Re: [PATCHv2] random: Make /dev/random wait for crng_ready

From: Theodore Y. Ts'o
Date: Sat Feb 16 2019 - 13:24:07 EST


On Fri, Feb 15, 2019 at 01:58:20PM +0000, Bernd Edlinger wrote:
> Reading from /dev/random may return data while the getrandom
> syscall is still blocking.
>
> Those bytes are not yet cryptographically secure.
>
> The first byte from /dev/random can have as little
> as 8 bits entropy estimation. Once a read blocks, it will
> block until /proc/sys/kernel/random/read_wakeup_threshold
> bits are available, which is usually 64 bits, but can be
> configured as low as 8 bits. A select will wake up when
> at least read_wakeup_threshold bits are available.
> Also when constantly reading bytes out of /dev/random
> it will prevent the crng init done event forever.
>
> Fixed by making read and select on /dev/random wait until
> the crng is fully initialized.
>
> Signed-off-by: Bernd Edlinger <bernd.edlinger@xxxxxxxxxx>

This really isn't a correct way to fix things, since the blocking_pool
used for /dev/random and the CRNG state are different things, and are
fed by different sources of entropy.

What we should do is to have a separate flag which indicates that the
blocking_pool has been adequately initialized, and set it only when
the entropy count in the blocking pool is at least 128 bits. When we get
woken up by the reader lock, we would transfer entropy from the input
pool to the blocking pool, and if the pool is not yet initialized,
and the entropy count is less than 128 bits, we wait until it is.

- Ted
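
An added user-space model (not kernel code and not part of this thread) of the gating described in the reply above: a separate flag for the blocking pool, set only once its entropy count reaches 128 bits, with readers held back until then. The struct and function names, the WAIT return value, the all-at-once transfer from the input pool and the sample entropy credits are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdio.h>

#define INIT_BITS 128           /* threshold named in the reply */
#define WAIT (-1)               /* model value: reader keeps sleeping */

struct model {
    int input_bits;             /* entropy credited to the input pool */
    int blocking_bits;          /* entropy credited to the blocking pool */
    bool blocking_init;         /* the separate "adequately initialized" flag */
};

/* Credit newly gathered entropy to the input pool (constructed events). */
void credit(struct model *m, int bits) { m->input_bits += bits; }

/* One reader wakeup: transfer, gate on the flag, then hand out bytes. */
int model_read(struct model *m, int nbytes)
{
    /* Assumption: the whole input pool balance is transferred at once. */
    m->blocking_bits += m->input_bits;
    m->input_bits = 0;

    if (!m->blocking_init) {
        if (m->blocking_bits < INIT_BITS)
            return WAIT;        /* not yet initialized: no bytes leave */
        m->blocking_init = true;
    }
    int avail = m->blocking_bits / 8;
    int n = nbytes < avail ? nbytes : avail;
    if (n == 0)
        return WAIT;            /* initialized but drained: block as usual */
    m->blocking_bits -= n * 8;
    return n;
}

int main(void)
{
    struct model m = {0, 0, false};
    int steps[] = {8, 64, 56, 8};   /* constructed entropy credits, in bits */
    for (int i = 0; i < 4; i++) {
        credit(&m, steps[i]);
        int r = model_read(&m, 1);
        printf("credit %3d -> read(1) = %d, init=%d, left=%d bits\n",
               steps[i], r, m.blocking_init, m.blocking_bits);
    }
    return 0;
}
```

In this model the 8-bit and 72-bit states from the quoted commit message both leave the reader waiting, and the first byte is released only when the blocking pool itself holds 128 bits.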