lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-Id: <1648138746.2zrnsqdlu7.none@localhost>
Date:   Thu, 24 Mar 2022 12:28:56 -0400
From:   "Alex Xu (Hello71)" <alex_y_xu@...oo.ca>
To:     Jann Horn <jannh@...gle.com>,
        "Jason A. Donenfeld" <Jason@...c4.com>,
        Dominik Brodowski <linux@...inikbrodowski.net>,
        Guenter Roeck <linux@...ck-us.net>,
        Linus Torvalds <torvalds@...ux-foundation.org>,
        Theodore Ts'o <tytso@....edu>
Cc:     Linux Crypto Mailing List <linux-crypto@...r.kernel.org>,
        LKML <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH] random: allow writes to /dev/urandom to influence fast
 init

Excerpts from Jason A. Donenfeld's message of March 23, 2022 11:18 pm:
> Hi all,
> 
> [...]
>
> In light of that conclusion, I'm going to work with every userspace
> downstream I can find to help them fix their file-based seeding, if it
> has bugs. I've started talking with the buildroot folks, and then I'll
> speak with the OpenRC people (being a Gentoo dev, that should be easy
> going). Systemd does the right thing already.
> 
> I wrote a little utility for potential inclusion in
> busybox/util-linux/whatever when it matures beyond its current age of
> being half hour old:
> - https://git.zx2c4.com/seedrng/about/
> - https://git.zx2c4.com/seedrng/tree/seedrng.c
> So I'll see what the buildroot people think of this and take it from there.
> 
> The plus side of doing all this is that, if the efforts pan out, it
> means there'll actually be proper seeding on devices that don't
> currently do that, which then might lead to a better ecosystem and
> less boot time blocking and all that jazz.
> 
> Jason
> 

The issue, in systemd developers' opinion, is that counting seed file 
towards entropy initialization potentially causes repeated RNG output if 
a system is cloned without resetting the seed file. This is discussed at 
length in https://github.com/systemd/systemd/pull/4513. A few years ago, 
I wrote most of a program to check machine ID, disk ID, DMI ID, and some 
other things in order to avoid this issue. Since then, systemd decided 
to store the random seed in EFI variables, I assume on the basis that 
machine cloning typically does not clone the EFI variables? In my 
opinion, since the same argument applies to machine ID, ssh keys, and 
any other persistent cryptographic (or even non-cryptographic) material, 
this falls outside the scope of random seeding and into a general 
machine cloning "sysprep"-like utility.

Cheers,
Alex.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