[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <201109071728.31162.sgrubb@redhat.com>
Date: Wed, 7 Sep 2011 17:28:30 -0400
From: Steve Grubb <sgrubb@...hat.com>
To: Sasha Levin <levinsasha928@...il.com>
Cc: "Ted Ts'o" <tytso@....edu>, Jarod Wilson <jarod@...hat.com>,
linux-crypto@...r.kernel.org, Matt Mackall <mpm@...enic.com>,
Neil Horman <nhorman@...hat.com>,
Herbert Xu <herbert.xu@...hat.com>,
Stephan Mueller <stephan.mueller@...ec.com>,
lkml <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH] random: add blocking facility to urandom
On Wednesday, September 07, 2011 05:10:27 PM Sasha Levin wrote:
> > > > > Something similar probably happens for getting junk on disks before
> > > > > creating an encrypted filesystem on top of them.
> > > >
> > > > During system install, this sysctl is not likely to be applied.
> > >
> > > It may happen at any time you need to create a new filesystem, which
> > > won't necessarily happen during system install.
> > >
> > > See for example the instructions on how to set up a LUKS filesystem:
> > > https://wiki.archlinux.org/index.php/System_Encryption_with_LUKS#Prepar
> > > atio n_and_mapping
> >
> > Those instructions might need to be changed. That is one way of many to
> > get random numbers on the disk. Anyone really needing the security to
> > have the sysctl on will also probably accept that its doing its job and
> > keeping the numbers random. Again, no effect unless you turn it on.
>
> There are bunch of other places that would need to be changed in that
> case :)
>
> Why not implement it as a user mode CUSE driver that would
> wrap /dev/urandom and make it behave any way you want to? why push it
> into the kernel?
For one, auditing does not work for FUSE or things like that. We have to be able to
audit who is using what. Then there are the FIPS-140 requirements and this will spread
it. There are problems sending crypto audit events from user space, too.
-Steve
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists