Modular BIG_KEYS (was: Re: [PATCH v4] security/keys: rewrite all of big_key crypto)
From: Geert Uytterhoeven
Date: Mon Oct 02 2017 - 03:14:46 EST
Hi Jason,
On Sat, Sep 16, 2017 at 3:00 PM, Jason A. Donenfeld <Jason@xxxxxxxxx> wrote:
> This started out as just replacing the use of crypto/rng with
> get_random_bytes_wait, so that we wouldn't use bad randomness at boot time.
> But, upon looking further, it appears that there were even deeper
> underlying cryptographic problems, and that this seems to have been
> committed with very little crypto review. So, I rewrote the whole thing,
> trying to keep to the conventions introduced by the previous author, to
> fix these cryptographic flaws.
>
> It makes no sense to seed crypto/rng at boot time and then keep
> using it like this, when in fact there's already get_random_bytes_wait,
> which can ensure there's enough entropy and be a much more standard way
> of generating keys. Since this sensitive material is being stored untrusted,
> using ECB and no authentication is simply not okay at all. I find it
> surprising and a bit horrifying that this code even made it past basic
> crypto review, which perhaps points to some larger issues. This patch
> moves from using AES-ECB to using AES-GCM. Since keys are uniquely generated
> each time, we can set the nonce to zero. There was also a race condition in
> which the same key would be reused at the same time in different threads. A
> mutex fixes this issue now. And, some error paths forgot to zero out sensitive
> material, so this patch changes a kfree into a kzfree.
>
> So, to summarize, this commit fixes the following vulnerabilities:
>
> * Low entropy key generation, allowing an attacker to potentially
> guess or predict keys.
> * Unauthenticated encryption, allowing an attacker to modify the
> cipher text in particular ways in order to manipulate the plaintext,
> which is is even more frightening considering the next point.
> * Use of ECB mode, allowing an attacker to trivially swap blocks or
> compare identical plaintext blocks.
> * Key re-use.
> * Faulty memory zeroing.
>
> Signed-off-by: Jason A. Donenfeld <Jason@xxxxxxxxx>
> --- a/security/keys/Kconfig
> +++ b/security/keys/Kconfig
> @@ -45,10 +45,8 @@ config BIG_KEYS
> bool "Large payload keys"
> depends on KEYS
> depends on TMPFS
> - depends on (CRYPTO_ANSI_CPRNG = y || CRYPTO_DRBG = y)
> select CRYPTO_AES
> - select CRYPTO_ECB
> - select CRYPTO_RNG
> + select CRYPTO_GCM
> help
> This option provides support for holding large keys within the kernel
> (for example Kerberos ticket caches). The data may be stored out to
Now this has hit mainline, the "BIG_KEYS" Kconfig symbol appeared on my
radar. Is there any reason this cannot be tristate?
The help text says:
This option provides support for holding large keys within the kernel
(for example Kerberos ticket caches). The data may be stored out to
swapspace by tmpfs.
If you are unsure as to whether this is required, answer N.
So to save kernel size, I wan't to save N, but for a distro kernel that might
have Kerberos users, you currently need to say Y, while M would be nicer.
The symbol seems to just control the build of security/keys/big_key.c,
which could use module_init() in the modular case.
I'm not sending a patch to change BIG_KEYS from bool to tristate, as this is
crypto, and I don't understand the full implications.
Thanks!
Gr{oetje,eeting}s,
Geert
--
Geert Uytterhoeven -- There's lots of Linux beyond ia32 -- geert@xxxxxxxxxxxxxx
In personal conversations with technical people, I call myself a hacker. But
when I'm talking to journalists I just say "programmer" or something like that.
-- Linus Torvalds