From: Marcelo Henrique Cerri <marcelo.cerri@canonical.com>
To: "Jason A. Donenfeld" <Jason@zx2c4.com>
Cc: Simo Sorce <simo@redhat.com>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
Jeffrey Walton <noloader@gmail.com>,
Stephan Mueller <smueller@chronox.de>, Tso Ted <tytso@mit.edu>,
Linux Crypto Mailing List <linux-crypto@vger.kernel.org>,
Willy Tarreau <w@1wt.eu>, Nicolai Stange <nstange@suse.de>,
LKML <linux-kernel@vger.kernel.org>,
Arnd Bergmann <arnd@arndb.de>,
"Eric W. Biederman" <ebiederm@xmission.com>,
"Alexander E. Patrakov" <patrakov@gmail.com>,
"Ahmed S. Darwish" <darwish.07@gmail.com>,
Matthew Garrett <mjg59@srcf.ucam.org>,
Vito Caputo <vcaputo@pengaru.com>,
Andreas Dilger <adilger.kernel@dilger.ca>,
Jan Kara <jack@suse.cz>, Ray Strode <rstrode@redhat.com>,
William Jon McCann <mccann@jhu.edu>,
zhangjs <zachary@baishancloud.com>,
Andy Lutomirski <luto@kernel.org>,
Florian Weimer <fweimer@redhat.com>,
Lennart Poettering <mzxreary@0pointer.de>,
Peter Matthias <matthias.peter@bsi.bund.de>,
Eric Biggers <ebiggers@kernel.org>,
Neil Horman <nhorman@redhat.com>,
Randy Dunlap <rdunlap@infradead.org>,
Julia Lawall <julia.lawall@inria.fr>,
Dan Carpenter <dan.carpenter@oracle.com>,
Andy Lavr <andy.lavr@gmail.com>, Petr Tesarik <ptesarik@suse.cz>,
John Haxby <john.haxby@oracle.com>,
Alexander Lobakin <alobakin@mailbox.org>,
Jirka Hladky <jhladky@redhat.com>
Subject: Re: [PATCH v43 01/15] Linux Random Number Generator
Date: Mon, 10 Jan 2022 10:23:49 -0300 [thread overview]
Message-ID: <20220110132349.siplwka7yhe2tmwc@valinor> (raw)
In-Reply-To: <20211210014337.xmin2lu5rhhe3b3t@valinor>
[-- Attachment #1: Type: text/plain, Size: 7689 bytes --]
On Thu, Dec 09, 2021 at 10:43:37PM -0300, Marcelo Henrique Cerri wrote:
> On Wed, Dec 01, 2021 at 11:02:38AM -0500, Jason A. Donenfeld wrote:
> > Hi Simo,
> >
> > I think various folks have said this during the various discussions on this
> > topic over the years, in addition to myself, but I suppose I'll reiterate my
> > general views on FIPS in this context.
> >
> > FIPS is about compliance and certification. From a cryptographic point of
> > view, there might be some good ideas, some dated ideas, some superfluous but
> > harmless ideas, and so forth. But the reason that you want it for your
> > customers is because you think your product will become more valuable or
> > useful to customers if it checks that green compliance checkbox. I don't think
> > we disagree about this being the motivation.
> >
> > Now typically the kernel interoperates with lots of things and implements many
> > different specifications. It supports scores of network protocols, IPsec
> > cipher suites, USB quirks, SCSI hacks, you name it. The implementation of
> > these drivers is always up to the author and hopefully kernel developers at
> > large do the best job they can with the implementation, but the hardware or
> > protocol they're interfacing with is not up to the author, by virtue of it
> > being external to the kernel. It's not like instantiating IPsec with single
> > DES and MD4, or SM3 and SM4, etc. is so great, and it's not like the
> > compendium of brilliant hacks in drivers/usb/host/pci-quirks.c is so great
> > either. But these things all exist to talk to something *outside* of the
> > kernel, and so we grit our teeth, and as I said, do the best we can to
> > implement it well.
> >
> > But the RNG isn't like that. In fact, the RNG is logically *required* to be
> > not anything like that: it returns random bytes, and they must not have any
> > distinguishing quality with other random bytes; otherwise we have a serious
> > problem that needs fixing. And so, we carry things out according to the usual
> > kernel developer mindset: we implement it as best as we can, using the best
> > algorithms we can find, in a way most suitable for the kernel.
