lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:	Fri, 18 Jul 2014 12:25:17 +0200
From:	Richard Weinberger <richard.weinberger@...il.com>
To:	"Theodore Ts'o" <tytso@....edu>
Cc:	LKML <linux-kernel@...r.kernel.org>, linux-abi@...r.kernel.org,
	linux-crypto@...r.kernel.org, beck@...nbsd.org,
	deraadt@....openbsd.org
Subject: Re: [PATCH, RFC -v3] random: introduce getrandom(2) system call

On Fri, Jul 18, 2014 at 11:59 AM, Theodore Ts'o <tytso@....edu> wrote:
> The getrandom(2) system call was requested by the LibreSSL Portable
> developers.  It is analoguous to the getentropy(2) system call in
> OpenBSD.
>
> The rationale of this system call is to provide resiliance against
> file descriptor exhaustion attacks, where the attacker consumes all
> available file descriptors, forcing the use of the fallback code where
> /dev/[u]random is not available.  Since the fallback code is often not
> well-tested, it is better to eliminate this potential failure mode
> entirely.
>
> The other feature provided by this new system call is the ability to
> request randomness from the /dev/urandom entropy pool, but to block
> until at least 128 bits of entropy has been accumulated in the
> /dev/urandom entropy pool.  Historically, the emphasis in the
> /dev/urandom development has been to ensure that urandom pool is
> initialized as quickly as possible after system boot, and preferably
> before the init scripts start execution.
>
> This is because changing /dev/urandom reads to block represents an
> interface change that could potentially break userspace which is not
> acceptable.  In practice, on most x86 desktop and server systems, in
> general the entropy pool can be initialized before it is needed (and
> in modern kernels, we will printk a warning message if not).  However,
> on an embedded system, this may not be the case.  And so with this new
> interface, we can provide the functionality of blocking until the
> urandom pool has been initialized.  Any userspace program which uses
> this new functionality must take care to assure that if it is used
> during the boot process, that it will not cause the init scripts or
> other portions of the system startup to hang indefinitely.
>
> SYNOPSIS
>         #include <linux/random.h>
>
>         int getrandom(void *buf, size_t buflen, unsigned int flags);
>
> DESCRIPTION
>         The system call getrandom() fills the buffer pointed to by buf
>         with up to buflen random bytes which can be used to seed user
>         space random number generators (i.e., DRBG's) or for other
>         cryptographic processes.  It should not be used Monte Carlo
>         simulations or for other probabilistic sampling applications.
>
>         If the GRND_RANDOM flags bit is set, then draw from the
>         /dev/random pool instead of the /dev/urandom pool.  The
>         /dev/random pool is limited based on the entropy that can be
>         obtained from environmental noise, so if there is insufficient
>         entropy, the requested number of bytes may not be returned.
>         If there is no entropy available at all, getrandom(2) will
>         either block, or return an error with errno set to EAGAIN if
>         the GRND_NONBLOCK bit is set in flags.
>
>         If the GRND_RANDOM bit is not set, then the /dev/urandom pool
>         will be used.  Unlike using read(2) to fetch data from
>         /dev/urandom, if the urandom pool has not been sufficiently
>         initialized, getrandom(2) will block or return -1 with the
>         errno set to EGAIN if the GRND_NONBLOCK bit is set in flags.
>
>         The getentropy(2) system call in OpenBSD can be emulated using
>         the following function:
>
>             int getentropy(void *buf, size_t buflen)
>             {
>                     int     ret;
>
>                     if (buflen > 256)
>                             goto failure;
>
>                     ret = getrandom(buf, buflen, 0);
>                     if (ret < 0)
>                             return ret;
>                     if (ret != buflen)

A small nit-pick, missing "{".

>                     failure:
>                             errno = EIO;
>                             return -1;
>                     }
>                     return 0;
>             }
>
> RETURN VALUE
>        On success, the number of bytes that was filled in the buf is
>        returned.  This may not be all the bytes requested by the
>        caller via buflen if insufficient entropy was present in the
>        /dev/random pool, or if the system call was interrupted by a
>        signal.
>
>        On error, -1 is returned, and errno is set appropriately.
>
> ERRORS
>         EINVAL          An invalid flag was passed to getrandom(2)
>
>         EFAULT          buf is outside the accessible address space.
>
>         EAGAIN          The requested entropy was not available, and the
>                         getentropy(2) would have blocked if GRND_BLOCK flag
>                         was set.
>
>         EINTR           While blocked waiting for entropy, the call was
>                         interrupted by a signal handler; see the description
>                         of how interrupted read(2) calls on "slow" devices
>                         are handled with and without the SA_RESTART flag
>                         in the signal(7) man page.
>
> NOTES
>         For small requests (buflen <= 256) getrandom(2) will not
>         return EINTR when reading from the urandom pool once the
>         entropy pool has been initialized, and it will return all of
>         the bytes that have been requested.  This is the recommended
>         way to use getrandom(2), and is designed for compatibility
>         with OpenBSD's getentropy() system call.
