From: Theodore Tso <tytso@mit.edu>
To: Andi Kleen <andi@firstfloor.org>
Cc: Arjan van de Ven <arjan@infradead.org>,
Chris Peterson <cpeterso@cpeterso.com>,
Herbert Xu <herbert@gondor.apana.org.au>,
Alan Cox <alan@lxorguk.ukuu.org.uk>,
Jeff Garzik <jeff@garzik.org>,
netdev@vger.kernel.org, linux-kernel@vger.kernel.org,
Andrew Morton <akpm@linux-foundation.org>,
"Brandeburg, Jesse" <jesse.brandeburg@intel.com>,
tpmdd-devel@lists.sourceforge.net, tpm@selhorst.net
Subject: Re: [PATCH] Re: [PATCH] drivers/net: remove network drivers' last few uses of IRQF_SAMPLE_RANDOM
Date: Sun, 18 May 2008 07:26:57 -0400 [thread overview]
Message-ID: <20080518112657.GK16496@mit.edu> (raw)
In-Reply-To: <4830014F.9040800@firstfloor.org>
On Sun, May 18, 2008 at 12:13:35PM +0200, Andi Kleen wrote:
> We don't use it for most long term keys, e.g. ssh host keys. That is
> because even on high entropy systems /dev/random usually doesn't work
> during distribution installation because the system has not run long
> enough to collect significant entropy yet.
One thing which I'm not sure most people understand is that there
isn't that much difference between /dev/random and /dev/urandom. They
are fed by the same sources, at the high level. There is a single
large entropy pool which gets fed by whatever entropy sources the
kernel can get its hands on, which periodically catastrophically seeds
separate smaller pools used by /dev/random and /dev/urandom. The only
difference is that /dev/random does entropy tracking; /dev/urandom
doesn't.
Hence, if you don't think the system hasn't run long enough to collect
significant entropy, you need to distinguish between "has run long
enough to collect entropy which is causes the entropy credits using a
somewhat estimation system where we try to be conservative such that
/dev/random will let you extract the number of bits you need", and
"has run long enough to collect entropy which is unpredictable by an
outside attacker such that host keys generated by /dev/urandom really
are secure".
See why the qualifying statements is so important? If you really
believe that there isn't enough entropy after installing a
distribution, THEN YOU SHOULDN'T BE GENERATING SSH HOST KEYS. The
problem is that the server scenario with no keyboard case is a really
nasty one.
> See also the distinction between "user controlled visible cryptography"
> and "background cryptography" I introduced in a earlier mail on that
> topic. gpg can only get away with it because they rely on a high level
> of user education (so requiring banging on keys is ok), but that's
> not really an option for your normal "everyday background crypto",
> including longer term keys.
No, this distinction is a specious one, I think. It's really more a
level of paranoia. People tend to be much more paranoid about their
own personal keys, at leasts if they are well trained. Most people
don't bother verifying ssh host keys the first time they contact a
host, making them subject to a man-in-the-middle attack. But most
people don't mind, by which we can deduce that most folks aren't as
careful about their ssh key.
If distributions really cared, they could very well introduce keyboard
banging as part of the install process; but no, being able to do an
unmanned, "turnkey" install is considered more important. That says
something about how much they care about security right there. (By
the way, if you are at least forcing the user to type in a root
password, having the distribution installer mix in the root password
into /dev/random would be a Really Good Idea; also, mixing in whatever
randomness it can get from the mouse during the install is also a
Really Good Idea.)
> Instead I think just both urandom and random should try to rely
> on TPMs and other hardware rngs and always get high quality bit noise.
Sure, if you can get access to a TPM or a hardware rng, that's
*always* a better choice. But the reason for /dev/random and
/dev/urandom's existence is that hardware manufacturers have either
not included a real hardware RNG, or made it impossible to get to it.
(I *still* haven't figured out how to access my TPM on my Lenovo
laptops. Anyone who can send me turn-key instructions, let me know
off-line.) Intel used to provide a true hardware RNG in their
chipsets a few years ago (props to them), but then stopped after one
generation (boo, hiss).
If there is a way that we can at least seed /dev/random from the TPM
(without needing any magic enabling keys, etc.) once at boot time, and
then rely on what we can get from the environment, maybe we can do it
in the kernel without needing to move all of the TPM access/contention
control logic from userspace into the kernel.
Of course, even if we did this, it wouldn't solve the distro problem
(at least for distro's who truly care about the security of ssh host
keys), since not all systems have TPM's.
