From: "Theodore Ts'o" <tytso@mit.edu>
To: "Jason A. Donenfeld" <Jason@zx2c4.com>
Cc: Jann Horn <jannh@google.com>, LKML <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH] random: Don't reset crng_init_cnt on urandom_read()
Date: Mon, 3 Jan 2022 11:38:54 -0500
Message-ID: <YdMmnnAkLpk81mYN@mit.edu>
In-Reply-To: <CAHmME9otnT=XeMPGYW5H8TOu9aLxxKi6_gT-Fnvh5Jy+WM-HGA@mail.gmail.com>

On Mon, Jan 03, 2022 at 05:03:57PM +0100, Jason A. Donenfeld wrote:
> On Mon, Jan 3, 2022 at 4:59 PM Jann Horn <jannh@google.com> wrote:
> > This code was inconsistent, and it probably made things worse - just get
> > rid of it.
>
> Rather than adding crng_init_cnt=0 if crng_init<1 to extract_crng_user
> and get_random_bytes, getting rid of it like this seems probably okay
> and makes the model simpler. I'll apply this. Thank you.
Ack. It does mean that we're making a choice that an attacker who is
carrying out an incremental state tracking attack on the CRNG will make
/dev/urandom (and getrandom) emit "less secure" output from the crng in
the period when crng_init is > 0 and < 2. On the other hand, this
allows us to get to the state of crng_init=2 faster, whereas before,
the attacker could delay getting us to the state crng_init=1 forever,
where reads from /dev/urandom would hence be insecure forever (and
getrandom() would block forever).
- Ted
Thread overview:
2022-01-03 15:59 [PATCH] random: Don't reset crng_init_cnt on urandom_read() Jann Horn
2022-01-03 16:03 ` Jason A. Donenfeld
2022-01-03 16:38 ` Theodore Ts'o [this message]
2022-01-03 16:42 ` Jason A. Donenfeld