[Cryptography] randomness +- entropy

Hannes Frederic Sowa hannes at stressinduktion.org
Tue Nov 5 22:39:17 EST 2013


On Tue, Nov 05, 2013 at 10:14:16PM -0500, Theodore Ts'o wrote:
> On Wed, Nov 06, 2013 at 12:38:32AM +0100, Hannes Frederic Sowa wrote:
> > 
> > Why not always print a warning once if someone tried to extract
> > randomness before the pool was fully initialized? I would even consider
> > adding a WARN_ONCE there so that it is really visible to the user. Maybe
> > kerneloops.org or some other distro infrastructure could uncover which
> > devices have their nonblocking random pool initialized too late.
> 
> What, you mean like this?
> 
> http://git.kernel.org/cgit/linux/kernel/git/tytso/random.git/commit/?h=dev&id=392a546dc8368d1745f9891ef3f8f7c380de8650

Yep, that was the commit I was referring to. I would leave out the
DEBUG_RANDOM_BOOT and make that a WARN_ONCE, so users would actually
report that. But maybe there will be too many bug reports, I don't
know. It would certainly be interesting! Maybe just for the rc-window and
switch back just before the release. ;)

> Actually, things aren't too bad.  The primary problematical caller
> that I noted was:

Ok, then it is presumably not worth making the check so noisy.

> random: rc80211_minstrel_ht_init+0x2b/0x6a get_random_bytes called with 23 bits of entropy available
> 
> ... however, this looks like it's not a security problem, since as
> near as I can tell the code in question doesn't actually need
> cryptographic randomness.  It simply dates back to before
> prandom_u32() existed in the kernel.  (We have a similar use case in
> ext4, where we only need a PRNG, and not a CSRNG.  Although
> fortunately, by the time the file system is remounted r/w, urandom is
> typically already initialized, so we're not actually triggering this
> warning.)

I introduced net_get_random_once (currently in net-next) to delay the
initialization of such secrets for as long as possible and switched some
network stack random secret initialization functions over to use it:
<https://git.kernel.org/cgit/linux/kernel/git/davem/net-next.git/commit/?id=a48e42920ff38bc90bbf75143fff4555723d4540>

I am looking for other candidates which could be migrated (and are worth
it, given my limited time to work on this).  rc80211_minstrel_ht_init does
not look like a perfect fit, but I will have a fresh look tomorrow.

(In some follow-up commits I made this irq safe. It could see usage
outside of networking, too. What is important is that the code path does
not hit net_get_random_once before jump_label_init is called, which is
very early in the boot process.)

Greetings,

  Hannes
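Added example, not code from the thread, the kernel, or either poster: a small user-space C model of the two ideas discussed above, a get_random_bytes() that warns once (and counts) when a caller draws bytes before the pool has reached its initialization threshold, and a get_random_once() helper that defers drawing a secret until its first use, so that by then the pool has usually been seeded. The 128-bit threshold, the splitmix64-style generator, the plain "done" flag standing in for the kernel's static key (jump label), and the scenario values are all assumptions of this example; the generator is not a CSPRNG and the code does not touch the real kernel pool.

```c
/* User-space model (constructed example, not kernel code) of:
 *  - warning once when random bytes are drawn before the pool is initialized
 *  - deferring a secret's initialization to first use (net_get_random_once idea)
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define POOL_INIT_BITS 128u  /* assumed threshold: pool counts as initialized */

static unsigned pool_entropy_bits = 0;              /* simulated entropy estimate */
static uint64_t pool_state = 0x9E3779B97F4A7C15ULL; /* toy state, NOT a CSPRNG */
static bool warned_early_use = false;               /* WARN_ONCE-style latch */
static unsigned early_use_count = 0;                /* how many early extractions */

/* Simulate entropy arriving (e.g. from interrupt timing). */
void credit_entropy_bits(unsigned bits) { pool_entropy_bits += bits; }

bool pool_initialized(void) { return pool_entropy_bits >= POOL_INIT_BITS; }

/* splitmix64 step; stands in for the kernel's extraction function. */
static uint64_t next_u64(void) {
    uint64_t z = (pool_state += 0x9E3779B97F4A7C15ULL);
    z = (z ^ (z >> 30)) * 0xBF58476D1CE4E5B9ULL;
    z = (z ^ (z >> 27)) * 0x94D049BB133111EBULL;
    return z ^ (z >> 31);
}

/* Like get_random_bytes() with the warning from the thread: report once,
 * and count every call, when the pool is not yet initialized. */
void get_random_bytes(void *buf, size_t n) {
    if (!pool_initialized()) {
        early_use_count++;
        if (!warned_early_use) {
            warned_early_use = true;
            fprintf(stderr, "random: get_random_bytes called with %u bits "
                            "of entropy available\n", pool_entropy_bits);
        }
    }
    unsigned char *p = buf;
    while (n) {
        uint64_t v = next_u64();
        size_t take = n < sizeof v ? n : sizeof v;
        memcpy(p, &v, take);
        p += take;
        n -= take;
    }
}

/* Lazily initialized secret: drawn on the first call that needs it, not at
 * boot/module init. The "done" flag models the kernel's static key. */
struct lazy_secret { bool done; uint64_t key; };

/* Returns true when this call performed the initialization. */
bool get_random_once(struct lazy_secret *s) {
    if (s->done) return false;
    get_random_bytes(&s->key, sizeof s->key);
    s->done = true;
    return true;
}

unsigned early_uses(void) { return early_use_count; }

/* Scenario (constructed): a secret drawn eagerly at "boot" with 23 bits of
 * entropy (the figure from the minstrel warning) trips the warning; a secret
 * drawn at first use after the pool is seeded does not. Returns the number
 * of early extractions, expected 1. */
unsigned run_scenario(void) {
    struct lazy_secret eager = {0}, lazy = {0};
    pool_entropy_bits = 23;
    early_use_count = 0;
    warned_early_use = false;

    get_random_once(&eager);   /* early: counted and warned once */
    credit_entropy_bits(200);  /* entropy arrives during boot */
    get_random_once(&lazy);    /* first use after init: not counted */
    get_random_once(&lazy);    /* already done: no extraction at all */
    return early_use_count;
}

int main(void) {
    unsigned early = run_scenario();
    printf("early extractions: %u, pool initialized: %d\n",
           early, pool_initialized());
    return early == 1 ? 0 : 1;
}
```

The point the model makes is the one Ted and Hannes are circling: the warning only reports an early extraction, it does not make the output any better, so the fix is to move the extraction later, and in the kernel the once-check is a static key, which is why the call must not be reached before jump_label_init has run.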


