[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20190915084802.GB29771@gardel-login>
Date: Sun, 15 Sep 2019 10:48:02 +0200
From: Lennart Poettering <mzxreary@...inter.de>
To: "Ahmed S. Darwish" <darwish.07@...il.com>
Cc: Linus Torvalds <torvalds@...ux-foundation.org>,
"Theodore Y. Ts'o" <tytso@....edu>,
Andreas Dilger <adilger.kernel@...ger.ca>,
Jan Kara <jack@...e.cz>, Ray Strode <rstrode@...hat.com>,
William Jon McCann <mccann@....edu>,
"Alexander E. Patrakov" <patrakov@...il.com>,
zhangjs <zachary@...shancloud.com>, linux-ext4@...r.kernel.org,
lkml <linux-kernel@...r.kernel.org>
Subject: Re: Linux 5.3-rc8
On So, 15.09.19 09:27, Ahmed S. Darwish (darwish.07@...il.com) wrote:
> On Sun, Sep 15, 2019 at 08:51:42AM +0200, Lennart Poettering wrote:
> > On Sa, 14.09.19 09:30, Linus Torvalds (torvalds@...ux-foundation.org) wrote:
> [...]
> >
> > And please don't break /dev/urandom again. The above code is the ony
> > way I see how we can make /dev/urandom-derived swap encryption safe,
> > and the only way I can see how we can sanely write a valid random seed
> > to disk after boot.
> >
>
> Any hope in making systemd-random-seed(8) credit that "random seed
> from previous boot" file, through RNDADDENTROPY, *by default*?
No. For two reasons:
a) It's way too late. We shouldn't credit entropy from the disk seed
if we cannot update the disk seed with a new one at the same time,
otherwise we might end up crediting the same seed twice on
subsequent reboots (think: user hard powers off a system after we
credited but before we updated), in which case there would not be a
point in doing that at all. Hence, we have to wait until /var is
writable, but that's relatively late during boot. Long afer the
initrd ran, long after iscsi and what not ran. Long after the
network stack is up and so on. In a time where people load root
images from the initrd via HTTPS thats's generally too late to be
useful.
b) Golden images are a problem. There are probably more systems
running off golden images in the wild, than those not running off
them. This means: a random seed on disk is only safe to credit if
it gets purged when the image is distributed to the systems it's
supposed to be used on, because otherwise these systems will all
come up with the very same seed, which makes it useless. So, by
requesting people to explicitly acknowledge that they are aware of
this problem (and either don't use golden images, or safely wipe
the seed off the image before shipping it), by setting the env var,
we protect ourselves from this.
Last time I looked at it most popular distro's live images didn't wipe
the random seed properly before distributing it to users...
This is all documented btw:
https://systemd.io/RANDOM_SEEDS#systemds-support-for-filling-the-kernel-entropy-pool
See point #2.
> I know that by v243, just released 12 days ago, this can be optionally
> done through SYSTEMD_RANDOM_SEED_CREDIT=1. I wonder though if it can
> ever be done by default, just like what the BSDs does... This would
> solve a big part of the current problem.
I think the best approach would be to do this in the boot loader. In
fact systemd does this in its own boot loader (sd-boot): it reads a
seed off the ESP, updates it (via a SHA256 hashed from the old one)
and passes that to the OS. PID 1 very early on then credits this to
the kernel's pool (ideally the kernel would just do this on its own
btw). The trick we employ to make this generally safe is that we
persistently store a "system token" as EFI var too, and include it in
the SHA sum. The "system token" is a per-system random blob. It is
created the first time it's needed and a good random source exists,
and then stays on the system, for all future live images to use. This
makes sure that even if sloppily put together live images are used
(which do not reset any random seed) every system will use a different
series of RNG seeds.
This then solves both problems: the golden image problem, and the
early-on problem. But of course only on ESP. Other systems should be
able to provide similar mechanisms though, it's not rocket science.
This is also documented here:
https://systemd.io/RANDOM_SEEDS#systemds-support-for-filling-the-kernel-entropy-pool
See point #3...
Ideally other boot loaders (grub, …) would support the same scheme,
but I am not sure the problem set is known to them.
Lennart
--
Lennart Poettering, Berlin
Powered by blists - more mailing lists