[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <01000163186628e6-3fe4abfc-eaaf-470c-90c8-2d8ad91db8f1-000000@email.amazonses.com>
Date: Mon, 30 Apr 2018 21:12:18 +0000
From: Jeremy Cline <jeremy@...ine.org>
To: "Theodore Y. Ts'o" <tytso@....edu>,
Sultan Alsawaf <sultanxda@...il.com>,
Pavel Machek <pavel@....cz>, linux-kernel@...r.kernel.org,
Jann Horn <jannh@...gle.com>
Subject: Re: Linux messages full of `random: get_random_u32 called from`
On 04/29/2018 06:05 PM, Theodore Y. Ts'o wrote:
> On Sun, Apr 29, 2018 at 01:20:33PM -0700, Sultan Alsawaf wrote:
>> On Sun, Apr 29, 2018 at 08:41:01PM +0200, Pavel Machek wrote:
>>> Umm. No. https://www.youtube.com/watch?v=xneBjc8z0DE
>>
>> Okay, but /dev/urandom isn't a solution to this problem because it isn't usable
>> until crng init is complete, so it suffers from the same init lag as
>> /dev/random.
>
> It's more accurate to say that using /dev/urandom is no worse than
> before (from a few years ago). There are, alas, plenty of
> distributions and user space application programmers that basically
> got lazy using /dev/urandom, and assumed that there would be plenty of
> entropy during early system startup.
>
> When they switched over the getrandom(2), the most egregious examples
> of this caused pain (and they got fixed), but due to a bug in
> drivers/char/random.c, if getrandom(2) was called after the entropy
> pool was "half initialized", it would not block, but proceed.
>
> Is that exploitable? Well, Jann and I didn't find an _obvious_ way to
> exploit the short coming, which is this wasn't treated like an
> emergency situation ala the embarassing situation we had five years
> ago[1].
>
> [1] https://factorable.net/paper.html
>
> However, it was enough to make us be uncomfortable, which is why I
> pushed the changes that I did. At least on the devices we had at
> hand, using the distributions that we typically use, the impact seemed
> minimal. Unfortuantely, there is no way to know for sure without
> rolling out change and seeing who screams. In the ideal world,
> software would not require cryptographic randomness immediately after
> boot, before the user logs in. And ***really***, as in [1], softwaret
> should not be generating long-term public keys that are essential to
> the security of the box a few seconds immediately after the device is
> first unboxed and plugged in.i
>
> What would be useful is if people gave reports that listed exactly
> what laptop and distributions they are using. Just "a high spec x86
> laptop" isn't terribly useful, because *my* brand-new Dell XPS 13
> running Debian testing is working just fine. The year, model, make,
> and CPU type plus what distribution (and distro version number) you
> are running is useful, so I can assess how wide spread the unhappiness
> is going to be, and what mitigation steps make sense.
Fedora has started seeing some bug reports on this for Fedora 27[0] and
I've asked reporters to include their hardware details.
[0] https://bugzilla.redhat.com/show_bug.cgi?id=1572944
Regards,
Jeremy
Powered by blists - more mailing lists