Message-ID: <20191002165533.GA18282@roeckx.be>
Date: Wed, 2 Oct 2019 18:55:33 +0200
From: Kurt Roeckx <kurt@...ckx.be>
To: linux-kernel@...r.kernel.org
Cc: Theodore Ts'o <tytso@....edu>
Subject: Stop breaking the CSRNG
Hi,
As OpenSSL, we want cryptographic secure random numbers. Before
getrandom(), Linux never provided a good API for that, both
/dev/random and /dev/urandom have problems. getrandom() fixed
that, so we switched to it where available.
It was possible to combine /dev/random and /dev/urandom, and get
something that worked properly. You could call select() on
/dev/random and know that both were initialized when it returned.
But then select() started returning before /dev/random was
initialized, so that if you switch to /dev/urandom, it's still
uninitialized.
A solution for that was that you could instead read 1 byte from
/dev/random, and then switch to /dev/urandom. But that also stopped
working, /dev/urandom can still be uninitialized when you can read from
/dev/random. So there no longer is a way to wait for /dev/urandom
to be initialized.
As a result of that, we now refuse to use /dev/urandom on recent
kernels, and require the use of getrandom(). (To make this work with
older userspace, this means we need to import all the different
__NR_getrandom defines, and do the system call ourselves.)
But it seems people are now thinking about breaking getrandom() too,
to let it return data when it's not initialized by default. Please
don't.
If you think such a mode is useful for some applications, let them set
a flag, instead of the reverse.
Kurt
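The mail describes two things a userspace library ends up doing: issuing the getrandom() system call directly, with its own copy of the __NR_getrandom numbers, so it works on a libc that predates the wrapper, and distinguishing "the kernel has no getrandom()" from "the CRNG is not seeded yet". The block below is an added illustration of that, not OpenSSL's code. It assumes Linux, uses the raw syscall() interface, and carries a small fallback table of __NR_getrandom values for x86_64, i386, aarch64 and 32-bit ARM for the case where the system headers lack the define; the GRND_NONBLOCK value and the return codes RAND_OK/RAND_UNSUPPORTED/RAND_NOT_SEEDED/RAND_ERROR are this example's own names. Blocking until the pool is initialized is the default, which is the behaviour the mail asks to keep; the non-blocking probe is the opt-in flag the mail suggests for applications that want it.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>

/* Older headers lack __NR_getrandom; supply it for a few architectures.
 * (Assumption of this example: these four values are the only ones carried.) */
#ifndef __NR_getrandom
# if defined(__x86_64__)
#  define __NR_getrandom 318
# elif defined(__i386__)
#  define __NR_getrandom 355
# elif defined(__aarch64__)
#  define __NR_getrandom 278
# elif defined(__arm__)
#  define __NR_getrandom 384
# endif
#endif

/* Flag value from the kernel ABI; defined here in case <sys/random.h> is absent. */
#ifndef GRND_NONBLOCK
# define GRND_NONBLOCK 0x0001
#endif

/* Return codes used by this example. */
enum {
    RAND_OK          =  0,
    RAND_UNSUPPORTED = -1, /* kernel has no getrandom(): ENOSYS, or no syscall number */
    RAND_NOT_SEEDED  = -2, /* CRNG not initialized yet (only with GRND_NONBLOCK) */
    RAND_ERROR       = -3  /* anything else; errno is left set */
};

/* Fill buf[0..len) using the raw system call, forwarding flags.
 * Loops over short reads and EINTR; never falls back to /dev/urandom. */
static int fill_random(unsigned char *buf, size_t len, unsigned int flags)
{
#ifndef __NR_getrandom
    (void)buf; (void)len; (void)flags;
    errno = ENOSYS;
    return RAND_UNSUPPORTED;
#else
    size_t done = 0;
    while (done < len) {
        long n = syscall(__NR_getrandom, buf + done, len - done, flags);
        if (n < 0) {
            if (errno == EINTR)  continue;
            if (errno == ENOSYS) return RAND_UNSUPPORTED;
            if (errno == EAGAIN) return RAND_NOT_SEEDED;
            return RAND_ERROR;
        }
        done += (size_t)n;
    }
    return RAND_OK;
#endif
}

/* Default path: flags == 0, so the call blocks until the CRNG is initialized
 * and then returns fully seeded bytes. This is the behaviour the mail wants kept. */
static int secure_random_bytes(unsigned char *buf, size_t len)
{
    return fill_random(buf, len, 0);
}

/* Opt-in probe: 1 if the CRNG is seeded, 0 if not yet, -1 if getrandom() is
 * unusable. This is the "let them set a flag" mode, not the default. */
static int crng_is_seeded(void)
{
    unsigned char byte;
    int rc = fill_random(&byte, 1, GRND_NONBLOCK);
    if (rc == RAND_OK)         return 1;
    if (rc == RAND_NOT_SEEDED) return 0;
    return -1;
}

int main(void)
{
    unsigned char key[16];
    printf("CRNG seeded (non-blocking probe): %d\n", crng_is_seeded());
    if (secure_random_bytes(key, sizeof key) != RAND_OK) {
        perror("getrandom");
        return 1;
    }
    for (size_t i = 0; i < sizeof key; i++)
        printf("%02x", key[i]);
    printf("\n");
    return 0;
}
```

On a kernel older than 3.17 fill_random() reports RAND_UNSUPPORTED rather than silently reading from a device file, which matches the policy in the mail of refusing /dev/urandom rather than risking unseeded output.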