From: Theodore Ts'o <tytso@mit.edu>
To: Eric Dumazet <eric.dumazet@gmail.com>,
Tom Herbert <therbert@google.com>,
davem@davemloft.net, netdev@vger.kernel.org,
jesse.brandeburg@intel.com, linux-kernel@vger.kernel.org
Subject: Re: [PATCH RFC] random: introduce get_random_bytes_busy_wait_initialized
Date: Wed, 2 Oct 2013 11:10:18 -0400 [thread overview]
Message-ID: <20131002151018.GA31579@thunk.org> (raw)
In-Reply-To: <20130925090034.GC4904@order.stressinduktion.org>
On Wed, Sep 25, 2013 at 11:00:34AM +0200, Hannes Frederic Sowa wrote:
> [PATCH RFC] random: introduce get_random_bytes_busy_wait_initialized
>
> We want to use good entropy for initializing the secret keys used for
> hashing in the core network stack. So busy wait before extracting random
> data until the nonblocking_pool is initialized.
>
> Further entropy is also gathered by interrupts, so we are guaranteed to
> make progress here.
One thing that makes me a bit worried is that on certain
architectures, it may take quite a while before we get enough entropy
such that the non-blocking pool gets initialized.
Speaking more generally, there are many different reasons why
different parts of the kernel needs randomness. I've found a number
of places (mostly in various file systems so far because I know that
subsystem better) because we are trying to use a random number
generator with a higher level of guarantees than what was really
required.
What's not completely clear to me is what's the potential danger if
build_ehash_secret() is initialized with a value that might be known
to an adversary. I'll note that inet_ehash_secret() is a 32-bit uint.
A 32-bit number isn't all that hard for an adversary to brute force.
If the answer is there's now oracle that can be used so an adversary
can tell whether or not they have correctly figured out the ehash
secret, then it's not that clear that it's worth blocking until the
urandom pool has 128 bits of entropy, when ehash_secret is only a
32-bit value.
Speaking even more generally, any time you have subsystems grabbing
random entropy very shortly after boot, especially if it's less than
64 bits, it's really good idea of the secret gets periodically
rekeyed. I understand why that may be hard in this case, since it
would require rehashing all of the currently open sockets, and maybe
in this case the security requirements are such that it's not really
necessary. But it's something we should definitely keep in mind for
situations where we are generating random session keys for CIFS,
ipsec, etc.
Regards,
- Ted
next prev parent reply other threads:[~2013-10-02 15:10 UTC|newest]
Thread overview: 50+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-09-23 22:41 [PATCH 1/2] net: Toeplitz library functions Tom Herbert
2013-09-24 0:03 ` Eric Dumazet
2013-09-24 1:39 ` David Miller
2013-09-24 2:30 ` Hannes Frederic Sowa
2013-09-24 3:35 ` Hannes Frederic Sowa
2013-09-24 5:38 ` Eric Dumazet
2013-09-24 5:45 ` Hannes Frederic Sowa
2013-09-24 13:19 ` [PATCH] net: net_secret should not depend on TCP Eric Dumazet
2013-09-24 15:13 ` Hannes Frederic Sowa
2013-09-24 15:22 ` Eric Dumazet
2013-09-24 15:28 ` Hannes Frederic Sowa
2013-09-24 15:46 ` Eric Dumazet
2013-09-24 23:51 ` Hannes Frederic Sowa
2013-09-28 22:20 ` David Miller
2013-09-25 9:00 ` [PATCH RFC] random: introduce get_random_bytes_busy_wait_initialized Hannes Frederic Sowa
2013-09-25 12:06 ` Eric Dumazet
2013-09-25 13:35 ` Hannes Frederic Sowa
2013-10-02 15:10 ` Theodore Ts'o [this message]
2013-10-02 17:18 ` Hannes Frederic Sowa
2013-10-02 19:40 ` Theodore Ts'o
2013-09-24 16:01 ` [PATCH 1/2] net: Toeplitz library functions Hannes Frederic Sowa
2013-09-24 16:14 ` Eric Dumazet
2013-09-24 16:35 ` Tom Herbert
2013-09-24 16:46 ` Eric Dumazet
2013-09-24 17:02 ` Ben Hutchings
2013-09-24 17:03 ` Tom Herbert
2013-09-24 17:34 ` Eric Dumazet
2013-09-24 17:37 ` Rick Jones
2013-09-24 17:44 ` Eric Dumazet
2013-09-24 18:02 ` Tom Herbert
2013-09-24 18:48 ` David Miller
2013-09-24 19:42 ` Hannes Frederic Sowa
2013-09-24 8:32 ` David Laight
2013-09-24 12:24 ` Eric Dumazet
2013-09-24 15:22 ` Tom Herbert
2013-09-24 15:29 ` Eric Dumazet
2013-09-24 15:39 ` David Miller
2013-09-24 15:54 ` Tom Herbert
2013-09-24 16:00 ` Hannes Frederic Sowa
2013-09-24 16:10 ` Eric Dumazet
2013-09-24 18:03 ` David Miller
2013-09-24 18:06 ` Tom Herbert
2013-09-24 18:10 ` Ben Hutchings
2013-09-24 18:24 ` Tom Herbert
2013-09-24 19:14 ` Eric Dumazet
2013-09-24 18:49 ` David Miller
2013-09-24 18:48 ` Jesse Brandeburg
2013-09-24 19:04 ` Tom Herbert
2013-09-24 16:38 ` Ben Hutchings
2013-09-24 16:32 ` Ben Hutchings
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20131002151018.GA31579@thunk.org \
--to=tytso@mit.edu \
--cc=davem@davemloft.net \
--cc=eric.dumazet@gmail.com \
--cc=jesse.brandeburg@intel.com \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=therbert@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).