linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Sam Hartman <hartmans@debian.org>
To: Thorsten Glaser <tg@mirbsd.de>
Cc: Adrian Bunk <bunk@debian.org>,
	Ben Hutchings <ben@decadent.org.uk>,
	Debian release team <debian-release@lists.debian.org>,
	Debian kernel maintainers <debian-kernel@lists.debian.org>,
	krb5@packages.debian.org, libbsd@packages.debian.org,
	systemd@packages.debian.org,
	Michael Kerrisk <mtk.manpages@gmail.com>,
	"Theodore Ts'o" <tytso@mit.edu>,
	linux-kernel@vger.kernel.org
Subject: Re: Fixing Linux getrandom() in stable
Date: Mon, 14 May 2018 09:05:58 -0400	[thread overview]
Message-ID: <tsld0xygzex.fsf@suchdamage.org> (raw)
In-Reply-To: <Pine.BSM.4.64L.1805132113450.15657@herc.mirbsd.org> (Thorsten Glaser's message of "Sun, 13 May 2018 21:23:39 +0000 (UTC)")

>>>>> "Thorsten" == Thorsten Glaser <tg@mirbsd.de> writes:

    Thorsten> Adrian Bunk dixit:
    >> As an example, what happens if I debootstrap and deploy the
    >> resulting filesytem to a large number of identical embedded
    >> systems without entropy sources?

    Thorsten> Just get into a habit of not doing so, for example by
    Thorsten> modifying the image during each writing process.

I'm sorry, but modifying the image before each write is simply not
realistic.

My company has found that it's easy to get suppliers to deploy a static
image to the storage of appliances we're constructing during the
manufacturing process.
They do not have tools for modifying the image.  We do detect first boot
and do things like change filesystem UUIDs.
Mixing in any entropy we can obtain during the first boot is relatively
easy.  However, very quickly, we're going to need to do things like
generate ssh keys for management and generate a few other public keys.

Similar situations show up in cloud environments.  There you can use
virtio-rng or similar.

However, the fact is that when we design systems, we are constrained by
constraints placed by other parts of the process out of our control.
Delivering an image that is static and that will be deployed onto
multiple systems is something that does happen and it happens because
it's the best design tradeoff available.
It does have security implications, and in fact may decrease security of
random numbers overall.  On the other hand, it can increase security of
code integrity and tends to be associated with design methodologies that
create reproducible environments.

So, you can try and sweep static images under the rug, but all you're
doing is dsmissing people with real problems they need to solve.
It would be much more constructive to acknowledge that people will use
static images, discuss the security implications, solve the problems we
can solve, and document the residual security implications so our users
and the broader community are aware of our limitations.

--Sam

  parent reply	other threads:[~2018-05-14 13:15 UTC|newest]

Thread overview: 7+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
     [not found] <75577b3d2efd01aaf563f1a1400a2c655556b258.camel@decadent.org.uk>
2018-05-13 20:48 ` Fixing Linux getrandom() in stable Adrian Bunk
2018-05-13 21:23   ` Thorsten Glaser
2018-05-14  0:30     ` Theodore Y. Ts'o
2018-05-14  0:50       ` Thorsten Glaser
2018-05-14 13:05     ` Sam Hartman [this message]
2018-05-14  2:11   ` Ben Hutchings
2018-05-22 19:47     ` Adrian Bunk

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=tsld0xygzex.fsf@suchdamage.org \
    --to=hartmans@debian.org \
    --cc=ben@decadent.org.uk \
    --cc=bunk@debian.org \
    --cc=debian-kernel@lists.debian.org \
    --cc=debian-release@lists.debian.org \
    --cc=krb5@packages.debian.org \
    --cc=libbsd@packages.debian.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=mtk.manpages@gmail.com \
    --cc=systemd@packages.debian.org \
    --cc=tg@mirbsd.de \
    --cc=tytso@mit.edu \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).