>
>         However, if you are using GRND_RANDOM, then getrandom(2) may
>         block until the entropy accounting determines that sufficient
>         environmental noise has been gathered such that getrandom(2)
>         will be operating as a NRBG instead of a DRBG for those people
>         who are working in the NIST SP 800-90 regime.  Since it may
>         block for a long time, these guarantees do *not* apply.  The
>         user may want to interrupt a hanging process using a signal,
>         so blocking until all of the requested bytes are returned
>         would be unfriendly.
>
>         For this reason, the user of getrandom(2) MUST always check
>         the return value, in case it returns some error, or if fewer
>         bytes than requested was returned.  In the case of
>         !GRND_RANDOM and small request, the latter should never
>         happen, but the careful userspace code (and all crypto code
>         should be careful) should check for this anyway!
>
> Signed-off-by: Theodore Ts'o <tytso@....edu>
> Reviewed-by: Zach Brown <zab@...bo.net>
> ---
>
> The change in the v3 version of the commit was to eliminate potential
> short reads and EINTR returns when reading from urandom (once the
> urandom pool is initialized).  This was based on comments and requests
> from Theo de Raadt.  See the NOTES section in the suggested man page for
> a more in-depth discussion of the issues involved.
>
>  arch/x86/syscalls/syscall_32.tbl  |  1 +
>  arch/x86/syscalls/syscall_64.tbl  |  1 +
>  drivers/char/random.c             | 42 ++++++++++++++++++++++++++++++++++++---
>  include/linux/syscalls.h          |  3 +++
>  include/uapi/asm-generic/unistd.h |  4 +++-
>  include/uapi/linux/random.h       |  9 +++++++++
>  6 files changed, 56 insertions(+), 4 deletions(-)
>
> diff --git a/arch/x86/syscalls/syscall_32.tbl b/arch/x86/syscalls/syscall_32.tbl
> index d6b8679..f484e39 100644
> --- a/arch/x86/syscalls/syscall_32.tbl
> +++ b/arch/x86/syscalls/syscall_32.tbl
> @@ -360,3 +360,4 @@
>  351    i386    sched_setattr           sys_sched_setattr
>  352    i386    sched_getattr           sys_sched_getattr
>  353    i386    renameat2               sys_renameat2
> +354    i386    getrandom               sys_getrandom
> diff --git a/arch/x86/syscalls/syscall_64.tbl b/arch/x86/syscalls/syscall_64.tbl
> index ec255a1..6705032 100644
> --- a/arch/x86/syscalls/syscall_64.tbl
> +++ b/arch/x86/syscalls/syscall_64.tbl
> @@ -323,6 +323,7 @@
>  314    common  sched_setattr           sys_sched_setattr
>  315    common  sched_getattr           sys_sched_getattr
>  316    common  renameat2               sys_renameat2
> +317    common  getrandom               sys_getrandom
>
>  #
>  # x32-specific system call numbers start at 512 to avoid cache impact
> diff --git a/drivers/char/random.c b/drivers/char/random.c
> index aa22fe5..91dd57e 100644
> --- a/drivers/char/random.c
> +++ b/drivers/char/random.c
> @@ -258,6 +258,8 @@
>  #include <linux/kmemcheck.h>
>  #include <linux/workqueue.h>
>  #include <linux/irq.h>
> +#include <linux/syscalls.h>
> +#include <linux/completion.h>
>
>  #include <asm/processor.h>
>  #include <asm/uaccess.h>
> @@ -469,6 +471,8 @@ static struct entropy_store nonblocking_pool = {
>                                         push_to_pool),
>  };
>
> +static DECLARE_COMPLETION(urandom_initialized);
> +
>  static __u32 const twist_table[8] = {
>         0x00000000, 0x3b6e20c8, 0x76dc4190, 0x4db26158,
>         0xedb88320, 0xd6d6a3e8, 0x9b64c2b0, 0xa00ae278 };
> @@ -657,6 +661,7 @@ retry:
>                 r->entropy_total = 0;
>                 if (r == &nonblocking_pool) {
>                         prandom_reseed_late();
> +                       complete_all(&urandom_initialized);
>                         pr_notice("random: %s pool is initialized\n", r->name);
>                 }
>         }
> @@ -1174,13 +1179,14 @@ static ssize_t extract_entropy_user(struct entropy_store *r, void __user *buf,
>  {
>         ssize_t ret = 0, i;
>         __u8 tmp[EXTRACT_SIZE];
> +       int large_request = (nbytes > 256);
>
>         trace_extract_entropy_user(r->name, nbytes, ENTROPY_BITS(r), _RET_IP_);
>         xfer_secondary_pool(r, nbytes);
>         nbytes = account(r, nbytes, 0, 0);
>
>         while (nbytes) {
> -               if (need_resched()) {
