[Cryptography] randomness +- entropy
Theodore Ts'o
tytso at mit.edu
Tue Nov 5 22:14:16 EST 2013
On Wed, Nov 06, 2013 at 12:38:32AM +0100, Hannes Frederic Sowa wrote:
>
> Why not always print a warning once if someone tried to extract
> randomness before the pool was fully initialized? I would even consider
> adding a WARN_ONCE there so that it is really visible to the user. Maybe
> kerneloops.org or some other distro infrastructure could uncover which
> devices have their nonblocking random pool initialized too late.
What, you mean like this?
http://git.kernel.org/cgit/linux/kernel/git/tytso/random.git/commit/?h=dev&id=392a546dc8368d1745f9891ef3f8f7c380de8650
Actually, things aren't too bad. The primary problematical caller
that I noted was:
random: rc80211_minstrel_ht_init+0x2b/0x6a get_random_bytes called with 23 bits of entropy available
... however, this looks like it's not a security problem, since as
near as I can tell the code in question doesn't actually need
cryptographic randomness. It simply dates back to before
prandom_u32() existed in the kernel. (We have a similar use case in
ext4, where we only need a PRNG, and not a CSRNG. Although
fortunately, by the time the file system is remounted r/w, urandom is
typically already initialized, so we're not actually triggering this
warning.)
Regards,
- Ted
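As an added example, not part of Ted's message or of the kernel tree, here is a small Python checker that does from userspace what the thread asks for from kerneloops-style infrastructure: it scans dmesg output for the "random: <caller> get_random_bytes called with N bits of entropy available" warning quoted above, records which caller drew from the pool and how much entropy was credited at the time, and flags calls below a chosen threshold so a defender can tell a harmless PRNG-style consumer (like the minstrel case) from something that genuinely needs cryptographic randomness. The sample log lines are constructed for this example (only the first warning line is the one quoted in the thread); the function names, the `EarlyRandomUse` record and the 128-bit threshold are assumptions of this example, not kernel interfaces. The `probe_pool_ready` helper uses the real Linux `getrandom(2)` wrapper `os.getrandom` with `GRND_NONBLOCK`, which fails with `EAGAIN` while the urandom pool is still uninitialized.

```python
import os
import re
from typing import Iterable, List, NamedTuple

# Shape of the kernel warning discussed in the thread, e.g.
#   random: rc80211_minstrel_ht_init+0x2b/0x6a get_random_bytes called with 23 bits of entropy available
# A leading dmesg timestamp such as "[    1.234567] " is tolerated because we search, not match.
WARNING_RE = re.compile(
    r"random: (?P<caller>\S+) get_random_bytes called with "
    r"(?P<bits>\d+) bits of entropy available"
)


class EarlyRandomUse(NamedTuple):
    caller: str   # symbol+offset of the code that called get_random_bytes
    bits: int     # bits of entropy credited to the pool at the time of the call


def parse_early_random_warnings(lines: Iterable[str]) -> List[EarlyRandomUse]:
    """Extract every early get_random_bytes warning from dmesg-style lines."""
    found = []
    for line in lines:
        m = WARNING_RE.search(line)
        if m:
            found.append(EarlyRandomUse(m.group("caller"), int(m.group("bits"))))
    return found


def flag_suspicious(uses: Iterable[EarlyRandomUse], threshold: int = 128) -> List[EarlyRandomUse]:
    """Keep callers that drew bytes while the pool held fewer than `threshold` bits.

    128 is an assumed review threshold for this example (the point at which a
    cryptographic consumer would be comfortable), not a kernel constant; the
    caller then decides whether the code path needs a CSPRNG or just a PRNG.
    """
    return [u for u in uses if u.bits < threshold]


def probe_pool_ready() -> str:
    """Report whether this host's urandom pool is initialized right now.

    Uses getrandom(2) with GRND_NONBLOCK: it raises EAGAIN (BlockingIOError in
    Python) while the pool is uninitialized. Returns "ready", "not_ready" or
    "unsupported" (non-Linux or old Python without os.getrandom).
    """
    if not hasattr(os, "getrandom") or not hasattr(os, "GRND_NONBLOCK"):
        return "unsupported"
    try:
        os.getrandom(1, os.GRND_NONBLOCK)
        return "ready"
    except BlockingIOError:
        return "not_ready"


# Constructed dmesg excerpt for this example. The first warning line reproduces
# the one quoted in the thread; the other lines are invented filler.
SAMPLE_DMESG = """\
[    1.234567] random: rc80211_minstrel_ht_init+0x2b/0x6a get_random_bytes called with 23 bits of entropy available
[    1.300000] usb 1-1: new high-speed USB device number 2 using ehci-pci
[    2.100000] random: example_driver_init+0x10/0x40 get_random_bytes called with 96 bits of entropy available
[    5.000000] random: nonblocking pool is initialized
[    7.500000] random: late_consumer+0x4/0x20 get_random_bytes called with 130 bits of entropy available
"""


if __name__ == "__main__":
    uses = parse_early_random_warnings(SAMPLE_DMESG.splitlines())
    for u in flag_suspicious(uses):
        print(f"review {u.caller}: drew from pool with only {u.bits} bits of entropy")
    print("local urandom pool:", probe_pool_ready())
```

On a real system, feed it `dmesg` output (or the journal) instead of `SAMPLE_DMESG`; each flagged caller is then a code path to review for whether it really needs `get_random_bytes()` or could use the kernel's PRNG, exactly the triage Ted describes for minstrel and ext4.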