[Cryptography] where shall we put the random-seed?

Theodore Ts'o tytso at mit.edu
Wed Jan 4 18:44:48 EST 2017


On Wed, Jan 04, 2017 at 07:26:51PM +0000, Jason Cooper wrote:
> 
> Ok, I see what you were after.  The random-seed may be no-credit, but
> once it's been saved with entropy pool >128 bits, then the system is no
> longer in a bad state.  I can buy that.
> 
> While pondering this, I hit on a slightly different idea.  Right now,
> the init scripts save the seed at boot up regardless of amount of
> entropy gathered.  This is in case of unclean shutdown.
> 
> Why not trigger a KOBJ_UEVENT_CHANGE when the entropy crosses a given
> threshold?  Userspace can save to random-seed then.

We can do that, but we want to rewrite the random file right after we
use it anyway.  The reason is to deny attackers who manage to penetrate root
from having access to the state of the random used to initialize the
pool.  It's a minor point, since it only really helps in the case
where the privilege escalation attack happens soon after the boot
(when access to the data dumped into the pool might help), but
rewriting the random state file is cheap.

One caution about using the KOBJ_UEVENT_CHANGE idea --- very often
the entropy pool is initialized before the root file system is
mounted, so the event may never trigger before the userspace daemon is
started.  Of course, in that case, rewriting the random state file by
the init script or systemd should serve the purpose nicely.  We just
need to make sure that nothing bad happens if the userspace daemon
ends up waiting for Godot....

					- Ted
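The load-then-immediately-rewrite pattern Ted describes, as an added example in the shape of a sysvinit-style urandom script. This is not code from the thread, from the kernel, or from any distribution; the seed path, the fallback pool size and the function names are assumptions. It reads the seed into /dev/urandom (a no-credit write, as discussed above), then at once replaces the file with fresh bytes, written with mode 0600 to a temporary name and renamed into place so a crash mid-write never leaves a truncated seed; the same save step is what an init script would run again at shutdown, or on the uevent Jason proposes, once the pool has been credited.

```shell
#!/bin/sh
# Added example (not from the thread or any distribution's init scripts):
# consume the saved seed, then overwrite it immediately so a later root
# compromise cannot recover the bytes that initialized the pool.
# DEFAULT_SEED and the 4096-bit fallback are assumptions.
set -u

DEFAULT_SEED=/var/lib/urandom/random-seed   # assumed location

# Size the seed file to the kernel's input pool (poolsize is in bits);
# fall back to 4096 bits when /proc is not mounted yet.
seed_bytes() {
    bits=$(cat /proc/sys/kernel/random/poolsize 2>/dev/null || echo 4096)
    echo $((bits / 8))
}

# Boot: mix the saved seed into the pool.  Writing to /dev/urandom adds
# the bytes but credits no entropy, which is the "no-credit" case above.
load_seed() {
    seed=${1:-$DEFAULT_SEED}
    [ -r "$seed" ] && [ -w /dev/urandom ] || return 1
    cat "$seed" > /dev/urandom
}

# Replace the seed file right away.  The new file is created with mode
# 0600 under a temporary name, flushed, and renamed over the old one, so
# the old contents are never left readable alongside a half-written copy.
save_seed() {
    seed=${1:-$DEFAULT_SEED}
    tmp="$seed.tmp"
    dir=$(dirname "$seed")
    [ -d "$dir" ] || mkdir -p "$dir"
    (
        umask 077
        dd if=/dev/urandom of="$tmp" bs="$(seed_bytes)" count=1 2>/dev/null
    ) || return 1
    sync
    mv -f "$tmp" "$seed"
}

# Boot sequence: load, then rewrite at once.  load_seed may fail on a
# first boot (no seed yet); the rewrite still produces one for next time.
reseed_at_boot() {
    seed=${1:-$DEFAULT_SEED}
    load_seed "$seed" || :
    save_seed "$seed"
}
```

Run `reseed_at_boot` early in boot and `save_seed` again at shutdown (or from the uevent handler); note that until the root filesystem is mounted read-write neither step can succeed, which is the ordering caveat raised in the reply.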