> +               if (large_request && need_resched()) {
>                         if (signal_pending(current)) {
>                                 if (ret == 0)
>                                         ret = -ERESTARTSYS;
> @@ -1355,7 +1361,7 @@ static int arch_random_refill(void)
>  }
>
>  static ssize_t
> -random_read(struct file *file, char __user *buf, size_t nbytes, loff_t *ppos)
> +_random_read(int nonblock, char __user *buf, size_t nbytes)
>  {
>         ssize_t n;
>
> @@ -1379,7 +1385,7 @@ random_read(struct file *file, char __user *buf, size_t nbytes, loff_t *ppos)
>                 if (arch_random_refill())
>                         continue;
>
> -               if (file->f_flags & O_NONBLOCK)
> +               if (nonblock)
>                         return -EAGAIN;
>
>                 wait_event_interruptible(random_read_wait,
> @@ -1391,6 +1397,12 @@ random_read(struct file *file, char __user *buf, size_t nbytes, loff_t *ppos)
>  }
>
>  static ssize_t
> +random_read(struct file *file, char __user *buf, size_t nbytes, loff_t *ppos)
> +{
> +       return _random_read(file->f_flags & O_NONBLOCK, buf, nbytes);
> +}
> +
> +static ssize_t
>  urandom_read(struct file *file, char __user *buf, size_t nbytes, loff_t *ppos)
>  {
>         int ret;
> @@ -1533,6 +1545,30 @@ const struct file_operations urandom_fops = {
>         .llseek = noop_llseek,
>  };
>
> +SYSCALL_DEFINE3(getrandom, char __user *, buf, size_t, count,
> +               unsigned int, flags)
> +{
> +       int r;
> +
> +       if (flags & ~(GRND_NONBLOCK|GRND_RANDOM))
> +               return -EINVAL;
> +
> +       if (count > INT_MAX)
> +               count = INT_MAX;
> +
> +       if (flags & GRND_RANDOM)
> +               return _random_read(flags & GRND_NONBLOCK, buf, count);
> +       if (flags & GRND_NONBLOCK) {
> +               if (!completion_done(&urandom_initialized))
> +                       return -EAGAIN;
> +       } else {
> +               r = wait_for_completion_interruptible(&urandom_initialized);
> +               if (r)
> +                       return r;
> +       }
> +       return urandom_read(NULL, buf, count, NULL);
> +}
> +
>  /***************************************************************
>   * Random UUID interface
>   *
> diff --git a/include/linux/syscalls.h b/include/linux/syscalls.h
> index b0881a0..cd82f72f 100644
> --- a/include/linux/syscalls.h
> +++ b/include/linux/syscalls.h
> @@ -866,4 +866,7 @@ asmlinkage long sys_process_vm_writev(pid_t pid,
>  asmlinkage long sys_kcmp(pid_t pid1, pid_t pid2, int type,
>                          unsigned long idx1, unsigned long idx2);
>  asmlinkage long sys_finit_module(int fd, const char __user *uargs, int flags);
> +asmlinkage long sys_getrandom(char __user * buf, size_t count,
> +                             unsigned int flags);
> +
>  #endif
> diff --git a/include/uapi/asm-generic/unistd.h b/include/uapi/asm-generic/unistd.h
> index 3336406..2926b1d 100644
> --- a/include/uapi/asm-generic/unistd.h
> +++ b/include/uapi/asm-generic/unistd.h
> @@ -699,9 +699,11 @@ __SYSCALL(__NR_sched_setattr, sys_sched_setattr)
>  __SYSCALL(__NR_sched_getattr, sys_sched_getattr)
>  #define __NR_renameat2 276
>  __SYSCALL(__NR_renameat2, sys_renameat2)
> +#define __NR_getrandom 277
> +__SYSCALL(__NR_getrandom, sys_getrandom)
>
>  #undef __NR_syscalls
> -#define __NR_syscalls 277
> +#define __NR_syscalls 278
>
>  /*
>   * All syscalls below here should go away really,
> diff --git a/include/uapi/linux/random.h b/include/uapi/linux/random.h
> index fff3528..3f93d16 100644
> --- a/include/uapi/linux/random.h
> +++ b/include/uapi/linux/random.h
> @@ -40,4 +40,13 @@ struct rand_pool_info {
>         __u32   buf[0];
>  };
>
> +/*
> + * Flags for getrandom(2)
> + *
> + * GRND_NONBLOCK       Don't block and return EAGAIN instead
> + * GRND_RANDOM         Use the /dev/random pool instead of /dev/urandom
> + */
> +#define GRND_NONBLOCK  0x0001
> +#define GRND_RANDOM    0x0002
> +
>  #endif /* _UAPI_LINUX_RANDOM_H */
> --
> 2.0.0
>
> --
> To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
> the body of a message to majordomo@...r.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> Please read the FAQ at  http://www.tux.org/lkml/



-- 
Thanks,
//richard
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists