lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <dd488736ab86c0e0b2809b4ce30f1827563b52b2.camel@linux.ibm.com>
Date:   Tue, 17 May 2022 15:49:34 -0400
From:   Mimi Zohar <zohar@...ux.ibm.com>
To:     "Jason A. Donenfeld" <Jason@...c4.com>
Cc:     Ahmad Fatoum <a.fatoum@...gutronix.de>,
        James Bottomley <jejb@...ux.ibm.com>,
        Jarkko Sakkinen <jarkko@...nel.org>,
        David Howells <dhowells@...hat.com>, kernel@...gutronix.de,
        Sumit Garg <sumit.garg@...aro.org>,
        Pankaj Gupta <pankaj.gupta@....com>,
        David Gstir <david@...ma-star.at>,
        Michael Walle <michael@...le.cc>,
        John Ernberg <john.ernberg@...ia.se>,
        James Morris <jmorris@...ei.org>,
        "Serge E. Hallyn" <serge@...lyn.com>,
        Horia Geantă <horia.geanta@....com>,
        Herbert Xu <herbert@...dor.apana.org.au>,
        "David S. Miller" <davem@...emloft.net>,
        Jan Luebbe <j.luebbe@...gutronix.de>,
        Eric Biggers <ebiggers@...nel.org>,
        Richard Weinberger <richard@....at>,
        Franck LENORMAND <franck.lenormand@....com>,
        Matthias Schiffer <matthias.schiffer@...tq-group.com>,
        keyrings@...r.kernel.org, linux-crypto@...r.kernel.org,
        linux-integrity@...r.kernel.org, linux-kernel@...r.kernel.org,
        linux-security-module@...r.kernel.org,
        Pascal Van Leeuwen <pvanleeuwen@...imatrix.com>
Subject: Re: [PATCH v10 2/7] KEYS: trusted: allow use of kernel RNG for key
 material

On Tue, 2022-05-17 at 20:30 +0200, Jason A. Donenfeld wrote:
> Hi Mimi,
> 
> On Tue, May 17, 2022 at 02:21:08PM -0400, Mimi Zohar wrote:
> > On Tue, 2022-05-17 at 19:38 +0200, Jason A. Donenfeld wrote:
> > > On Tue, May 17, 2022 at 11:52:55AM -0400, Mimi Zohar wrote:
> > > > On Fri, 2022-05-13 at 16:57 +0200, Ahmad Fatoum wrote:
> > > > >  static int __init init_trusted(void)
> > > > >  {
> > > > > +       int (*get_random)(unsigned char *key, size_t key_len);
> > > > >         int i, ret = 0;
> > > > >  
> > > > >         for (i = 0; i < ARRAY_SIZE(trusted_key_sources); i++) {
> > > > > @@ -322,6 +333,28 @@ static int __init init_trusted(void)
> > > > >                             strlen(trusted_key_sources[i].name)))
> > > > >                         continue;
> > > > >  
> > > > > +               /*
> > > > > +                * We always support trusted.rng="kernel" and "default" as
> > > > > +                * well as trusted.rng=$trusted.source if the trust source
> > > > > +                * defines its own get_random callback.
> > > > > +                */
> > > >  
> > > > While TEE trusted keys support was upstreamed, there was a lot of
> > > > discussion about using kernel RNG.  One of the concerns was lack of or
> > > > insuffiencent entropy during early boot on embedded devices.  This
> > > > concern needs to be clearly documented in both Documentation/admin-
> > > > guide/kernel-parameters.txt and Documentation/security/keys/trusted-
> > > > encrypted.rst.
> > > 
> > > Sounds like FUD. Use `get_random_bytes_wait()`, and you'll be fine.
> > 
> > As per the original discussion, there's also certification requirements
> > [1].
> 
> As per countless conversations on this mailing list -- which I really
> really really hope you will not attempt to drown me in again -- I'm not
> too keen on the certification requirements. Let's just leave that
> conversation there.
> 
> There *is* a cryptographic design reason why you might want certain keys
> generated on a TPM rather than in the kernel though: so that the keys
> can be marked as unexportable and never leave the hardware. In that case
> -- I assume -- the kernel just operates on a handle to the key, rather
> than possessing the key material itself. And this is probably a good
> thing. (On the other hand, people who think the TPM might be backdoored
> may prefer the kernel's open source RNG, which in theory is in a
> position to aggregate entropy from many sources, so that one being
> backdoored isn't a problem. So maybe that's the purpose of having this
> switch?)
> 
> So to the extent that this driver (I haven't looked deeply at it) is
> doing the thing where a TPM generates the key and just returns a
> handle to it, that sounds good. But if actually you're implementing some
> wrapper around a hardware rng, it'd be convenient if there was instead a
> hw_random driver for this, so it can be one of the many sources that the
> kernel rng aggregates.
> 
> Apologies in advance if I've missed the mark here; I'm not very familiar
> with this thread or what it's driving at. If the simple question was
> just "is get_random_bytes_wait() good to use?" the answer is just "yes"
> and I can disappear and stop confusing things. :)

My apologies for your having been brought into this discussion without
having properly reviewed and summarized the previous thread.   As you
saw there is a long history.

Jarrko, Ahmad,  "Trusted" keys, by definition, are based on the TPM
RNG.  If CAAM trusted key support wants to use kernel RNG by default,
that's fine.  However defining and allowing a boot command line option
to use kernel RNG instead of the TPM RNG, needs to be configurable.

thanks,

Mimi

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