Re: [PATCH v4 0/6] Seeding DRBG with more entropy

public inbox for linux-kernel@vger.kernel.org
 help / color / mirror / Atom feed

From: "Theodore Ts'o" <tytso@mit.edu>
To: Stephan Mueller <smueller@chronox.de>
Cc: herbert@gondor.apana.org.au, Paul Bolle <pebolle@tiscali.it>,
	Andreas Steffen <andreas.steffen@strongswan.org>,
	Sandy Harris <sandyinchina@gmail.com>,
	linux-kernel@vger.kernel.org, linux-crypto@vger.kernel.org
Subject: Re: [PATCH v4 0/6] Seeding DRBG with more entropy
Date: Sun, 3 May 2015 16:58:34 -0400	[thread overview]
Message-ID: <20150503205834.GJ10014@thunk.org> (raw)
In-Reply-To: <1626703.0h1HzJAx4d@tachyon.chronox.de>

On Sun, May 03, 2015 at 05:33:00PM +0200, Stephan Mueller wrote:
> The patch set adds an in-kernel /dev/random equivalent that was discussed with
> Ted Ts'o last July -- see [2] and [3]. A test module for testing the
> asynchronous operation of the in-kernel /dev/random is given with the code
> below.
> 
> Ted: shall we really create and maintain a new entropy pool (the kernel_pool),
> or should the in-kernel /dev/random logic draw directly from the input_pool?
> In other words, shall we drop the first patch and update the 2nd patch to
> use input_pool? Also, I would not recommend using the blocking_pool as this
> would mix kernel and user land operation.

I'd drop the 3rd pool, and just simply block until the non-blocking
pool has been initialized.  That's now considered the best practice
for userspace programs, which is to use getrandom(2), which by default
will block until the nonblocking pool has been initialized with an
estimated 128 bits of entropy, and after that point, all of the kernel
users should be quite satisfied with cryptographic entropy.

Certainly from the perspective of the perspective of a NIST evaluator
for a DRBG, using if they're happy using jitterentropy as a noise
source, they should be quite happy using the non-blocking pool as a
noise source, so long as it has been properly initialized.

As far as the concern of user space being able to block a kernel user
"indefinitely", in practice I really don't think that's going to be an
issue as far as boot-time initialization is concerned.  In practice
the urandom pool gets 128 bits of entropy *very* quickly, as in,
before the boot process is finished.

[    1.368585] random: systemd-udevd urandom read with 21 bits of entropy available
[    2.870497] EXT4-fs (sda3): mounted filesystem with ordered data mode. Opts: (null)
[    3.217209] EXT4-fs (sda3): re-mounted. Opts: errors=remount-ro
[    3.497191] random: nonblocking pool is initialized
[    7.705482] EXT4-fs (dm-9): mounted filesystem with ordered data mode. Opts: (null)
[    8.007435] EXT4-fs (dm-10): mounted filesystem with ordered data mode. Opts: (null)
[    8.165517] EXT4-fs (dm-0): mounted filesystem with ordered data mode. Opts: (null)

(And if the attacker is able to inject arbitrary programs running
during the init sequence, they are almost certainly running as root,
and you've got other problems.)

					- Ted

next prev parent reply	other threads:[~2015-05-03 20:58 UTC|newest]

Thread overview: 12+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2015-05-03 15:33 [PATCH v4 0/6] Seeding DRBG with more entropy Stephan Mueller
2015-05-03 15:33 ` [PATCH v4 1/6] random: Addition of kernel_pool Stephan Mueller
2015-05-03 15:33 ` [PATCH v4 2/6] random: Async and sync API for accessing kernel_pool Stephan Mueller
2015-05-04 10:22   ` Sandy Harris
2015-05-03 15:34 ` [PATCH v4 3/6] crypto: drbg - prepare for async seeding Stephan Mueller
2015-05-03 15:34 ` [PATCH v4 4/6] crypto: drbg - add async seeding operation Stephan Mueller
2015-05-03 15:35 ` [PATCH v4 5/6] crypto: drbg - use Jitter RNG to obtain seed Stephan Mueller
2015-05-03 15:36 ` [PATCH v4 6/6] crypto: add jitterentropy RNG Stephan Mueller
2015-05-03 20:58 ` Theodore Ts'o [this message]
2015-05-04  5:40   ` [PATCH v4 0/6] Seeding DRBG with more entropy Stephan Mueller
2015-05-04  6:13     ` Herbert Xu
2015-05-04 23:12     ` Theodore Ts'o

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20150503205834.GJ10014@thunk.org \
    --to=tytso@mit.edu \
    --cc=andreas.steffen@strongswan.org \
    --cc=herbert@gondor.apana.org.au \
    --cc=linux-crypto@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=pebolle@tiscali.it \
    --cc=sandyinchina@gmail.com \
    --cc=smueller@chronox.de \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox