Re: [PATCH v24 00/12] /dev/random - a new approach with full SP800-90B compliance
From: Andy Lutomirski
Date: Tue Nov 12 2019 - 10:34:15 EST
On Mon, Nov 11, 2019 at 11:13 AM Stephan MÃller <smueller@xxxxxxxxxx> wrote:
>
> The following patch set provides a different approach to /dev/random which is
> called Linux Random Number Generator (LRNG) to collect entropy within the Linux
> kernel. The main improvements compared to the existing /dev/random is to provide
> sufficient entropy during boot time as well as in virtual environments and when
> using SSDs. A secondary design goal is to limit the impact of the entropy
> collection on massive parallel systems and also allow the use accelerated
> cryptographic primitives. Also, all steps of the entropic data processing are
> testable.
This is very nice!
>
> The LRNG patch set allows a user to select use of the existing /dev/random or
> the LRNG during compile time. As the LRNG provides API and ABI compatible
> interfaces to the existing /dev/random implementation, the user can freely chose
> the RNG implementation without affecting kernel or user space operations.
>
> This patch set provides early boot-time entropy which implies that no
> additional flags to the getrandom(2) system call discussed recently on
> the LKML is considered to be necessary.
I'm uneasy about this. I fully believe that, *on x86*, this works.
But on embedded systems with in-order CPUs, a single clock, and very
lightweight boot processes, most or all of boot might be too
deterministic for this to work.
I have a somewhat competing patch set here:
https://git.kernel.org/pub/scm/linux/kernel/git/luto/linux.git/log/?h=random/kill-it
(Ignore the "horrible test hack" and the debugfs part.)
The basic summary is that I change /dev/random so that it becomes
functionally identical to getrandom(..., 0) -- in other words, it
blocks until the CRNG is initialized but is then identical to
/dev/urandom. And I add getrandom(...., GRND_INSECURE) that is
functionally identical to the existing /dev/urandom: it always returns
*something* immediately, but it may or may not actually be
cryptographically random or even random at all depending on system
details.
In other words, my series simplifies the ABI that we support. Right
now, we have three ways to ask for random numbers with different
semantics and we need to have to RNGs in the kernel at all time. With
my changes, we have only two ways to ask for random numbers, and the
/dev/random pool is entirely gone.
Would you be amenable to merging this into your series (i.e. either
merging the code or just the ideas)? This would let you get rid of
things like the compile-time selection of the blocking TRNG, since the
blocking TRNG would be entirely gone.
Or do you think that a kernel-provided blocking TRNG is a genuinely
useful thing to keep around?
--Andy