[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CAHmME9oa_wE8_n8e5b=iM5v-s5dgyibm4vXMhwzc8zGd6VWZMQ@mail.gmail.com>
Date: Thu, 24 Feb 2022 01:54:54 +0100
From: "Jason A. Donenfeld" <Jason@...c4.com>
To: Eric Biggers <ebiggers@...nel.org>
Cc: linux-kernel@...r.kernel.org, linux-crypto@...r.kernel.org,
qemu-devel@...gnu.org, kvm@...r.kernel.org,
linux-s390@...r.kernel.org, adrian@...ity.io, dwmw@...zon.co.uk,
acatan@...zon.com, graf@...zon.com, colmmacc@...zon.com,
sblbir@...zon.com, raduweis@...zon.com, jannh@...gle.com,
gregkh@...uxfoundation.org, tytso@....edu
Subject: Re: [PATCH RFC v1 1/2] random: add mechanism for VM forks to
reinitialize crng
On 2/24/22, Eric Biggers <ebiggers@...nel.org> wrote:
> I think we should be removing cases where the base_crng key is changed
> directly
> besides extraction from the input_pool, not adding new ones. Why not
> implement
> this as add_device_randomness() followed by crng_reseed(force=true), where
> the
> 'force' argument forces a reseed to occur even if the entropy_count is too
> low?
Because that induces a "premature next" condition which can let that
entropy, potentially newly acquired by a storm of IRQs at power-on, be
bruteforced by unprivileged userspace. I actually had it exactly the
way you describe at first, but decided that this here is the lesser of
evils and doesn't really complicate things the way an intentional
premature next would. The only thing we care about here is branching
the crng stream, and so this does explicitly that, without having to
interfere with how we collect entropy. Of course we *also* add it as
non-credited "device randomness" so that it's part of the next
reseeding, whenever that might occur.
Powered by blists - more mailing lists