Re: Fixing Linux getrandom() in stable
From: Thorsten Glaser
Date: Sun May 13 2018 - 17:46:31 EST
Adrian Bunk dixit:
>As an example, what happens if I debootstrap and deploy the resulting
>filesytem to a large number of identical embedded systems without
>entropy sources?
Just get into a habit of not doing so, for example by modifying the
image during each writing process.
Having the bootloader inject entropy into the kernel would of course
help (something OpenBSD actually did, which Iâd dreamt of only until).
Reuse is only problematic then if the system actually booted, i.e. an
early userspace thing reading and immediately writing to a file will
stave off the remaining issues.
>As far as I can see, any solution above would either give me boot hangs
>or might result in nasty security issues due to the same (known) entropy
>being fed to /dev/random on many machines.
>
>Similar problems for cases like live CDs and installers.
And CPUs, and architectures, without usable boot entropy.
For the âCD imageâ case, though, adding stuff like the MAC addresses
of the onboard NICs and the current time would at least shuffle the
existing (albeit known) entropy around enough for it to begin to differ.
A web service for getting random bits sounds like an idea, until you
get to the privacy implications of that (as well as reliability). But
if itâs inhouse, itâs doable.
>I wonder whether the current issue is just the tip of the iceberg,
>and usage of /dev/urandom is a gazillion CVEs waiting to be reported.
Did you see the fallback code for Linux in OpenBSDâs code for libbsd?
Itâsâ like trying to find randomly-looking things on an 1990s Unix.
This is best fixed in the kernel and earlier, plus an extra read/write
in early userspace. Of course, embedding some entropy into the kernel
image itself will make the reproducible-builds people entirely unhappyâ
(this one *is* implemented in MirBSD, complete with a tool to update
it).
>Due to the gdm bugs mentioned above we know that there are real-life
>situations where gdm currently uses "random" data that might be
>predictable.
The question is which uses actually need entropy estimated good enough?
>> b. Tolerate a longer wait for getrandom() to return
>
>I suspect there might be no guaranteed upper bound for the waiting time.
On a discless system with no hardware sources (possibly no network)
and no keyboard interaction? Infinite.
Of course, if early userspace could reliably update a file, then the
fileâs content could be estimated as good enough and be credited to
the RNG, at least for non-identical/readonly-/shared-media systems.
>never block but might return predictable data in some cases.
âWhat level of predictability?â
>It would then be up to the application to decide whether predictable
>data is acceptable, and what to do in entropy-starved situations.
I guess most application authors have no answer for you here.
Itâs also no solution for the arc4random APIâ seems like a cultural
clash (BSD expectations vs. what Linux can actually deliver).
bye,
//mirabilos
--
âHaving a smoking section in a restaurant is like having
a peeing section in a swimming pool.â
-- Edward Burr