lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Sat, 17 Oct 2020 20:14:47 -0700
From:   Colm MacCarthaigh <>
To:     "Jason A. Donenfeld" <>
CC:     Jann Horn <>, Willy Tarreau <>,
        "Catangiu, Adrian Costin" <>,
        Andy Lutomirski <>,
        "Theodore Y. Ts'o" <>,
        Eric Biggers <>,
        "open list:DOCUMENTATION" <>,
        kernel list <>,
        "open list:VIRTIO GPU DRIVER" 
        "Graf (AWS), Alexander" <>,
        "Woodhouse, David" <>, <>,
        "Singh, Balbir" <>,
        "Weiss, Radu" <>, <>,
        <>, Jonathan Corbet <>,
        Greg Kroah-Hartman <>,
        "Michael S. Tsirkin" <>,
        Qemu Developers <>,
        KVM list <>,
        Michal Hocko <>,
        "Rafael J. Wysocki" <>,
        Pavel Machek <>,
        Linux API <>
Subject: Re: [PATCH] drivers/virt: vmgenid: add vm generation id driver

On 17 Oct 2020, at 6:24, Jason A. Donenfeld wrote:

> There are a few design goals of notifying userspace: it should be
> fast, because people who are using userspace RNGs are usually doing so
> in the first place to completely avoid syscall overhead for whatever
> high performance application they have - e.g. I recall conversations
> with Colm about his TLS implementation needing to make random IVs
> _really_ fast.

That’s our old friend TLS1.1 in CBC mode, which needs a random 
explicit IV for every record sent. Speed is still a reason at the 
margins in cases like that, but getrandom() is really fast. A stickier 
problem is that getrandom() is not certified for use with every 
compliance standard, and those often dictate precise use of some NIST 
DRBG or NRBG construction. That keeps people proliferating user-space 
RNGs even when speed isn’t as important.

> It should also happen as early as possible, with no
> race or as minimal as possible race window, so that userspace doesn't
> begin using old randomness and then switch over after the damage is
> already done.

+1 to this, and I’d add that anyone making VM snapshots that they plan 
to restore from multiple times really needs to think this through top to 
bottom. The system would likely need to be put in to some kind of 
quiescent state when the snapshot is taken.

> So, anyway, here are a few options with some pros and cons for the
> kernel notifying userspace that its RNG should reseed.
> 1. SIGRND - a new signal. Lol.
> 2. Userspace opens a file descriptor that it can epoll on. Pros are
> that many notification mechanisms already use this. Cons is that this
> requires syscall and might be more racy than we want. Another con is
> that this a new thing for userspace programs to do.

A library like OpenSSL or BoringSSL also has to account for running 
inside a chroot, which also makes this hard.

> Any thoughts on 4c? Is that utterly insane, or does that actually get
> us somewhere close to what we want?

I still like 4c, and as a user-space crypto-person, and a VM person, 
they have a lot of appeal. Alex and Adrian’s replies get into some of 
the sufficiency challenge. But for user-space libraries like the *SSLs, 
the JVMs, and other runtimes where RNGs show up, it could plug in easily 


Powered by blists - more mailing lists