From: "Yann E. MORIN" <yann.morin.1998@free.fr>
To: "Jason A. Donenfeld" <Jason@zx2c4.com>
Cc: buildroot@buildroot.org,
"Christoph Müllner" <christoph.muellner@theobroma-systems.com>
Subject: Re: [Buildroot] [PATCH] package/urandom-scripts: hash old seed with new seed when saving
Date: Wed, 23 Mar 2022 10:13:36 +0100 [thread overview]
Message-ID: <20220323091336.GL1566358@scaer> (raw)
In-Reply-To: <20220323035233.140997-1-Jason@zx2c4.com>
Jason, All,
On 2022-03-22 21:52 -0600, Jason A. Donenfeld spake thusly:
> Writing into /dev/urandom doesn't actually credit any entropy bits. And
> while it adds that data to the entropy pool, it won't actually be
> immediately used when reading from /dev/urandom subsequently. This is
> how the kernel's /dev/urandom has always worked, unfortunately.
Thanks for this patch. I will blindly trust whatever you state about the
kernel RNG.
https://www.zx2c4.com/projects/linux-rng-5.17-5.18/
Still, I have a few comments about this change, see below...
> As a result of this behavior, which may be understandably surprising to
> you, writing a good seed file into /dev/urandom and then saving a new
s/to you//
(no "personal" address in a commit message)
> seed file immediately after is dangerous, because the new seed file may
> wind up being entirely deterministic, even if the old seed file was
> quite good.
>
> I fixed this in systemd with
s/I fixed this/This has been fixed/
(but "we" as you used later is ok)
[--SNIP--]
> As a final note, while this commit improves upon the status quo by
> removing a vulnerability, this shell script still does not actually
> initialize the RNG like it says it does. For initialization via a seed
> file, the RNDADDENTROPY ioctl must be used.
Is there a way to do that within a shell script? If so, would you be
kind enough to send a followup patch, please?
> Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
> ---
> package/urandom-scripts/S20urandom | 30 +++++++++++-------------------
> 1 file changed, 11 insertions(+), 19 deletions(-)
>
> diff --git a/package/urandom-scripts/S20urandom b/package/urandom-scripts/S20urandom
> index e4fd125721..f971ea905a 100644
> --- a/package/urandom-scripts/S20urandom
> +++ b/package/urandom-scripts/S20urandom
[--SNIP--]
> @@ -44,7 +34,9 @@ save_random_seed() {
> if touch "$URANDOM_SEED" 2> /dev/null; then
> old_umask=$(umask)
> umask 077
> - dd if=/dev/urandom of="$URANDOM_SEED" bs="$pool_size" count=1 2> /dev/null
> + dd if=/dev/urandom of="$URANDOM_SEED.new" bs="$pool_size" count=1 2> /dev/null
> + cat "$URANDOM_SEED" "$URANDOM_SEED.new" 2>/dev/null | sha256sum | cut -d ' ' -f 1 > "$URANDOM_SEED"
$ shellcheck package/urandom-scripts/S20urandom
In package/urandom-scripts/S20urandom line 38:
cat "$URANDOM_SEED" "$URANDOM_SEED.new" 2>/dev/null | sha256sum | cut -d ' ' -f 1 > "$URANDOM_SEED"
^-------------^ SC2094: Make sure not to read and write the same file in the same pipeline.
> + rm "$URANDOM_SEED.new"
> status=$?
This status now only gets the result of the 'rm', which is not very
interesting. I guess what we really need is whether the initial 'dd'
that extracts from the pool succeeded. If that fails, then we should
probably not update the saved seed, should we?
