Re: Linux 5.3-rc8

From: Theodore Y. Ts'o
Date: Mon Sep 16 2019 - 13:01:16 EST


On Sun, Sep 15, 2019 at 08:40:30PM -0700, Linus Torvalds wrote:
> On Sun, Sep 15, 2019 at 8:23 PM Theodore Y. Ts'o <tytso@xxxxxxx> wrote:
> >
> > But not blocking is *precisely* what lead us to weak keys in network
> > devices that were sold by the millions to users in their printers,
> > wifi routers, etc.
>
> Ted, just admit that you are wrong on this, instead of writing the
> above kind of bad fantasy.
>
> We have *always* supported blocking. It's called "/dev/random". And
> guess what? Not blocking wasn't what lead to weak keys like you try to
> imply.
>
> What led to weak keys is that /dev/random is useless and nobody sane
> uses it, exactly because it always blocks.

How /dev/random blocks is very different from how getrandom(2) blocks.
Getrandom(2) blocks until the CRNG, and then it never blocks again.
/dev/random tries to do entropy accounting, and it blocks randomly all
the time. *That* is why it is useless. I agree that /dev/random is
bad, but I think you're taking the wrong message from it. It's not
that blocking is always bad; it's that insisting on entropy accounting
and "true randomness" is bad.

The getrandom(2) system call is modelled after *BSD's getentropy(2)
call, and the fact that everyone is using is because for most use
cases, it really is the right way to go.

I think that's the core of my disagreement with you. I agree that
what /dev/random does is wrong, and to date, we've kept it for
backwards compatibility reasons. Some of these reasons could be
rational, or at least debated. For example, GPG wants to use
/dev/random because it thinks it's more secure, and if they are
generating 4096 bit RSA keys, or something else which might be
"post-quantuum cryptography", it's possible that /dev/random is going
to be better than the CRNG for the hyper-paranoid. Other use cases,
such as some PCI compliance labs who think that getrandom(2) is not
sufficiently secure, are just purely insane --- but that's assuming
today's getrandom(2) is guaranteed to return cryptographically strong
results, or nothing at all.

If we change the existing behavior of getrandom(2) with the default
flags to mean, "we return whatever we feel like, and this includes
something which looks random, but might be trivially reverse
engineered by a research engineer", that is in my mind, a Really Bad
Thing To Do. And no, a big fat warning isn't sufficient, because
there will be some systems integrators and application programmers who
will ignore the kernel warning message. They might not even look at
dmesg, and a system console might not exist.

- Ted