From: "Theodore Ts'o" <tytso@mit.edu>
To: "Jason A. Donenfeld" <Jason@zx2c4.com>
Cc: Andy Lutomirski <luto@kernel.org>,
Marcelo Henrique Cerri <marcelo.cerri@canonical.com>,
Simo Sorce <simo@redhat.com>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
Jeffrey Walton <noloader@gmail.com>,
Stephan Mueller <smueller@chronox.de>,
Linux Crypto Mailing List <linux-crypto@vger.kernel.org>,
Willy Tarreau <w@1wt.eu>, Nicolai Stange <nstange@suse.de>,
Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
Arnd Bergmann <arnd@arndb.de>,
"Eric W. Biederman" <ebiederm@xmission.com>,
"Alexander E. Patrakov" <patrakov@gmail.com>,
"Ahmed S. Darwish" <darwish.07@gmail.com>,
Matthew Garrett <mjg59@srcf.ucam.org>,
Vito Caputo <vcaputo@pengaru.com>,
Andreas Dilger <adilger.kernel@dilger.ca>,
Jan Kara <jack@suse.cz>, Ray Strode <rstrode@redhat.com>,
William Jon McCann <mccann@jhu.edu>,
zhangjs <zachary@baishancloud.com>,
Florian Weimer <fweimer@redhat.com>,
Lennart Poettering <mzxreary@0pointer.de>,
Peter Matthias <matthias.peter@bsi.bund.de>,
Neil Horman <nhorman@redhat.com>,
Randy Dunlap <rdunlap@infradead.org>,
Julia Lawall <julia.lawall@inria.fr>,
Dan Carpenter <dan.carpenter@oracle.com>,
Andy Lavr <andy.lavr@gmail.com>, Petr Tesarik <ptesarik@suse.cz>,
John Haxby <john.haxby@oracle.com>,
Alexander Lobakin <alobakin@mailbox.org>,
Jirka Hladky <jhladky@redhat.com>,
Eric Biggers <ebiggers@kernel.org>
Subject: Re: [PATCH v43 01/15] Linux Random Number Generator
Date: Tue, 11 Jan 2022 11:08:45 -0500 [thread overview]
Message-ID: <Yd2rjQhK71L2vwgb@mit.edu> (raw)
In-Reply-To: <CAHmME9o8FFLC3vvTN0cNzdzoYvBFwJMUCTaxOhnXfTaEELbBeg@mail.gmail.com>
On Tue, Jan 11, 2022 at 02:16:30PM +0100, Jason A. Donenfeld wrote:
> I spent some time reading about FIPS certification, compliance, and
> the requirements of various customers. One thing in particular leapt
> out at me, which I think you've been saying over and over in this
> thread but I didn't fully understand until this morning:
>
> The goal is generally to have particular pieces of software or
> particular solutions FIPS certified. And to do this, they start from
> the top of the stack and move onward down. Most OSS software out there
> today isn't really FIPS ready and oftentimes a full solution needs
> modifications in one place or another. Other times, it's enough to
> plug in the right userspace crypto libraries. And I noticed in looking
> at things that are FIPS certified that random number generation tends
> to go through a userspace abstraction layer. And, it looks like these
> abstraction layers all have FIPS-able RNG hooks. You mentioned OpenSSL
> earlier, and it looks like even libgcrypt and wolfSSL have an
> abstraction layer for this.
I know this thread is about security theatre, not real security, but
there's an even more important reason why the FIPS cryptographic
module should be as high in the stack as possible (e.g., in
userspace). Let's consider as, Albert Einstein would put it, the
following gedanken experiment:
Let's presume that in 2008, there was a FIPS-140 certified OS
designating the Linux kernel as the "cryptographic module", and so
/dev/urandom was hacked to be "FIPS certified". Huzzah! Now let's
assume that OS was using Ubuntu, which, being derived from Debian, was
subject to a distribution "value add" where in blind obedience to a
valgrind warning, there was a distro-level change which resulted in
OpenSSL on Debian and Debian derivitives generating extremely
predictable keys[1]. This caused fairly massive security problems for
any use of OpenSSL, including ssh, certificate generation, etc. ---
despite the FIPS 140 certification of the OS. Oops!
[1] https://en.wikinews.org/wiki/Predictable_random_number_generator_discovered_in_the_Debian_version_of_OpenSSL
It might be *cheaper* to claim that your OS is FIPS 140 certified by
hacking /dev/urandom. Otherwise, you might have to have a responsible
security engineer audit the various userspace cryptographic libraries,
and that would be way more expensive. It's much easier for a product
manager to say, "my work here is done" after applying a patch to the
Linux kernel for /dev/urandom, and not bothering to get an engineer to
certify the rest of the cryptographic stack.
And, if enterprise customers just care that an enterprise distro can
claim "FIPS 140 compliance", and they can push that claim of FIPS
compliance to the PCI certification authorities, they're happy. So
ultimately, this is really an economic requirement, not a security
requirement. And given that enterprise distros are the ones getting
paid $$$ in order to claim FIPS 140 compliance, then from an upstream
perspective, if our gaols is to optimzie the speed of getrandom(2) and
/dev/urandom, and to encourage application programmers to do the right
thing --- and *not* security theare for the sake of economic goals, we
should make technical decisions accordingly.
Cheers,
- Ted
next prev parent reply other threads:[~2022-01-11 16:10 UTC|newest]
Thread overview: 101+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-11-21 16:39 [PATCH v43 00/15] /dev/random - a new approach Stephan Müller
2021-11-21 16:40 ` [PATCH v43 01/15] Linux Random Number Generator Stephan Müller
2021-11-21 17:23 ` Joe Perches
2021-11-21 22:42 ` Jason A. Donenfeld
2021-11-22 5:34 ` Stephan Mueller
2021-11-22 6:02 ` Greg Kroah-Hartman
2021-11-22 6:42 ` Stephan Mueller
2021-11-22 6:55 ` Greg Kroah-Hartman
2021-11-22 15:09 ` Simo Sorce
2021-11-22 21:06 ` Jeffrey Walton
2021-11-23 5:38 ` Stephan Mueller
2021-11-26 15:42 ` Greg Kroah-Hartman
2021-11-22 16:56 ` John Haxby
2021-11-26 15:40 ` Greg Kroah-Hartman
2021-11-22 14:59 ` Simo Sorce
2021-11-26 15:44 ` Greg Kroah-Hartman
2021-11-26 16:15 ` Stephan Mueller
2021-11-26 16:22 ` Greg Kroah-Hartman
2021-11-29 15:31 ` Stephan Mueller
2021-11-29 16:25 ` Greg Kroah-Hartman
2021-11-29 16:50 ` Stephan Mueller
2021-11-30 12:24 ` Jeffrey Walton
2021-11-30 14:04 ` Greg Kroah-Hartman
2021-11-30 14:31 ` Simo Sorce
2021-11-30 15:45 ` Greg Kroah-Hartman
2021-11-30 17:05 ` Willy Tarreau
2021-11-30 17:08 ` Simo Sorce
2021-11-30 18:15 ` Eric Biggers
2021-11-30 18:39 ` Jason A. Donenfeld
2021-11-30 19:41 ` Simo Sorce
2021-12-01 16:02 ` Jason A. Donenfeld
2021-12-01 17:19 ` Simo Sorce
2021-12-01 17:55 ` Boris Krasnovskiy
2021-12-01 18:05 ` Greg Kroah-Hartman
2021-12-01 18:24 ` Jason A. Donenfeld
2021-12-02 0:24 ` Jeffrey Walton
2021-12-02 7:12 ` Greg Kroah-Hartman
2021-12-02 15:50 ` John Haxby
2021-12-01 18:29 ` Jason A. Donenfeld
[not found] ` <BY5PR14MB3416DF44172D8F47D0B078A986689@BY5PR14MB3416.namprd14.prod.outlook.com>
2021-12-01 18:05 ` Greg Kroah-Hartman
2021-12-10 1:43 ` Marcelo Henrique Cerri
2021-12-10 6:46 ` Greg Kroah-Hartman
2021-12-10 9:30 ` Marcelo Henrique Cerri
2021-12-10 9:48 ` Greg Kroah-Hartman
2021-12-10 17:02 ` Simo Sorce
2021-12-11 7:06 ` Willy Tarreau
2021-12-11 8:09 ` Stephan Müller
2021-12-11 8:57 ` Willy Tarreau
2022-01-10 13:23 ` Marcelo Henrique Cerri
2022-01-10 14:11 ` Jason A. Donenfeld
2022-01-10 14:29 ` Theodore Ts'o
2022-01-10 14:38 ` Jason A. Donenfeld
2022-01-10 17:38 ` Theodore Ts'o
2022-01-10 18:29 ` Eric Biggers
2022-01-10 18:44 ` Jason A. Donenfeld
2022-01-10 19:41 ` Simo Sorce
2022-01-10 20:05 ` Eric Biggers
2022-01-10 19:49 ` Theodore Ts'o
2022-01-10 22:19 ` Jason A. Donenfeld
2022-01-11 1:44 ` Andy Lutomirski
2022-01-11 3:10 ` Theodore Ts'o
2022-01-11 4:04 ` Willy Tarreau
2022-01-11 4:13 ` Matthew Garrett
2022-01-11 10:01 ` Alexander E. Patrakov
[not found] ` <CAN_LGv0CTDi9k=t=TGHvaHZz5YVT+OUEBaRXjP=Xv=kousHY1w@mail.gmail.com>
