[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <0f9b31b346504d28a908d16884df5e02@AcuMS.aculab.com>
Date: Wed, 23 Mar 2022 11:45:55 +0000
From: David Laight <David.Laight@...LAB.COM>
To: "'Jason A. Donenfeld'" <Jason@...c4.com>
CC: "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
"linux-crypto@...r.kernel.org" <linux-crypto@...r.kernel.org>,
Linus Torvalds <torvalds@...ux-foundation.org>,
Guenter Roeck <linux@...ck-us.net>,
"Dominik Brodowski" <linux@...inikbrodowski.net>,
Theodore Ts'o <tytso@....edu>, "Jann Horn" <jannh@...gle.com>
Subject: RE: [PATCH] random: allow writes to /dev/urandom to influence fast
init
From: Jason A. Donenfeld
> Sent: 23 March 2022 02:51
>
> On Tue, Mar 22, 2022 at 8:16 PM David Laight <David.Laight@...lab.com> wrote:
> > Never mind scripts that try to immediately save a new seedfile [1].
> >
> > What about code run by later startup scripts that wants random numbers.
> > They really do want the seedfile data to be used.
> > If it isn't used then they are likely to get very weak random numbers.
> >
> > You can't really expect startup scripts to be issuing ioctl requests.
>
> To be clear, this "expect[ation]" of yours is very much a new
> expectation. Crediting bits has required an ioctl since forever. Those
> shell scripts have been broken forever. The proposal here is to add new
> behavior to support those old broken shell scripts.
...
I personally won't have expected the behaviour for long!
I was only trying to get a buildroot system to initialise the
random number generator last year.
But I'm sure I read some of the documentation as well as looking
at the scripts and the kernel sources.
The buildroot scripts actually need fixing so they actually
add entropy on older kernel.
I do remember looking at one of the kernel entropy stores
(probably the Linux one) a few years back and thinking
that it was over-complex and probably didn't actually work
that well in reality.
IIRC it saved 'entropy bytes' and the number of bits of entropy
they represented - and then read out enough bytes to get
the required entropy to reseed the PRNG.
Now if your PRNG has N bits of state. In principle at least
after you've output N bits someone can solve the simultaneous
equations and determine the PRNG state.
But as soon as you use a cryptographic hash function that
is not really possible in any reasonable timeframe.
(Is even MD5 that broken?)
But the 'entropy store' can just stir in new bytes and
count the number of entropy bits.
Then it doesn't really care how random the bytes are.
(Apart from an estimation of how 'full' it is.)
Copy bits to the PRNG and you reduce the number of
bits in the entropy store - but continue just stirring
in new data.
I've often wondered whether the RC5 algorithm would
make a good entropy store.
Just cycle the algorithm with each entropy byte as
is done when setting each key byte.
Clearly you don't want to use the RC5 output as random data.
But it ought to be plenty good enough to keep entropy.
The only real problem is that RC5 is pretty horrid on
the data cache, and probably a bit big for per-cpu data.
David
-
Registered Address Lakeside, Bramley Road, Mount Farm, Milton Keynes, MK1 1PT, UK
Registration No: 1397386 (Wales)
Powered by blists - more mailing lists