linux-crypto.vger.kernel.org archive mirror
From: Eric Biggers <ebiggers3@gmail.com>
To: "Jason A. Donenfeld" <Jason@zx2c4.com>
Cc: Theodore Ts'o <tytso@mit.edu>,
	Linux Crypto Mailing List <linux-crypto@vger.kernel.org>,
	LKML <linux-kernel@vger.kernel.org>,
	kernel-hardening@lists.openwall.com,
	Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	David Miller <davem@davemloft.net>,
	Herbert Xu <herbert@gondor.apana.org.au>
Subject: Re: [kernel-hardening] Re: [PATCH v3 04/13] crypto/rng: ensure that the RNG is ready before using
Date: Mon, 5 Jun 2017 21:44:04 -0700
Message-ID: <20170606044404.GA3469@zzz>
In-Reply-To: <CAHmME9qZUEMDjQGNOBC7PrCTcanOxohVHcED+Xyg_3jR64Q7VQ@mail.gmail.com>

On Tue, Jun 06, 2017 at 05:56:20AM +0200, Jason A. Donenfeld wrote:
> Hey Ted,
> 
> On Tue, Jun 6, 2017 at 5:00 AM, Theodore Ts'o <tytso@mit.edu> wrote:
> > Note that crypto_rng_reset() is called by big_key_init() in
> > security/keys/big_key.c as a late_initcall().  So if we are on a
> > system where the crng doesn't get initialized until during the system
> > boot scripts, and big_key is compiled directly into the kernel, the
> > boot could end up deadlocking.
> >
> > There may be other instances of where crypto_rng_reset() is called by
> > an initcall, so big_key_init() may not be an exhaustive enumeration of
> > potential problems.  But this is an example of why the synchronous
> > API, although definitely much more convenient, can end up being a trap
> > for the unwary....
> 
> Thanks for pointing this out. I'll look more closely into it and see
> if I can figure out a good way of approaching this.

I don't think big_key even needs randomness at init time.  The 'big_key_rng'
could just be removed and big_key_gen_enckey() changed to call
get_random_bytes().  (Or get_random_bytes_wait(), I guess; it's only reachable
via the keyring syscalls.)

It's going to take a while to go through all 217 users of get_random_bytes()
like this, though...  It's really a shame there's no way to guarantee good
randomness at boot time.

Eric
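
The boot-ordering problem discussed in this message, as an added user-space model that is not part of the original email and is not kernel code: an RNG wait inside an initcall stalls the boot before the scripts that would seed the crng can run, while the same wait reached from a keyring syscall only sleeps until they do. The names `simulate_boot` and `model_big_key`, and the three-task scenario, are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdio.h>
/* User-space model only (added illustration); nothing here calls kernel code. */
enum phase { INITCALL, USERSPACE };
/* needs_rng: blocks until the crng is ready; seeds_rng: running it seeds the crng. */
struct task { enum phase phase; bool needs_rng, seeds_rng, done; };

/* Returns -1 if every task completes, else the index of a task that never runs. */
static int simulate_boot(struct task *t, int n)
{
    bool crng_ready = false;
    /* Initcalls run in order before userspace exists: a blocked one stalls the rest. */
    for (int i = 0; i < n; i++) {
        if (t[i].phase != INITCALL) continue;
        if (t[i].needs_rng && !crng_ready) return i;
        crng_ready |= t[i].seeds_rng;
        t[i].done = true;
    }
    /* Userspace tasks are independent: a blocked one sleeps while others run. */
    for (;;) {
        bool progress = false;
        int stuck = -1;
        for (int i = 0; i < n; i++) {
            if (t[i].done) continue;
            if (t[i].needs_rng && !crng_ready) { if (stuck < 0) stuck = i; continue; }
            crng_ready |= t[i].seeds_rng;
            t[i].done = progress = true;
        }
        if (stuck < 0) return -1;
        if (!progress) return stuck;
    }
}

/* Constructed scenario: true = RNG wait in the initcall, false = wait at key generation. */
static int model_big_key(bool wait_at_init)
{
    struct task t[] = {
        { INITCALL,  wait_at_init,  false, false },  /* big_key_init() */
        { USERSPACE, !wait_at_init, false, false },  /* keyring syscall */
        { USERSPACE, false,         true,  false },  /* boot scripts seed the crng */
    };
    return simulate_boot(t, 3);
}

int main(void)
{
    printf("initcall wait: %d, first-use wait: %d\n", model_big_key(true), model_big_key(false));
    return 0;
}
```

A return of 0 means the task at index 0 (the modelled initcall) never completes; -1 means the boot finishes.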