2022-01-11 17:10 ` Matthew Garrett
2022-01-11 13:16 ` Jason A. Donenfeld
2022-01-11 16:08 ` Theodore Ts'o [this message]
2022-01-11 13:06 ` Jason A. Donenfeld
2022-01-11 15:10 ` Andy Lutomirski
2022-01-10 21:38 ` Jason A. Donenfeld
2022-01-10 15:07 ` Marcelo Henrique Cerri
2021-11-30 15:13 ` Jeffrey Walton
2021-11-30 15:39 ` Greg Kroah-Hartman
2021-11-30 7:32 ` Sandy Harris
2021-11-30 7:55 ` Greg Kroah-Hartman
2021-11-30 8:56 ` Stephan Mueller
2021-11-30 9:12 ` Greg Kroah-Hartman
2021-12-04 9:53 ` Sandy Harris
2021-11-22 10:33 ` kernel test robot
2021-11-22 11:47 ` Stephan Mueller
2021-11-25 5:25 ` [kbuild-all] " Chen, Rong A
2021-11-30 2:55 ` Sandy Harris
2021-11-30 6:06 ` Stephan Müller
2021-11-21 16:40 ` [PATCH v43 02/15] LRNG - IRQ entropy source Stephan Müller
2021-11-21 16:40 ` [PATCH v43 03/15] LRNG - sysctls and /proc interface Stephan Müller
2021-11-21 16:41 ` [PATCH v43 04/15] LRNG - allocate one DRNG instance per NUMA node Stephan Müller
2021-11-21 16:42 ` [PATCH v43 05/15] LRNG - CPU entropy source Stephan Müller
2021-11-22 7:09 ` kernel test robot
2021-11-22 11:48 ` Stephan Mueller
2021-11-21 16:42 ` [PATCH v43 06/15] LRNG - add switchable DRNG support Stephan Müller
2021-11-21 16:43 ` [PATCH v43 07/15] LRNG - add common generic hash support Stephan Müller
2021-11-21 16:43 ` [PATCH v43 08/15] crypto: DRBG - externalize DRBG functions for LRNG Stephan Müller
2021-11-21 16:44 ` [PATCH v43 09/15] LRNG - add SP800-90A DRBG extension Stephan Müller
2021-11-21 16:45 ` [PATCH v43 10/15] LRNG - add kernel crypto API PRNG extension Stephan Müller
2021-11-21 16:45 ` [PATCH v43 11/15] crypto: move Jitter RNG header include dir Stephan Müller
2021-11-21 16:46 ` [PATCH v43 12/15] LRNG - add Jitter RNG fast noise source Stephan Müller
2021-11-21 16:46 ` [PATCH v43 13/15] LRNG - add SP800-90B compliant health tests Stephan Müller
2021-11-21 16:47 ` [PATCH v43 14/15] LRNG - add interface for gathering of raw entropy Stephan Müller
2021-11-21 16:47 ` [PATCH v43 15/15] LRNG - add power-on and runtime self-tests Stephan Müller
2021-12-11 15:45 ` [PATCH v43 00/15] /dev/random - a new approach Thomas Schoebel-Theuer
2021-12-11 16:04 ` Willy Tarreau
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=Yd2rjQhK71L2vwgb@mit.edu \
--to=tytso@mit.edu \
--cc=Jason@zx2c4.com \
--cc=adilger.kernel@dilger.ca \
--cc=alobakin@mailbox.org \
--cc=andy.lavr@gmail.com \
--cc=arnd@arndb.de \
--cc=dan.carpenter@oracle.com \
--cc=darwish.07@gmail.com \
--cc=ebiederm@xmission.com \
--cc=ebiggers@kernel.org \
--cc=fweimer@redhat.com \
--cc=gregkh@linuxfoundation.org \
--cc=jack@suse.cz \
--cc=jhladky@redhat.com \
--cc=john.haxby@oracle.com \
--cc=julia.lawall@inria.fr \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=luto@kernel.org \
--cc=marcelo.cerri@canonical.com \
--cc=matthias.peter@bsi.bund.de \
--cc=mccann@jhu.edu \
--cc=mjg59@srcf.ucam.org \
--cc=mzxreary@0pointer.de \
--cc=nhorman@redhat.com \
--cc=noloader@gmail.com \
--cc=nstange@suse.de \
--cc=patrakov@gmail.com \
--cc=ptesarik@suse.cz \
--cc=rdunlap@infradead.org \
--cc=rstrode@redhat.com \
--cc=simo@redhat.com \
--cc=smueller@chronox.de \
--cc=vcaputo@pengaru.com \
--cc=w@1wt.eu \
--cc=zachary@baishancloud.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).