lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <3851ac8b-357d-3c82-2195-936e3c459212@redhat.com>
Date:   Wed, 2 May 2018 10:49:34 -0700
From:   Laura Abbott <labbott@...hat.com>
To:     "Theodore Y. Ts'o" <tytso@....edu>,
        Justin Forbes <jmforbes@...uxtx.org>,
        Jeremy Cline <jeremy@...ine.org>,
        Sultan Alsawaf <sultanxda@...il.com>,
        Pavel Machek <pavel@....cz>,
        LKML <linux-kernel@...r.kernel.org>, Jann Horn <jannh@...gle.com>
Subject: Re: Linux messages full of `random: get_random_u32 called from`

On 05/02/2018 09:26 AM, Theodore Y. Ts'o wrote:
> On Wed, May 02, 2018 at 07:09:11AM -0500, Justin Forbes wrote:
>> Yes, Fedora libgcrypt is carrying a patch which makes it particularly
>> painful for us, we have reached out to the libgcrypt maintainer to
>> follow up on that end. But as I said before, even without that code
>> path (no dracut-fips) we are seeing some instances of 4 minute boots.
>> This is not really a workable user experience.  And are you sure that
>> every cloud platform and VM platform offers, makes it possible to
>> config virtio-rng?
> 
> Unfortunately, the answer is no.  Google Compute Engine, alas, does
> not currently support virtio-rng.  With my Google hat on, I can't
> comment on future product features.  With my upstream developer hat
> on, I'll give you three guesses what I have been advocating and
> pushing for internally, and the first two don't count.  :-)
> 
> That being said, I just booted a Debian 9 (Stable, aka Stretch)
> standard kernel, and then installed 4.17-rc3 (which has the
> CVE-2018-1108 patches).  The crng_init=2 message doesn't appear
> immediately, and it does appear quite a bit later comapred to
> the standard 4.9.0-6-amd64 Debian 9 kernel.  However, the lack of a
> fully initialized random pool doesn't prevent the standard Debian 9
> image from booting:
> 
> May  2 15:33:42 localhost kernel: [    0.000000] Linux version 4.17.0-rc3-xfstests (tytso@...c) (gcc version 7.3.0 (Debian 7.3.0-16)) #169 SMP Wed May 2 11:28:17 EDT 2018
> May  2 15:33:42 localhost kernel: [    1.456883] random: fast init done
> May  2 15:33:46 rng-testing systemd[1]: Startup finished in 3.202s (kernel) + 5.963s (userspace) = 9.166s.
> May  2 15:33:46 rng-testing google-accounts: INFO Starting Google Accounts daemon.
> May  2 15:44:39 rng-testing kernel: [  661.436664] random: crng init done
> 
> So it really does appear to be something going on with Fedora's
> userspace; can you help try to track down what it is?
> 
> Thanks,
> 
> 						- Ted
> 

It is a Fedora patch we're carrying
https://src.fedoraproject.org/rpms/libgcrypt/blob/master/f/libgcrypt-1.6.2-fips-ctor.patch#_23
so yes, it is a Fedora specific use case.
 From talking to the libgcrypt team, this is a FIPS mode requirement
to run power on self test at the library constructor and the self
test of libgrcypt ends up requiring a fully seeded RNG. Citation
is in section 9.10 of
https://csrc.nist.gov/CSRC/media/Projects/Cryptographic-Module-Validation-Program/documents/fips140-2/FIPS1402IG.pdf

The response was this _could_ be fixed in libgcrypt but it needs
to be done carefully to ensure nothing actually gets broken. So in
the mean time we're stuck with userspace getting blocked whenever
some program decides to use libgcrypt too early.

Thanks,
Laura

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