[Cryptography] RNG design principles

Ralf Senderek crypto at senderek.ie
Tue Nov 29 06:30:48 EST 2016

From fedora at senderek.ie Tue Nov 29 12:27:13 2016
Date: Tue, 29 Nov 2016 12:26:52
From: Ralf Senderek <fedora at senderek.ie>
To: Jerry Leichter <leichter at lrw.com>
Cc: Ralf Senderek <crypto at senderek.ie>, Theodore Ts'o <tytso at mit.edu>, cryptography at metzdowd.com, John Denker <jsd at av8n.com>
Subject: Re: [Cryptography] RNG design principles

On Tue, 29 Nov 2016, Jerry Leichter wrote:

> Put another way:
> Imagine there's a named pipe at a known location accessible
> during the early boot sequence. [...]
> That pipe would have the right semantics.
> The conjectural process couldn't be implemented as a normal
> Unix process because
> (a) it would have to run too early;

not necessarily, the file system must be mounted already.

> (b) the only persistent storage available to a Unix process is the file system;


> (c) there's no way to have a file accessible to exactly one process.

And that is what I'd want to have changed and supported by (minimal)
kernel code. I think the running kernel must decide whether or not
an open() succeeds (if it is the first) or fails (until the next boot)
on such a special file structure. It wouldn't matter if the file
must live in a dedicated part of the file system (/var/secure) to
get an easy way of making the distinction between normal files and
these special ones. I don't know if such a distinction imposes an
unacceptable performance hit or not. But the attack surface of
compromising secrets stored in such special files would be greatly
reduced for many services that need secrets, because the attacking
code must be run at boot time and wouldn't see the file content
during normal operation.

> BTW, the Mac OS System Integrity Protection - which makes certain
> parts of the file system accessible only for reading, even to root, 
> except to specifically entitled programs - would, with a minor
> extension (the ability to make some files inaccessible even for read)
> get you close to being able to implement what you want using an actual
> boot-time-started process.

Yes, this sounds like something only the kernel can deliver.
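
The "first open() succeeds, every later one fails until the next boot" rule discussed above can be approximated in user space, shown here as an added example that is not part of the original post. It assumes a hypothetical helper open_once_per_boot() and a marker path on a tmpfs that is emptied at every boot (for instance under /run); because root can remove the marker, it models the semantics only and does not provide the kernel enforcement the message asks for.

```c
/* Added illustration: user-space model of "first open() per boot wins". */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/*
 * open_once_per_boot (hypothetical helper): return a read-only fd for
 * `secret` only to the first caller since boot. `marker` is assumed to sit
 * on a tmpfs that is emptied at every boot, so the claim resets on reboot.
 * Every later caller gets -1 with errno set to EACCES.
 */
int open_once_per_boot(const char *secret, const char *marker)
{
    /* O_CREAT|O_EXCL is atomic: of several racing callers exactly one
     * creates the marker, all others see EEXIST. */
    int m = open(marker, O_WRONLY | O_CREAT | O_EXCL, 0400);
    if (m < 0) {
        if (errno == EEXIST)
            errno = EACCES;          /* already claimed during this boot */
        return -1;
    }
    close(m);

    /* Claim first, then open: if this open fails the claim stays burned,
     * so the helper fails closed instead of offering a retry window. */
    return open(secret, O_RDONLY);
}

int main(int argc, char **argv)
{
    if (argc != 3) {
        fprintf(stderr, "usage: %s SECRET MARKER\n", argv[0]);
        return 2;
    }
    int fd = open_once_per_boot(argv[1], argv[2]);
    if (fd < 0) {
        perror("open_once_per_boot");
        return 1;
    }
    puts("first open since boot: secret fd granted");
    close(fd);
    return 0;
}
```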

