[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20191226140423.GB3158@mit.edu>
Date: Thu, 26 Dec 2019 09:04:23 -0500
From: "Theodore Y. Ts'o" <tytso@....edu>
To: Stephan Mueller <smueller@...onox.de>
Cc: Andy Lutomirski <luto@...capital.net>,
Andy Lutomirski <luto@...nel.org>,
LKML <linux-kernel@...r.kernel.org>,
Linux API <linux-api@...r.kernel.org>,
Kees Cook <keescook@...omium.org>,
"Jason A. Donenfeld" <Jason@...c4.com>,
"Ahmed S. Darwish" <darwish.07@...il.com>,
Lennart Poettering <mzxreary@...inter.de>,
"Eric W. Biederman" <ebiederm@...ssion.com>,
"Alexander E. Patrakov" <patrakov@...il.com>,
Michael Kerrisk <mtk.manpages@...il.com>,
Willy Tarreau <w@....eu>,
Matthew Garrett <mjg59@...f.ucam.org>,
Ext4 Developers List <linux-ext4@...r.kernel.org>,
linux-man <linux-man@...r.kernel.org>
Subject: Re: [PATCH v3 0/8] Rework random blocking
On Thu, Dec 26, 2019 at 01:03:34PM +0100, Stephan Mueller wrote:
> Agreed. I was just trying to outline that the removal of the blocking_pool is
> a good thing. Even when we decide that random.c should receive a TRNG, we do
> not need to re-add a blocking pool, but can easily use the existing ChaCha20
> DRNG (most likely with its own instance).
Well, it depends on what you mean by "TRNG" --- the ChaCha20 DRNG only
has a state of 256 bits. So if you want to only depend on "true
entropy" you can't extract more than 256 bits without violating that
assumption, at least if you're using a very strict definition of TRNG.
By getting rid of the blocking pool, and making /dev/random work like
getrandom with flags set to 0, we're effectively abandoning any kind
of assertion that /dev/random is some kind of TRNG. This is not
insane; this is what the *BSD's have always done.
But once we do this, and /dev/random takes on the semantics of "block
until the CRNG has been initialized, and then it won't block after
that", if we change it so that it now has some different semantics,
such as "one you extract a 256-bit key, the read from /dev/random will
block until we can refill it, which might take seconds, minutes or
hours", will be considered a regression, and we can't do that.
Of course, we can hope that people will be using getrandom() and there
will be very few new users of the /dev/random pathname. But nothing
is ever guaranteed..
- Ted
Powered by blists - more mailing lists