[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20190916230217.vmgvsm6o2o4uq5j7@srcf.ucam.org>
Date: Tue, 17 Sep 2019 00:02:18 +0100
From: Matthew Garrett <mjg59@...f.ucam.org>
To: Linus Torvalds <torvalds@...ux-foundation.org>
Cc: "Theodore Y. Ts'o" <tytso@....edu>, Willy Tarreau <w@....eu>,
Vito Caputo <vcaputo@...garu.com>,
"Ahmed S. Darwish" <darwish.07@...il.com>,
Lennart Poettering <mzxreary@...inter.de>,
Andreas Dilger <adilger.kernel@...ger.ca>,
Jan Kara <jack@...e.cz>, Ray Strode <rstrode@...hat.com>,
William Jon McCann <mccann@....edu>,
"Alexander E. Patrakov" <patrakov@...il.com>,
zhangjs <zachary@...shancloud.com>, linux-ext4@...r.kernel.org,
lkml <linux-kernel@...r.kernel.org>
Subject: Re: Linux 5.3-rc8
On Mon, Sep 16, 2019 at 10:44:31AM -0700, Linus Torvalds wrote:
> - admit that the current situation actually causes problems, and has
> _existing_ bugs.
>
> - throw it out the window, with the timeout and big BIG warning when
> the problem cases trigger
The semantics many people want for secure key generation is urandom, but
with a guarantee that it's seeded. getrandom()'s default behaviour at
present provides that, and as a result it's used for a bunch of key
generation. Changing the default (even with kernel warnings) seems like
it risks people generating keys from an unseeded prng, and that seems
like a bad thing?
It's definitely unfortunate that getrandom() doesn't have a GRND_URANDOM
flag that would make it useful for the "I want some vaguely random
numbers but I don't care that much and I don't necessarily have access
to /dev/urandom" case, but at the moment we have no way of
distinguishing between applications that are making this call because
they want the semantics of urandom but need it to be seeded (which is
one of the usecases getrandom() was introduced for in the first place)
and applications that are making this call because it was convenient and
the kernel usually ended up generating enough entropy in the first
place. Given the ambiguity, I don't see an easy way to solve for the
latter without breaking the former - and that could have some *very* bad
outcomes.
--
Matthew Garrett | mjg59@...f.ucam.org
Powered by blists - more mailing lists