From: "Andy Lutomirski" <luto@kernel.org>
To: "Jason A. Donenfeld" <Jason@zx2c4.com>,
"Linux Kernel Mailing List" <linux-kernel@vger.kernel.org>,
"Linux Crypto Mailing List" <linux-crypto@vger.kernel.org>
Cc: "Paul Walmsley" <paul.walmsley@sifive.com>,
"Palmer Dabbelt" <palmer@dabbelt.com>,
"Albert Ou" <aou@eecs.berkeley.edu>,
linux-riscv@lists.infradead.org,
"Geert Uytterhoeven" <geert@linux-m68k.org>,
linux-m68k@lists.linux-m68k.org,
"Thomas Bogendoerfer" <tsbogend@alpha.franken.de>,
linux-mips@vger.kernel.org,
"Dominik Brodowski" <linux@dominikbrodowski.net>,
"Eric Biggers" <ebiggers@google.com>,
"Ard Biesheuvel" <ardb@kernel.org>,
"Arnd Bergmann" <arnd@arndb.de>,
"Thomas Gleixner" <tglx@linutronix.de>,
"Kees Cook" <keescook@chromium.org>,
"Lennart Poettering" <mzxreary@0pointer.de>,
"Linus Torvalds" <torvalds@linux-foundation.org>,
"Greg Kroah-Hartman" <gregkh@linuxfoundation.org>,
"Theodore Ts'o" <tytso@mit.edu>
Subject: Re: [PATCH RFC v0] random: block in /dev/urandom
Date: Sat, 12 Feb 2022 19:15:31 -0800
Message-ID: <fbdd43e1-a305-48d1-8ccb-2deffcb715f7@www.fastmail.com>
In-Reply-To: <20220211210757.612595-1-Jason@zx2c4.com>

On Fri, Feb 11, 2022, at 1:07 PM, Jason A. Donenfeld wrote:
> This is very much an RFC patch, or maybe even an RFG -- request for
> grumbles. This topic has come up a million times, and usually doesn't go
> anywhere. This time I thought I'd bring it up with a slightly narrower
> focus. Before you read further, realize that I do not intend to merge
> this without there being an appropriate amount of consensus for it and
> discussion about it.
>
> Ever since Linus' 50ee7529ec45 ("random: try to actively add entropy
> rather than passively wait for it"), the RNG does a haveged-style jitter
> dance around the scheduler, in order to produce entropy (and credit it)
> for the case when we're stuck in wait_for_random_bytes(). However you
> feel about the Linus Jitter Dance is beside the point: it's been there
> for three years and usually gets the RNG initialized in a second or so.

I dislike this patch for a reason that has nothing to do with security. Somewhere there’s a Linux machine that boots straight to Nethack in a glorious 50ms. If Nethack gets 256 bits of amazing entropy from /dev/urandom, then the machine’s owner has to play for real. If it repeats the same game on occasion, the owner can be disappointed or amused. If it gets a weak seed that can be brute forced, then the owner can have fun brute forcing it.

If, on the other hand, it waits 750ms for enough jitter entropy to be perfect, it’s a complete fail. No one wants to wait 750ms to play Nethack.

Replace Nethack with something with a backup camera or a lightbulb, both of which have regulations related to startup time, and there may be a real problem. Keep in mind that some language runtimes randomize their hash table seeds at startup, possibly using /dev/urandom. This patch may break actual, correct, working code.
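
The startup-time concern about runtimes that seed hash tables from /dev/urandom, as an added example (not part of the original message or of the patch under discussion): a hypothetical helper, `hash_seed_nonblocking`, asks getrandom(2) for a seed without ever waiting on the RNG and reports how good the seed is. The `seed_quality` enum and the clock/pid fallback are assumptions made for illustration; `GRND_NONBLOCK` and `GRND_INSECURE` are the real getrandom(2) flags.

```c
#include <stdint.h>
#include <stdio.h>
#include <sys/random.h>
#include <time.h>
#include <unistd.h>

#ifndef GRND_INSECURE
#define GRND_INSECURE 0x0004 /* Linux >= 5.6: never blocks, may be unseeded */
#endif

/* Hypothetical quality levels so the caller can log or react to a weak seed. */
enum seed_quality { SEED_WEAK = 0, SEED_BEST_EFFORT = 1, SEED_CRNG_READY = 2 };

/* Hypothetical helper: fill *seed for a hash-table key without ever blocking. */
static enum seed_quality hash_seed_nonblocking(uint64_t *seed)
{
    /* 1. RNG already initialized: same quality a blocking read would give.
     *    If it is not ready yet (early boot) this fails with EAGAIN. */
    if (getrandom(seed, sizeof(*seed), GRND_NONBLOCK) == (ssize_t)sizeof(*seed))
        return SEED_CRNG_READY;

    /* 2. Take whatever the kernel has right now. Acceptable for randomizing
     *    a hash table at boot, never for key material. */
    if (getrandom(seed, sizeof(*seed), GRND_INSECURE) == (ssize_t)sizeof(*seed))
        return SEED_BEST_EFFORT;

    /* 3. Kernel without GRND_INSECURE: constructed fallback from wall clock,
     *    CPU clock, pid and a stack address. Guessable; the caller is told so. */
    *seed = ((uint64_t)time(NULL) << 32) ^ (uint64_t)clock()
          ^ ((uint64_t)getpid() << 16) ^ (uint64_t)(uintptr_t)seed;
    return SEED_WEAK;
}

int main(void)
{
    static const char *names[] = {
        "weak (clock/pid fallback)", "best effort (GRND_INSECURE)", "CRNG ready"
    };
    uint64_t seed;
    enum seed_quality q = hash_seed_nonblocking(&seed);

    /* Report only the quality; the seed itself stays private to the process. */
    printf("hash seed quality: %s\n", names[q]);
    return 0;
}
```

Code that needs cryptographic keys should instead call getrandom() with flags 0 and accept the wait.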