> >
> > Then FIPS comes along and starts dictating things about *how* we implement it,
> > and those things it dictates might not be exactly the same as what we would
> > would be doing when doing best that we can, using the best algorithms we can
> > find, and in the most suitable way for the kernel. And so it would seem that
> > the goal of implementing the RNG as best as we can might potentially be at
> > odds with the goal of getting that green compliance checkbox, because that
> > checkbox oversteps its bounds a bit.
> >
> > That's not to say, of course, that we shouldn't accept input on how we
> > implement our algorithms from elsewhere. On the contrary, I think random.c has
> > a *lot* to gain from incorporating newer ideas, and that the formalism and
> > guidance from academic cryptographers is less "academic" than it once was and
> > much more real world, implementable, and suitable for our uses. But, again,
> > incorporating new ideas and accepting input on how to improve our code is very
> > much not the same thing as following the FIPS laundry list for that green
> > compliance checkbox. Maybe some parts do overlap -- and I'd love patches that
> > improve the code alongside compelling cryptographic arguments -- but, again,
> > we're talking about compliance here, and not a more welcome, "hey check out
> > this document I found with a bunch of great ideas we should implement."
> >
> > I would like the kernel to have an excellent CSPRNG, from a cryptographic
> > point of view, from a performance point of view, from an API point of view. I
> > think these motivations are consistent with how the kernel is generally
> > developed. And I think front loading the motivations with an external
> > compliance goal greatly deviates and even detracts from the way the kernel is
> > generally developed.
> >
> > Now the above is somewhat negative on FIPS, but the question can still be
> > posed: does FIPS have a path forward in the RNG in the kernel? It's obviously
> > not a resounding "yes", but I don't think it's a totally certain "no" either.
> > It might be possible to find some wiggle room. I'm not saying that it is
> > certainly possible to do that, but it might be.
> >
> > Specifically, I think that if you change your perspective from, "how can we
> > change the algorithms of the RNG to be FIPS" to "how can we bend FIPS within
> > its limits so that having what customers want would minimally impact the
> > quality of the RNG implementation or introduce undue maintenance burdens."
> > This means: not refactoring the RNG into some large abstraction layer that's
> > pluggable and supports multiple different implementations, not rewriting the
> > world in a massive patchset, not adding clutter. Instead, perhaps there's a
> > very, very minimal set of things that can be done that would be considerably
> > less controversial. That will probably require from you and other FIPS
> > enthusiasts some study and discussion at what the truly most minimal set of
> > things required are to get you that green compliance checkbox. And hey --
> > maybe it's still way too much and it doesn't work out here. But maybe it's not
> > that much, or, as Greg suggested, maybe it winds up that your needs are
> > actually satisfied just fine by something in userspace or userspace-adjacent.
> >
> > So I don't know whether the FIPS has a path forward here, but if it does, I
> > think the above is the general shape it would take. And in the mean time, I'm
> > of course open to reviewing patches that improve the RNG in a cryptographic or
> > algorithmic sense, rather than a purely compliance one.
>
> Hi, Jason. How do you think we could approach that then?
>
> Are you willing to discuss the FIPS 140-3 requirements that random.c
> doesn't currently meet so we can dive deeper on how we could implement
> them in a way that would improve the kernel other then simply
> providing compliance to FIPS?
>
> I believe that several requirements would be beneficial to random.c
> (ie, health test, oversampling, entropy data collection). But so far
> we lack proper direction on how to proceed and it would be better for
> us to have a clear notion of what could be accepted before putting
> more effort on yet another patch set.
>
> I believe all the distros are interested in making progress on that,
> but without a general guidance it makes very hard for us to
> collaborate and we end up in the current situation in which each
> distro is carrying its own "hack", as Simo mentioned before. Canonical
> is in the same situation as the other distros and we are carrying an
> workaround to wire up the crypto DRBG to random.c in order to archive
> compliance.
>
Hoping that might help with the discussion and to explain why I do
consider those solutions a "hack", that's the patch we've been using
so far to achieve SP 800-90B compliance:
https://kernel.ubuntu.com/~mhcerri/0001-UBUNTU-SAUCE-random-Use-Crypto-API-DRBG-for-urandom-.patch
> We could also concentrate all the discussion in the linux-crypto
> mailing list to facilitate this process, since right now I believe the
> MAINTAINERS file doesn't have a specific mailing list associate to
> random.c
>
> >
> > Hopefully that helps you understand more about where we're coming from.
