssl-devel@alioth-lists.debian.net \
    --cc=pkg-systemd-maintainers@lists.alioth.debian.org \
    --cc=sebastian@breakpoint.cc \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

LKML Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/lkml/0 lkml/git/0.git
	git clone --mirror https://lore.kernel.org/lkml/1 lkml/git/1.git
	git clone --mirror https://lore.kernel.org/lkml/2 lkml/git/2.git
	git clone --mirror https://lore.kernel.org/lkml/3 lkml/git/3.git
	git clone --mirror https://lore.kernel.org/lkml/4 lkml/git/4.git
	git clone --mirror https://lore.kernel.org/lkml/5 lkml/git/5.git
	git clone --mirror https://lore.kernel.org/lkml/6 lkml/git/6.git
	git clone --mirror https://lore.kernel.org/lkml/7 lkml/git/7.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 lkml lkml/ https://lore.kernel.org/lkml \
		linux-kernel@vger.kernel.org linux-kernel@archiver.kernel.org
	public-inbox-index lkml


Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.kernel.vger.linux-kernel


AGPL code for this site: git clone https://public-inbox.org/ public-inbox