[Cryptography] where shall we put the random-seed?

Jason Cooper cryptography at lakedaemon.net
Thu Jan 5 06:50:27 EST 2017


Hi Ted,

On Wed, Jan 04, 2017 at 06:44:48PM -0500, Theodore Ts'o wrote:
> On Wed, Jan 04, 2017 at 07:26:51PM +0000, Jason Cooper wrote:
> > 
> > Ok, I see what you were after.  The random-seed may be no-credit, but
> > once it's been saved with entropy pool >128 bits, then the system is no
> > longer in a bad state.  I can buy that.
> > 
> > While pondering this, I hit on a slightly different idea.  Right now,
> > the init scripts save the seed at boot up regardless of amount of
> > entropy gathered.  This is in case of unclean shutdown.
> > 
> > Why not trigger a KOBJ_UEVENT_CHANGE when the entropy crosses a given
> > threshold?  Userspace can save to random-seed then.
> 
> We can do that, but we want to rewrite the random file right after we
> use it anyway.  The reason is to deny attackers who manage to penetrate root
> from have access to the state of the random used to initialize the
> pool.  It's a minor point, since it only really helps in the case
> where the privilege escalation attack happens soon after the boot
> (when access to the data dumpted into the pool might help), but
> rewriting the random state file is cheap.

Agreed.

> One caution of using using the KOBJ_UEVENT_CHANGE idea --- very often
> the entropy pool is initialized before the root file system is
> mounted, so the event may never trigger before the userspace daemon is
> started.  Of course, in that case, rewriting the random state file by
> the init script or systemd should serve the purpose nicely.

Ack.

> We just need to make sure that nothing bad happens if the userspace
> daemon ends up waiting for Godot....

$ sudo grep "random: non" /var/log/messages*
/var/log/messages:Jan  1 15:10:20 omega kernel: [  578.970315] random: nonblocking pool is initialized
/var/log/messages:Jan  2 13:46:42 omega kernel: [  663.739780] random: nonblocking pool is initialized
/var/log/messages:Jan  5 02:23:08 omega kernel: [  337.980131] random: nonblocking pool is initialized
/var/log/messages.1:Dec 25 13:54:38 omega kernel: [  307.997681] random: nonblocking pool is initialized

$ uname -r
4.7.5

$ cat /proc/device-tree/compatible | tr '\00' '\n'
plathome,openblocks-ax3-4
marvell,armadaxp-mv78260
marvell,armadaxp
marvell,armada-370-xp

thx,

Jason.


More information about the cryptography mailing list