> >
> > Regards,
> > Jason
>
> --
> Regards,
> Marcelo
>
--
Regards,
Marcelo
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 659 bytes --]
next prev parent reply other threads:[~2022-01-10 13:24 UTC|newest]
Thread overview: 101+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-11-21 16:39 [PATCH v43 00/15] /dev/random - a new approach Stephan Müller
2021-11-21 16:40 ` [PATCH v43 01/15] Linux Random Number Generator Stephan Müller
2021-11-21 17:23 ` Joe Perches
2021-11-21 22:42 ` Jason A. Donenfeld
2021-11-22 5:34 ` Stephan Mueller
2021-11-22 6:02 ` Greg Kroah-Hartman
2021-11-22 6:42 ` Stephan Mueller
2021-11-22 6:55 ` Greg Kroah-Hartman
2021-11-22 15:09 ` Simo Sorce
2021-11-22 21:06 ` Jeffrey Walton
2021-11-23 5:38 ` Stephan Mueller
2021-11-26 15:42 ` Greg Kroah-Hartman
2021-11-22 16:56 ` John Haxby
2021-11-26 15:40 ` Greg Kroah-Hartman
2021-11-22 14:59 ` Simo Sorce
2021-11-26 15:44 ` Greg Kroah-Hartman
2021-11-26 16:15 ` Stephan Mueller
2021-11-26 16:22 ` Greg Kroah-Hartman
2021-11-29 15:31 ` Stephan Mueller
2021-11-29 16:25 ` Greg Kroah-Hartman
2021-11-29 16:50 ` Stephan Mueller
2021-11-30 12:24 ` Jeffrey Walton
2021-11-30 14:04 ` Greg Kroah-Hartman
2021-11-30 14:31 ` Simo Sorce
2021-11-30 15:45 ` Greg Kroah-Hartman
2021-11-30 17:05 ` Willy Tarreau
2021-11-30 17:08 ` Simo Sorce
2021-11-30 18:15 ` Eric Biggers
2021-11-30 18:39 ` Jason A. Donenfeld
2021-11-30 19:41 ` Simo Sorce
2021-12-01 16:02 ` Jason A. Donenfeld
2021-12-01 17:19 ` Simo Sorce
2021-12-01 17:55 ` Boris Krasnovskiy
2021-12-01 18:05 ` Greg Kroah-Hartman
2021-12-01 18:24 ` Jason A. Donenfeld
2021-12-02 0:24 ` Jeffrey Walton
2021-12-02 7:12 ` Greg Kroah-Hartman
2021-12-02 15:50 ` John Haxby
2021-12-01 18:29 ` Jason A. Donenfeld
[not found] ` <BY5PR14MB3416DF44172D8F47D0B078A986689@BY5PR14MB3416.namprd14.prod.outlook.com>
2021-12-01 18:05 ` Greg Kroah-Hartman
2021-12-10 1:43 ` Marcelo Henrique Cerri
2021-12-10 6:46 ` Greg Kroah-Hartman
2021-12-10 9:30 ` Marcelo Henrique Cerri
2021-12-10 9:48 ` Greg Kroah-Hartman
2021-12-10 17:02 ` Simo Sorce
2021-12-11 7:06 ` Willy Tarreau
2021-12-11 8:09 ` Stephan Müller
2021-12-11 8:57 ` Willy Tarreau
2022-01-10 13:23 ` Marcelo Henrique Cerri [this message]
2022-01-10 14:11 ` Jason A. Donenfeld
2022-01-10 14:29 ` Theodore Ts'o
2022-01-10 14:38 ` Jason A. Donenfeld
2022-01-10 17:38 ` Theodore Ts'o
2022-01-10 18:29 ` Eric Biggers
2022-01-10 18:44 ` Jason A. Donenfeld
2022-01-10 19:41 ` Simo Sorce
2022-01-10 20:05 ` Eric Biggers
2022-01-10 19:49 ` Theodore Ts'o
2022-01-10 22:19 ` Jason A. Donenfeld
2022-01-11 1:44 ` Andy Lutomirski
2022-01-11 3:10 ` Theodore Ts'o
2022-01-11 4:04 ` Willy Tarreau
2022-01-11 4:13 ` Matthew Garrett
2022-01-11 10:01 ` Alexander E. Patrakov
[not found] ` <CAN_LGv0CTDi9k=t=TGHvaHZz5YVT+OUEBaRXjP=Xv=kousHY1w@mail.gmail.com>
2022-01-11 17:10 ` Matthew Garrett
2022-01-11 13:16 ` Jason A. Donenfeld
2022-01-11 16:08 ` Theodore Ts'o
2022-01-11 13:06 ` Jason A. Donenfeld
2022-01-11 15:10 ` Andy Lutomirski
2022-01-10 21:38 ` Jason A. Donenfeld