Here's what I suggest instead:
save_random_seed() {
printf 'Saving random seed: '
status=1
if touch "$URANDOM_SEED" 2> /dev/null; then
old_umask=$(umask)
umask 077
dd if=/dev/urandom of="$URANDOM_SEED.tmp" bs="$pool_size" count=1 2> /dev/null
new_seed_len="$(wc -c "$URANDOM_SEED.tmp" 2> /dev/null |cut -d ' ' -f 1)"
if [ "$new_seed_len" -eq "$pool_size" ]; then
cat "$URANDOM_SEED" "$URANDOM_SEED.tmp" 2>/dev/null \
| sha256sum \
| cut -d ' ' -f 1 > "$URANDOM_SEED.new"
mv "$URANDOM_SEED.new" "$URANDOM_SEED"
echo "OK"
status=0
else
echo "FAIL"
fi
rm -f "$URANDOM_SEED.tmp"
umask "$old_umask"
else
echo "SKIP (read-only file system detected)"
fi
return "$status"
}
What do you think about that? Since this is a bit critical, I did not
want to just do that change when applying.
I do note that urandom should always return something, but this script
will also need to work on older kernels, sometimes way back to oldish
3.x series, and my recollection of how urandom worked back then is a bit
fuzzy. Are we sure it will always have returned enough? If so, then we
can ditch the sanity check altogether.
But then, if we failed to read anything from urandom, we'd just hash the
old seed, which should not decrease the entropy it had, as the hash has
the same size as the seed.
Thoughts?
Regards,
Yann E. MORIN.
> umask "$old_umask"
> if [ "$status" -eq 0 ]; then
> --
> 2.35.1
>
> _______________________________________________
> buildroot mailing list
> buildroot@buildroot.org
> https://lists.buildroot.org/mailman/listinfo/buildroot
--
.-----------------.--------------------.------------------.--------------------.
| Yann E. MORIN | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software Designer | \ / CAMPAIGN | ___ |
| +33 561 099 427 `------------.-------: X AGAINST | \e/ There is no |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL | v conspiracy. |
'------------------------------^-------^------------------^--------------------'
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
next prev parent reply other threads:[~2022-03-23 9:13 UTC|newest]
Thread overview: 29+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-03-23 3:52 [Buildroot] [PATCH] package/urandom-scripts: hash old seed with new seed when saving Jason A. Donenfeld
2022-03-23 5:10 ` Jason A. Donenfeld
2022-03-23 8:43 ` Nicolas Cavallari
2022-03-23 9:13 ` Yann E. MORIN [this message]
2022-03-23 13:39 ` Nicolas Cavallari
2022-03-23 20:06 ` Jason A. Donenfeld
2022-03-23 20:07 ` [Buildroot] [PATCH v2] " Jason A. Donenfeld
2022-03-24 8:24 ` Yann E. MORIN
2022-03-24 9:15 ` David Laight
2022-03-24 10:09 ` Yann E. MORIN
2022-03-24 10:25 ` David Laight
2022-03-24 10:39 ` Yann E. MORIN
2022-03-24 13:06 ` David Laight
2022-03-24 13:54 ` Jason A. Donenfeld
2022-03-24 14:31 ` David Laight
2022-03-24 14:39 ` Jason A. Donenfeld
2022-03-28 13:17 ` Peter Korsgaard
2022-04-15 10:54 ` Eugen.Hristev--- via buildroot
2022-04-15 12:25 ` Nicolas Cavallari
2022-04-16 11:12 ` Peter Korsgaard
2022-04-16 11:31 ` [Buildroot] [PATCH] package/urandom-scripts: do not seed if initial seed doesn't exist Jason A. Donenfeld
2022-04-16 13:47 ` Peter Korsgaard
2022-04-18 20:19 ` Eugen.Hristev--- via buildroot
2022-04-18 20:36 ` Jason A. Donenfeld
2022-04-19 10:23 ` Eugen.Hristev--- via buildroot
2022-04-18 20:50 ` Peter Korsgaard
2022-05-22 10:11 ` Peter Korsgaard
2022-04-16 8:29 ` [Buildroot] [PATCH v2] package/urandom-scripts: hash old seed with new seed when saving Peter Korsgaard
2022-03-24 2:41 ` [Buildroot] [PATCH] " Jason A. Donenfeld
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220323091336.GL1566358@scaer \
--to=yann.morin.1998@free.fr \
--cc=Jason@zx2c4.com \
--cc=buildroot@buildroot.org \
--cc=christoph.muellner@theobroma-systems.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox