Re: [kernel-hardening] Re: [PATCH v3 04/13] crypto/rng: ensure that the RNG is ready before using

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Eric Biggers <ebiggers3@gmail.com>
To: "Jason A. Donenfeld" <Jason@zx2c4.com>
Cc: Theodore Ts'o <tytso@mit.edu>,
	Linux Crypto Mailing List <linux-crypto@vger.kernel.org>,
	LKML <linux-kernel@vger.kernel.org>,
	kernel-hardening@lists.openwall.com,
	Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	David Miller <davem@davemloft.net>,
	Herbert Xu <herbert@gondor.apana.org.au>
Subject: Re: [kernel-hardening] Re: [PATCH v3 04/13] crypto/rng: ensure that the RNG is ready before using
Date: Mon, 5 Jun 2017 21:44:04 -0700	[thread overview]
Message-ID: <20170606044404.GA3469@zzz> (raw)
In-Reply-To: <CAHmME9qZUEMDjQGNOBC7PrCTcanOxohVHcED+Xyg_3jR64Q7VQ@mail.gmail.com>

On Tue, Jun 06, 2017 at 05:56:20AM +0200, Jason A. Donenfeld wrote:
> Hey Ted,
> 
> On Tue, Jun 6, 2017 at 5:00 AM, Theodore Ts'o <tytso@mit.edu> wrote:
> > Note that crypto_rng_reset() is called by big_key_init() in
> > security/keys/big_key.c as a late_initcall().  So if we are on a
> > system where the crng doesn't get initialized until during the system
> > boot scripts, and big_key is compiled directly into the kernel, the
> > boot could end up deadlocking.
> >
> > There may be other instances of where crypto_rng_reset() is called by
> > an initcall, so big_key_init() may not be an exhaustive enumeration of
> > potential problems.  But this is an example of why the synchronous
> > API, although definitely much more convenient, can end up being a trap
> > for the unwary....
> 
> Thanks for pointing this out. I'll look more closely into it and see
> if I can figure out a good way of approaching this.

I don't think big_key even needs randomness at init time.  The 'big_key_rng'
could just be removed and big_key_gen_enckey() changed to call
get_random_bytes().  (Or get_random_bytes_wait(), I guess; it's only reachable
via the keyring syscalls.)

It's going to take a while to go through all 217 users of get_random_bytes()
like this, though...  It's really a shame there's no way to guarantee good
randomness at boot time.

Eric

next prev parent reply	other threads:[~2017-06-06  4:44 UTC|newest]

Thread overview: 65+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2017-06-06  0:50 [kernel-hardening] [PATCH v3 00/13] Unseeded In-Kernel Randomness Fixes Jason A. Donenfeld
2017-06-06  0:50 ` Jason A. Donenfeld
2017-06-06  0:50 ` [kernel-hardening] [PATCH v3 01/13] random: add synchronous API for the urandom pool Jason A. Donenfeld
2017-06-06  0:50   ` Jason A. Donenfeld
2017-06-06  0:50 ` [kernel-hardening] [PATCH v3 02/13] random: add get_random_{bytes,u32,u64,int,long,once}_wait family Jason A. Donenfeld
2017-06-06  0:50   ` Jason A. Donenfeld
2017-06-06  5:11   ` [kernel-hardening] " Jeffrey Walton
2017-06-06  5:11     ` Jeffrey Walton
2017-06-06 12:21     ` [kernel-hardening] " Jason A. Donenfeld
2017-06-06 12:21       ` Jason A. Donenfeld
2017-06-06  0:50 ` [kernel-hardening] [PATCH v3 03/13] random: invalidate batched entropy after crng init Jason A. Donenfeld
2017-06-06  0:50   ` Jason A. Donenfeld
2017-06-07 17:42   ` [kernel-hardening] " kbuild test robot
2017-06-07 17:42     ` kbuild test robot
2017-06-07 18:16     ` [kernel-hardening] " Jason A. Donenfeld
2017-06-07 18:16       ` Jason A. Donenfeld
2017-06-06  0:50 ` [kernel-hardening] [PATCH v3 04/13] crypto/rng: ensure that the RNG is ready before using Jason A. Donenfeld
2017-06-06  0:50   ` Jason A. Donenfeld
2017-06-06  3:00   ` [kernel-hardening] " Theodore Ts'o
2017-06-06  3:00     ` Theodore Ts'o
2017-06-06  3:56     ` [kernel-hardening] " Jason A. Donenfeld
2017-06-06  3:56       ` Jason A. Donenfeld
2017-06-06  4:44       ` Eric Biggers [this message]
2017-06-06 12:34         ` [kernel-hardening] " Jason A. Donenfeld
2017-06-06 15:23           ` Jason A. Donenfeld
2017-06-06 17:26             ` Eric Biggers
2017-06-06 17:30               ` Jason A. Donenfeld
2017-06-06 17:03           ` Theodore Ts'o
2017-06-06 17:28             ` Jason A. Donenfeld
2017-06-06 17:57             ` Stephan Müller
2017-06-06 18:01               ` Jason A. Donenfeld
2017-06-06 22:19             ` Henrique de Moraes Holschuh
2017-06-06 23:14               ` Theodore Ts'o
2017-06-07  5:00               ` Stephan Müller
2017-06-07 14:42                 ` Henrique de Moraes Holschuh
2017-06-07 14:42                   ` Henrique de Moraes Holschuh
2017-06-07 21:27                 ` [kernel-hardening] " Theodore Ts'o
2017-06-07 17:00               ` Daniel Micay
2017-06-07 17:26                 ` Mark Rutland
2017-06-08  3:59                   ` Daniel Micay
2017-06-07 17:37             ` Mark Rutland
2017-06-08 12:02       ` Kevin Easton
2017-06-08 12:02         ` Kevin Easton
2017-06-06  0:51 ` [kernel-hardening] [PATCH v3 05/13] security/keys: ensure RNG is seeded before use Jason A. Donenfeld
2017-06-06  0:51   ` Jason A. Donenfeld
2017-06-06 10:08   ` [kernel-hardening] " David Howells
2017-06-06 10:08     ` David Howells
2017-06-06 12:23     ` [kernel-hardening] " Jason A. Donenfeld
2017-06-06 12:23       ` Jason A. Donenfeld
2017-06-06  0:51 ` [kernel-hardening] [PATCH v3 06/13] iscsi: " Jason A. Donenfeld
2017-06-06  0:51   ` Jason A. Donenfeld
2017-06-06  0:51 ` [kernel-hardening] [PATCH v3 07/13] ceph: ensure RNG is seeded before using Jason A. Donenfeld
2017-06-06  0:51   ` Jason A. Donenfeld
2017-06-06  0:51 ` [kernel-hardening] [PATCH v3 08/13] cifs: use get_random_u32 for 32-bit lock random Jason A. Donenfeld
2017-06-06  0:51   ` Jason A. Donenfeld
2017-06-06  0:51 ` [kernel-hardening] [PATCH v3 09/13] rhashtable: use get_random_u32 for hash_rnd Jason A. Donenfeld
2017-06-06  0:51   ` Jason A. Donenfeld
2017-06-06  0:51 ` [kernel-hardening] [PATCH v3 10/13] net/neighbor: use get_random_u32 for 32-bit hash random Jason A. Donenfeld
2017-06-06  0:51   ` Jason A. Donenfeld
2017-06-06  0:51 ` [kernel-hardening] [PATCH v3 11/13] net/route: use get_random_int for random counter Jason A. Donenfeld
2017-06-06  0:51   ` Jason A. Donenfeld
2017-06-06  0:51 ` [kernel-hardening] [PATCH v3 12/13] bluetooth/smp: ensure RNG is properly seeded before ECDH use Jason A. Donenfeld
2017-06-06  0:51   ` Jason A. Donenfeld
2017-06-06  0:51 ` [kernel-hardening] [PATCH v3 13/13] random: warn when kernel uses unseeded randomness Jason A. Donenfeld
2017-06-06  0:51   ` Jason A. Donenfeld

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20170606044404.GA3469@zzz \
    --to=ebiggers3@gmail.com \
    --cc=Jason@zx2c4.com \
    --cc=davem@davemloft.net \
    --cc=gregkh@linuxfoundation.org \
    --cc=herbert@gondor.apana.org.au \
    --cc=kernel-hardening@lists.openwall.com \
    --cc=linux-crypto@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=tytso@mit.edu \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.