2022-01-10 15:07 ` Marcelo Henrique Cerri
2021-11-30 15:13 ` Jeffrey Walton
2021-11-30 15:39 ` Greg Kroah-Hartman
2021-11-30 7:32 ` Sandy Harris
2021-11-30 7:55 ` Greg Kroah-Hartman
2021-11-30 8:56 ` Stephan Mueller
2021-11-30 9:12 ` Greg Kroah-Hartman
2021-12-04 9:53 ` Sandy Harris
2021-11-22 10:33 ` kernel test robot
2021-11-22 11:47 ` Stephan Mueller
2021-11-25 5:25 ` [kbuild-all] " Chen, Rong A
2021-11-30 2:55 ` Sandy Harris
2021-11-30 6:06 ` Stephan Müller
2021-11-21 16:40 ` [PATCH v43 02/15] LRNG - IRQ entropy source Stephan Müller
2021-11-21 16:40 ` [PATCH v43 03/15] LRNG - sysctls and /proc interface Stephan Müller
2021-11-21 16:41 ` [PATCH v43 04/15] LRNG - allocate one DRNG instance per NUMA node Stephan Müller
2021-11-21 16:42 ` [PATCH v43 05/15] LRNG - CPU entropy source Stephan Müller
2021-11-22 7:09 ` kernel test robot
2021-11-22 11:48 ` Stephan Mueller
2021-11-21 16:42 ` [PATCH v43 06/15] LRNG - add switchable DRNG support Stephan Müller
2021-11-21 16:43 ` [PATCH v43 07/15] LRNG - add common generic hash support Stephan Müller
2021-11-21 16:43 ` [PATCH v43 08/15] crypto: DRBG - externalize DRBG functions for LRNG Stephan Müller
2021-11-21 16:44 ` [PATCH v43 09/15] LRNG - add SP800-90A DRBG extension Stephan Müller
2021-11-21 16:45 ` [PATCH v43 10/15] LRNG - add kernel crypto API PRNG extension Stephan Müller
2021-11-21 16:45 ` [PATCH v43 11/15] crypto: move Jitter RNG header include dir Stephan Müller
2021-11-21 16:46 ` [PATCH v43 12/15] LRNG - add Jitter RNG fast noise source Stephan Müller
2021-11-21 16:46 ` [PATCH v43 13/15] LRNG - add SP800-90B compliant health tests Stephan Müller
2021-11-21 16:47 ` [PATCH v43 14/15] LRNG - add interface for gathering of raw entropy Stephan Müller
2021-11-21 16:47 ` [PATCH v43 15/15] LRNG - add power-on and runtime self-tests Stephan Müller
2021-12-11 15:45 ` [PATCH v43 00/15] /dev/random - a new approach Thomas Schoebel-Theuer
2021-12-11 16:04 ` Willy Tarreau
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220110132349.siplwka7yhe2tmwc@valinor \
--to=marcelo.cerri@canonical.com \
--cc=Jason@zx2c4.com \
--cc=adilger.kernel@dilger.ca \
--cc=alobakin@mailbox.org \
--cc=andy.lavr@gmail.com \
--cc=arnd@arndb.de \
--cc=dan.carpenter@oracle.com \
--cc=darwish.07@gmail.com \
--cc=ebiederm@xmission.com \
--cc=ebiggers@kernel.org \
--cc=fweimer@redhat.com \
--cc=gregkh@linuxfoundation.org \
--cc=jack@suse.cz \
--cc=jhladky@redhat.com \
--cc=john.haxby@oracle.com \
--cc=julia.lawall@inria.fr \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=luto@kernel.org \
--cc=matthias.peter@bsi.bund.de \
--cc=mccann@jhu.edu \
--cc=mjg59@srcf.ucam.org \
--cc=mzxreary@0pointer.de \
--cc=nhorman@redhat.com \
--cc=noloader@gmail.com \
--cc=nstange@suse.de \
--cc=patrakov@gmail.com \
--cc=ptesarik@suse.cz \
--cc=rdunlap@infradead.org \
--cc=rstrode@redhat.com \
--cc=simo@redhat.com \
--cc=smueller@chronox.de \
--cc=tytso@mit.edu \
--cc=vcaputo@pengaru.com \
--cc=w@1wt.eu \
--cc=zachary@baishancloud.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).