- Ted
next prev parent reply other threads:[~2008-05-18 11:28 UTC|newest]
Thread overview: 94+ messages / expand[flat|nested] mbox.gz Atom feed top
2008-05-15 7:11 [PATCH] drivers/net: remove network drivers' last few uses of IRQF_SAMPLE_RANDOM Chris Peterson
2008-05-15 13:21 ` Alan Cox
2008-05-15 16:07 ` Brandeburg, Jesse
2008-05-15 16:39 ` Alan Cox
2008-05-15 18:14 ` Jeff Garzik
2008-05-15 18:47 ` Kok, Auke
2008-05-15 19:10 ` Jeff Garzik
2008-05-15 18:50 ` Rick Jones
2008-05-15 19:11 ` Jeff Garzik
2008-05-15 19:55 ` [PATCH] " Jeff Garzik
2008-05-16 0:27 ` Andi Kleen
2008-05-16 9:56 ` Alan Cox
2008-05-16 10:19 ` Andi Kleen
2008-05-16 12:12 ` Herbert Xu
2008-05-16 16:25 ` Andi Kleen
2008-05-17 1:01 ` Herbert Xu
2008-05-17 10:59 ` Andi Kleen
2008-05-17 19:54 ` Chris Peterson
2008-05-17 20:05 ` Arjan van de Ven
2008-05-18 10:13 ` Andi Kleen
2008-05-18 11:26 ` Theodore Tso [this message]
2008-05-18 12:57 ` Joe Korty
2008-05-18 17:53 ` Andi Kleen
2008-05-25 15:26 ` Glen Turner
2008-05-19 12:29 ` Benny Amorsen
2008-05-18 10:08 ` Andi Kleen
2008-05-22 9:28 ` Helge Hafting
2008-05-16 13:20 ` Adrian Bunk
2008-05-16 16:20 ` Andi Kleen
2008-05-16 19:47 ` David Miller
2008-05-16 23:28 ` Rick Jones
2008-05-15 18:04 ` Jeff Garzik
2008-05-15 18:17 ` Rick Jones
2008-05-15 18:31 ` Jeff Garzik
2008-05-15 18:47 ` Kok, Auke
2008-05-15 19:21 ` Jeff Garzik
2008-05-15 20:01 ` Chris Peterson
2008-05-15 20:16 ` Jeff Garzik
2008-05-15 20:39 ` Kok, Auke
2008-05-15 21:47 ` Theodore Tso
2008-05-15 21:58 ` Jeff Garzik
2008-05-15 22:29 ` Henrique de Moraes Holschuh
2008-05-15 22:44 ` Jeff Garzik
2008-05-15 23:02 ` Henrique de Moraes Holschuh
2008-05-15 23:36 ` Theodore Tso
2008-05-15 23:46 ` Henrique de Moraes Holschuh
2008-05-15 23:33 ` Theodore Tso
2008-05-15 23:58 ` Henrique de Moraes Holschuh
2008-05-16 13:21 ` Lennart Sorensen
2008-05-16 13:40 ` Jeff Garzik
2008-05-16 13:59 ` Will Newton
2008-05-16 14:15 ` Lennart Sorensen
2008-05-16 14:27 ` Jeff Garzik
2008-05-16 15:10 ` Alan Cox
2008-05-16 17:36 ` Lennart Sorensen
2008-05-16 18:11 ` Alan Cox
2008-05-16 18:40 ` Kok, Auke
2008-05-18 10:59 ` Matthias Andree
2008-05-16 18:41 ` Lennart Sorensen
2008-05-16 18:42 ` Lennart Sorensen
2008-05-16 20:04 ` Alan Cox
2008-05-16 20:39 ` Lennart Sorensen
2008-05-16 20:46 ` Alan Cox
2008-05-16 20:34 ` Benny Amorsen
2008-05-25 15:02 ` Glen Turner
2008-05-25 19:33 ` Benny Amorsen
2008-05-17 4:55 ` Chris Peterson
2008-05-25 15:09 ` Glen Turner
2008-05-25 23:27 ` Theodore Tso
2008-05-26 13:43 ` Alejandro Riveira Fernández
2008-05-26 15:14 ` Bill Fink
2008-05-26 21:07 ` Krzysztof Halasa
2008-05-26 21:52 ` Bill Fink
2008-05-26 22:11 ` Ben Hutchings
2008-05-27 16:44 ` Rick Jones
2008-05-30 19:50 ` Pavel Machek
[not found] ` <20080516191125.46 <20080525232712.GF5970@mit.edu>
2008-05-26 21:08 ` Gilles Espinasse
2008-05-25 14:55 ` Glen Turner
[not found] ` <482C8550 <20080516161029.44ded734@core>
2008-05-16 20:08 ` Gilles Espinasse
2008-05-17 22:02 ` Adrian Bunk
2008-05-18 6:41 ` [PATCH] drivers/net: remove network drivers' last few uses ofIRQF_SAMPLE_RANDOM Gilles Espinasse
2008-05-18 9:54 ` Alan Cox
2008-05-18 12:02 ` Adrian Bunk
2008-05-18 12:24 ` Theodore Tso
2008-05-18 14:43 ` Adrian Bunk
2008-05-15 21:55 ` [PATCH] drivers/net: remove network drivers' last few uses of IRQF_SAMPLE_RANDOM Adrian Bunk
2008-05-15 22:04 ` Jeff Garzik
2008-05-15 22:27 ` Theodore Tso
2008-05-15 22:13 ` Jesper Juhl
2008-05-15 22:34 ` Theodore Tso
2008-05-15 22:57 ` Jesper Juhl
2008-05-18 0:36 ` Matt Mackall
2008-05-18 11:03 ` Matthias Andree
2008-05-15 22:42 ` Jeff Garzik
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20080518112657.GK16496@mit.edu \
--to=tytso@mit.edu \
--cc=akpm@linux-foundation.org \
--cc=alan@lxorguk.ukuu.org.uk \
--cc=andi@firstfloor.org \
--cc=arjan@infradead.org \
--cc=cpeterso@cpeterso.com \
--cc=herbert@gondor.apana.org.au \
--cc=jeff@garzik.org \
--cc=jesse.brandeburg@intel.com \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=tpm@selhorst.net \
--cc=tpmdd-devel@lists.sourceforge.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox