<div dir="ltr"><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Dec 28, 2016 at 1:31 PM, Ron Garret <span dir="ltr"><<a href="mailto:ron@flownet.com" target="_blank">ron@flownet.com</a>></span> wrote:<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div class="m_5098760680445756495gmail-HOEnZb"><div class="m_5098760680445756495gmail-h5">
On Dec 27, 2016, at 4:18 PM, Theodore Ts'o <<a href="mailto:tytso@mit.edu" target="_blank">tytso@mit.edu</a>> wrote:<br>
> On Tue, Dec 27, 2016 at 03:32:16PM -0700, John Denker wrote:<br>
>><br>
>> The kernel image is already a fancy thing with internal structural<br></div></div></blockquote><div>..... </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div class="m_5098760680445756495gmail-HOEnZb"><div class="m_5098760680445756495gmail-h5">
>> To refresh the seed, read the System.map to see where it sits.<br></div></div></blockquote><div>..... </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div class="m_5098760680445756495gmail-HOEnZb"><div class="m_5098760680445756495gmail-h5">
><br>
> It's a lot more complicated than that. <br></div></div></blockquote><div>.... </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div class="m_5098760680445756495gmail-HOEnZb"><div class="m_5098760680445756495gmail-h5">
<br>
</div></div>What about putting it in the bootloader configuration and passing it to the kernel as a boot-time argument?<br></blockquote><div><br>Yes that can help as can a read with a timeout (pause but not block).<br><span style="color:rgb(36,39,41);font-family:arial,"helvetica neue",helvetica,sans-serif;font-size:13px">'read -t 1 line < /dev/pty' or something asking for jiberish input and timing </span></div><div><span style="color:rgb(36,39,41);font-family:arial,"helvetica neue",helvetica,sans-serif;font-size:13px">events.</span></div><div><font color="#242729" face="arial, helvetica neue, helvetica, sans-serif"><br></font>All installation media has a common problem, the same problem PRNGs have.</div><div>They all do the same thing when unattended. <br><br></div><div>Lacking keyboard or mouse input the install might continue and then after a reboot DHCP </div><div>might then continue and results can be used to some advantage. DHCP is often local and not </div><div>visible to the NSA. A DHCP server can return site specific data that can help this issue at a site </div><div>(factory, company, IT department). The longer the device can postpone the use of random </div><div>bits and postpone connecting to the network the better. </div><div><br>Generating long lasting keys too early and connecting to the world too early</div><div>seems to be the nut of a problem here.</div><div> <br></div><div>Also, we should not ignore the system attributes for files on modern file systems. <br>They imply a lot... From the XATTR man page on macOS. </div><div> Extended attributes are arbitrary metadata stored with a file, but separate from the </div><div> filesystem attributes (such as modification time or file size). The metadata is often a </div><div> null-terminated UTF-8 string, but can also be arbitrary binary data. <br>A reason to not ignore this is a trusted set of processes can control this random data </div><div>problem and exclude root (UID=0) processes. The simple owner/group/other model is too</div><div>simple when loading the OS. Lacing MAC etc.. The UID of the installer process is the only bit</div><div>that needs to be attacked. Once the OS is installed the MAC (SELinux) and stricter environments</div><div>including capability based systems can be adjusted so the system is configured to the purpose </div><div>intended. </div><div><br></div><div>arc4random() should be mentioned. There is a perl package. Apple notes this in the random man page:</div><div> "Applications requiring cryptographic quality randomness should use arc4random(3)"<br>...</div><div>from the arc4random man page"</div><div>
DESCRIPTION<br> These functions use a cryptographic pseudo-random number generator to generate high quality random </div><div> bytes very quickly. One data pool is used for all consumers in a process, so that consumption under program </div><div> flow can act as additional stirring. The subsystem is re-seeded from the kernel random number subsystem on<br> a regular basis, and also upon fork(2).</div><div><p class="m_5098760680445756495gmail-p2"><span class="m_5098760680445756495gmail-s1"> This family of functions provides higher quality random data than those described in rand(3), random(3), and</span><span class="m_5098760680445756495gmail-s1">rand48(3).</span> They can be called in almost environments, including chroot(2) and their use is encouraged over all other standard<br> library functions for random numbers. </p></div>
</div><br clear="all"><div><br></div>-- <br><div class="m_5098760680445756495gmail_signature"><div dir="ltr"> T o m M i t c h e l l</div></div>
</div></div>