From owner-freebsd-security@FreeBSD.ORG Sun Sep 16 13:46:53 2012
From: Dag-Erling Smørgrav
To: Mark Murray
Cc: Arthur Mesh, Ian Lepore, Doug Barton, Ben Laurie, freebsd-security@freebsd.org, RW, "Bjoern A. Zeeb", Mark Murray
Subject: Re: svn commit: r239569 - head/etc/rc.d
Date: Sun, 16 Sep 2012 15:46:51 +0200
Message-ID: <86fw6iyt9w.fsf@ds4.des.no>
In-Reply-To: (Mark Murray's message of "Fri, 14 Sep 2012 22:49:14 +0100")
List-Id: "Security issues [members-only posting]"

Mark Murray writes:
> You have to rely on something; Yarrow needs some entropy to cold-start,
> and on a freshly installed OS, this is rocking-horse shit. This is
> where BIG problems start because it is at this time that (eg) SSH keys
> are built. We make some effort to get the user to "keyboard bash", but
> experience has shown that annoyed users screw up, and annoyed engineers
> are often worse.

Look at the code, the "keyboard bash" hasn't worked since someone broke
it in 2006.
DES
--
Dag-Erling Smørgrav - des@des.no

From owner-freebsd-security@FreeBSD.ORG Sun Sep 16 14:15:32 2012
To: Dag-Erling Smørgrav
In-Reply-To: <86fw6iyt9w.fsf@ds4.des.no>
From: Mark Murray
Date: Sun, 16 Sep 2012 15:07:13 +0100
Cc: Arthur Mesh, Ian Lepore, Doug Barton, Ben Laurie, freebsd-security@freebsd.org, RW, "Bjoern A. Zeeb"
Subject: Re: svn commit: r239569 - head/etc/rc.d

Dag-Erling Smørgrav writes:
> Mark Murray writes:
> > You have to rely on something; Yarrow needs some entropy to cold-start,
> > and on a freshly installed OS, this is rocking-horse shit. This is
> > where BIG problems start because it is at this time that (eg) SSH keys
> > are built. We make some effort to get the user to "keyboard bash", but
> > experience has shown that annoyed users screw up, and annoyed engineers
> > are often worse.
>
> Look at the code, the "keyboard bash" hasn't worked since someone broke
> it in 2006.

Ah crap, thanks!
:-(

M
--
Mark R V Murray
Pi: 132511160

From owner-freebsd-security@FreeBSD.ORG Sun Sep 16 16:30:23 2012
To: Ben Laurie, Arthur Mesh, Ian Lepore, Doug Barton, "David O'Brien", freebsd-security@freebsd.org, RW
From: Mark Murray
Date: Sun, 16 Sep 2012 17:21:21 +0100
Subject: Proposed fix; stage 1 (Was: svn commit: r239569 - head/etc/rc.d)

Hi

Part 1 of the fix is enclosed; it involves drastically shortening the
input into /dev/random (the "kickstart") at boot time. There are time
implications that I'd like to hear any objections to.

Part 1a is going to be tweaks to stashing entropy at restart
(and possibly during normal running). Also fixes to zero-entropy
first-startup.

Part 2 will be a cheap shortening of files during reading so as not
to clog up the harvest queue. The harvest queue will always be a bit
intolerant of excess input via this route, so this should help a lot.

Part 3 will be the addition of another choice of software PRNG;
Fortuna. Fortuna is MUCH more resilient to attack, at the expense
of using more kernel memory. For modern machines, this is scarcely
noticeable, but it could be bad for embedded units.

Tweaks along the way may include reverting to the original intent of
starting the PRNG blocked, and only unblocking once reseeded.

M
--
Mark R V Murray
Pi: 132511160

Attachment: initrandom.diff
Index: initrandom
===================================================================
--- initrandom (revision 240384)
+++ initrandom (working copy)
@@ -23,15 +23,12 @@ better_than_nothing() { - # XXX temporary until we can improve the entropy - # harvesting rate. # Entropy below is not great, but better than nothing. # This unblocks the generator at startup # Note: commands are ordered to cause the most variance across reboots. - ( kenv; dmesg; df -ib; ps -fauxww; date; sysctl -a ) \ - | dd of=/dev/random bs=8k 2>/dev/null - /sbin/sha256 -q `sysctl -n kern.bootfile` \ - | dd of=/dev/random bs=8k 2>/dev/null + for cmd in "kenv" "dmesg" "df -ib" "ps -fauxww" "date" "sysctl -ao" "netstat -arn" "fstat" ; do + ${cmd}| sha256 > /dev/random + done } initrandom_start() @@ -67,6 +64,12 @@ # First pass at reseeding /dev/random. # + better_than_nothing + + sleep 1 + + # Give the RNG the best kicking that we might not have. + # case ${entropy_file} in [Nn][Oo] | '') ;; @@ -77,8 +80,6 @@ ;; esac - better_than_nothing - echo -n ' kickstart' fi

From owner-freebsd-security@FreeBSD.ORG Sun Sep 16 21:27:45 2012
Message-ID: <50564446.80606@FreeBSD.org>
Date: Sun, 16 Sep 2012 14:27:34 -0700
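Review bot: in the first hunk (`@@ -23,15 +23,12 @@`), `${cmd}| sha256 > /dev/random` caps each command's contribution at one 64-character hex digest, so the eight commands now write at most about 8 × 65 bytes where the old `( ... ) | dd of=/dev/random bs=8k` pipeline pushed the raw output; hashing cannot add entropy beyond what the output carried, so the commit message should state plainly that this trades harvest-queue volume for a fixed small input, which is exactly the truncation-versus-chunking question raised in the replies. The hunk also drops `2>/dev/null`, so a failing `netstat -arn` or `fstat` on a minimal system will now print during boot, and it removes the `/sbin/sha256 -q \`sysctl -n kern.bootfile\`` input without mentioning it; suggest keeping the stderr redirection and noting the removal.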
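Review bot: in the second hunk (`@@ -67,6 +64,12 @@`), the added `sleep 1` is an unconditional one-second boot delay with no comment on why one second is enough for the harvest queue to drain, and moving `better_than_nothing` above the `case ${entropy_file}` block reverses the previous order (saved entropy file first, weak command output second); suggest a comment giving the drain rationale, or a tunable instead of a literal, and a sentence in the commit message saying the reordering is intentional. The added comment `# Give the RNG the best kicking that we might not have.` now sits above the entropy-file case rather than the call it seems to describe and is hard to parse; reword it to say that the saved entropy file, if configured, is fed next.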
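Review bot: in the third hunk (`@@ -77,8 +80,6 @@`), removing the later `better_than_nothing` call is only correct together with the second hunk, and it means `echo -n ' kickstart'` is now printed after the new `sleep 1` rather than right after the commands run; if this goes in as "stage 1" on its own, say in the commit message that the kickstart status message now follows the delay, so nobody reads the pause as a hang.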
From: Doug Barton
Organization: http://SupersetSolutions.com/
To: Mark Murray
Cc: Arthur Mesh, Ian Lepore, Ben Laurie, freebsd-security@freebsd.org, RW
Subject: Re: Proposed fix; stage 1 (Was: svn commit: r239569 - head/etc/rc.d)

On 09/16/2012 09:21, Mark Murray wrote:
> Part 1 of the fix is enclosed; it involves drastically shortening the
> input into /dev/random (the "kickstart") at boot time. There are time
> implications that I'd like to hear any objections to.

I remain convinced that chunking the input so that we don't overflow the
buffer is a better solution than truncating it (whether that is by the
use of a hash, or other means). I also think that Ian has made several
good points about the need to avoid hashing for low-end systems, and I
have made the suggestion to split the initrandom commands into "safe for
all" and "only for higher end systems" components in part to address
Ian's concerns that some of the commands we have are real drags on
low-end systems.

There are several ways that we can do the chunking, one cheap way would
be to run the commands in a loop with a 'sleep .1' after each to give
the buffer time to drain.

Finally, I still think that making changes to the entropy-feeding
methods in initrandom or random are premature until we have a chance to
review Arthur's work on what's actually happening with the buffer.
Until we know where the problems are, we're only guessing as to what the
fixes should be.

Doug

--
I am only one, but I am one. I cannot do everything, but I can do
something. And I will not let what I cannot do interfere with what I can
do.
-- Edward Everett Hale, (1822 - 1909)

From owner-freebsd-security@FreeBSD.ORG Sun Sep 16 23:46:31 2012
Date: Mon, 17 Sep 2012 00:46:26 +0100
From: RW
To: freebsd-security@freebsd.org
Message-ID: <20120917004626.34cecf12@gumby.homeunix.com>
Subject: Re: Proposed fix; stage 1 (Was: svn commit: r239569 - head/etc/rc.d)

On Sun, 16 Sep 2012 17:21:21 +0100
Mark Murray wrote:

> Part 3 will be the addition of another choice of software PRNG;
> Fortuna. Fortuna is MUCH more resilient to attack,

Fortuna is much more resilient to types of attack that're probably never
going to happen. Potentially Fortuna could be much worse against real
world attacks because it spreads the entropy very thinly across the 32
(or more) pools. During the boot most entropy will go into pools that
won't contribute until it's too late to be of use.

I think Fortuna has a lot of merit, but it needs to be modified to be
practical as a UNIX /dev/random. For example instead of looping each
entropy source around the 32 pools, just loop up to the first pool that
has never been consumed.
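The pool-spreading effect described in the message above can be put in numbers with a small model. The following is an added example written for this edit, not code from the thread, from FreeBSD, or from any Fortuna implementation. The 32-pool layout and the rule that reseed number k drains pool i when 2^i divides k are Fortuna's published design; the `rw_variant` routing (send events only to pools 0..p, where p is the first pool that has never been drained) is a reading of RW's suggestion, and the event counts and the 4-bit credit per event are constructed inputs, not measurements.

```c
/*
 * Added example (not from the thread, FreeBSD, or any Fortuna code):
 * model how round-robin pool distribution delays the use of boot-time
 * entropy, beside the variant proposed above (route events only to
 * pools 0..p, p being the first pool never yet drained by a reseed).
 * Event counts and per-event entropy credits are constructed.
 */
#include <stdbool.h>
#include <stdio.h>

#define NPOOLS 32

struct fortuna_sim {
    unsigned bits[NPOOLS];   /* entropy (bits) accumulated in each pool */
    bool consumed[NPOOLS];   /* has a reseed ever drained this pool? */
    unsigned cursor;         /* round-robin position for the next event */
    unsigned reseeds;        /* reseeds performed so far */
    bool rw_variant;         /* false: textbook Fortuna; true: RW's proposal */
};

void sim_init(struct fortuna_sim *s, bool rw_variant)
{
    for (unsigned i = 0; i < NPOOLS; i++) {
        s->bits[i] = 0;
        s->consumed[i] = false;
    }
    s->cursor = 0;
    s->reseeds = 0;
    s->rw_variant = rw_variant;
}

/* Number of pools an incoming event may be routed to. */
static unsigned pool_span(const struct fortuna_sim *s)
{
    unsigned i;

    if (!s->rw_variant)
        return NPOOLS;
    for (i = 0; i < NPOOLS; i++)
        if (!s->consumed[i])
            break;
    /* Pools 0..i inclusive, i being the first never-consumed pool. */
    return i < NPOOLS ? i + 1 : NPOOLS;
}

/* Harvest one event credited with `bits` bits of entropy. */
void sim_harvest(struct fortuna_sim *s, unsigned bits)
{
    unsigned span = pool_span(s);

    if (s->cursor >= span)
        s->cursor = 0;
    s->bits[s->cursor] += bits;
    s->cursor = (s->cursor + 1) % span;
}

/*
 * Reseed number k (1-based) mixes in pool i when 2^i divides k: pool 0
 * every time, pool 1 every second time, pool 5 not before reseed 32.
 * Returns the entropy (bits) this reseed actually fed into the key.
 */
unsigned sim_reseed(struct fortuna_sim *s)
{
    unsigned k = ++s->reseeds;
    unsigned total = 0;

    for (unsigned i = 0; i < NPOOLS; i++) {
        if ((k & ((1u << i) - 1)) != 0)
            continue;               /* 2^i does not divide k: pool untouched */
        total += s->bits[i];
        s->bits[i] = 0;
        s->consumed[i] = true;
    }
    return total;
}

/* Entropy the very first reseed sees after `nevents` boot-time events. */
unsigned boot_bits_first_reseed(bool rw_variant, unsigned nevents, unsigned bits_each)
{
    struct fortuna_sim s;

    sim_init(&s, rw_variant);
    for (unsigned n = 0; n < nevents; n++)
        sim_harvest(&s, bits_each);
    return sim_reseed(&s);
}

/* Cumulative entropy consumed by `nreseeds` reseeds, `per_interval` events apart. */
unsigned bits_consumed_after_reseeds(bool rw_variant, unsigned nreseeds,
                                     unsigned per_interval, unsigned bits_each)
{
    struct fortuna_sim s;
    unsigned total = 0;

    sim_init(&s, rw_variant);
    for (unsigned r = 0; r < nreseeds; r++) {
        for (unsigned n = 0; n < per_interval; n++)
            sim_harvest(&s, bits_each);
        total += sim_reseed(&s);
    }
    return total;
}

int main(void)
{
    printf("first reseed after 320 events x 4 bits: fortuna=%u rw=%u\n",
           boot_bits_first_reseed(false, 320, 4),
           boot_bits_first_reseed(true, 320, 4));
    for (unsigned r = 1; r <= 8; r++)
        printf("%u reseed(s), 32 events apart: fortuna=%u rw=%u\n", r,
               bits_consumed_after_reseeds(false, r, 32, 4),
               bits_consumed_after_reseeds(true, r, 32, 4));
    return 0;
}
```

With 320 boot events credited at 4 bits each, textbook routing leaves the first reseed with only pool 0's 40 bits while the other 1240 bits wait in pools that are not drained until reseeds 2, 4, 8, and so on; the variant puts all 1280 bits into the first reseed and only starts spreading once a pool has actually been used. The model counts credited bits, not real unpredictability, so it shows where entropy goes, not how much there is.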
From owner-freebsd-security@FreeBSD.ORG Mon Sep 17 00:23:46 2012
Date: Mon, 17 Sep 2012 01:23:41 +0100
From: RW
To: freebsd-security@freebsd.org
Message-ID: <20120917012341.79cc8ce2@gumby.homeunix.com>
In-Reply-To: <50564446.80606@FreeBSD.org>
Subject: Re: Proposed fix; stage 1 (Was: svn commit: r239569 - head/etc/rc.d)

On Sun, 16 Sep 2012 14:27:34 -0700
Doug Barton wrote:

> Finally, I still think that making changes to the entropy-feeding
> methods in initrandom or random are premature until we have a chance
> to review Arthur's work on what's actually happening with the buffer.
> Until we know where the problems are, we're only guessing as to what
> the fixes should be.

The results are likely to be dependent on hardware, so it's going to be
difficult to get a complete picture. In particular I'd suggest
pre-caching ls and /entropy to simulate very fast flash drives.

From owner-freebsd-security@FreeBSD.ORG Mon Sep 17 20:17:30 2012
Date: Mon, 17 Sep 2012 22:17:40 +0200
From: Pawel Jakub Dawidek
To: Mark Murray
Message-ID: <20120917201740.GB1420@garage.freebsd.pl>
Cc: Arthur Mesh, Ian Lepore, Doug Barton, Ben Laurie, freebsd-security@freebsd.org, RW, "Bjoern A. Zeeb"
Subject: Re: svn commit: r239569 - head/etc/rc.d

On Sat, Sep 15, 2012 at 01:07:34PM +0100, Mark Murray wrote:
> Ben Laurie writes:
> > I notice that events are also discarded when the queue reaches a
> > certain length. This seems like a problem, too.
>
> Hooboy.
>
> Please go back and read this whole thread from the beginning. Attempting
> to mitigate the inevitable effects of filling the harvest queue is the
> main thrust of what I'm trying to solve.

Why can't we split harvesting entropy from /dev/random from harvesting
entropy from sources that are much more performance-sensitive?
Currently random_harvest_internal() is used for both and it is trying to
be fast, as we don't want to slow down the caller. But with /dev/random
the caller won't mind to be slowed down.

--
Pawel Jakub Dawidek                       http://www.wheelsystems.com
FreeBSD committer                         http://www.FreeBSD.org
Am I Evil? Yes, I Am!
http://tupytaj.pl

From owner-freebsd-security@FreeBSD.ORG Mon Sep 17 20:20:31 2012
Date: Mon, 17 Sep 2012 22:20:49 +0200
From: Pawel Jakub Dawidek
To: Mark Murray
Message-ID: <20120917202049.GC1420@garage.freebsd.pl>
Cc: Arthur Mesh, Ian Lepore, Doug Barton, Ben Laurie, freebsd-security@freebsd.org, RW
Subject: Re: Proposed fix; stage 1 (Was: svn commit: r239569 - head/etc/rc.d)

On Sun, Sep 16, 2012 at 05:21:21PM +0100, Mark Murray wrote:
> Hi
>
> Part 1 of the fix is enclosed; it involves drastically shortening the
> input into /dev/random (the "kickstart") at boot time. There are time
> implications that I'd like to hear any objections to.
>
> Part 1a is going to be tweaks to stashing entropy at restart
> (and possibly during normal running). Also fixes to zero-entropy
> first-startup.
>
> Part 2 will be a cheap shortening of files during reading so as not
> to clog up the harvest queue. The harvest queue will always be a bit
> intolerant of excess input via this route, so this should help a lot.
>
> Part 3 will be the addition of another choice of software PRNG;
> Fortuna. Fortuna is MUCH more resilient to attack, at the expense
> of using more kernel memory. For modern machines, this is scarcely
> noticeable, but it could be bad for embedded units.
>
> Tweaks along the way may include reverting to the original intent of
> starting the PRNG blocked, and only unblocking once reseeded.
>
> M
> --
> Mark R V Murray
> Pi: 132511160
> Index: initrandom
> ===================================================================
> --- initrandom (revision 240384)
> +++ initrandom (working copy)
> @@ -23,15 +23,12 @@ > > better_than_nothing() > { > - # XXX temporary until we can improve the entropy > - # harvesting rate. > # Entropy below is not great, but better than nothing. > # This unblocks the generator at startup > # Note: commands are ordered to cause the most variance across reboots. > - ( kenv; dmesg; df -ib; ps -fauxww; date; sysctl -a ) \ > - | dd of=/dev/random bs=8k 2>/dev/null > - /sbin/sha256 -q `sysctl -n kern.bootfile` \ > - | dd of=/dev/random bs=8k 2>/dev/null > + for cmd in "kenv" "dmesg" "df -ib" "ps -fauxww" "date" "sysctl -ao" "netstat -arn" "fstat" ; do > + ${cmd}| sha256 > /dev/random > + done

I'd much prefer to just use sha512 here and also add -b to sysctl.

--
Pawel Jakub Dawidek                       http://www.wheelsystems.com
FreeBSD committer                         http://www.FreeBSD.org
Am I Evil? Yes, I Am!                     http://tupytaj.pl

From owner-freebsd-security@FreeBSD.ORG Tue Sep 18 08:13:56 2012
In-Reply-To: <50564446.80606@FreeBSD.org>
Date: Tue, 18 Sep 2012 09:13:48 +0100
From: Ben Laurie
To: Doug Barton
Cc: Arthur Mesh, Ian Lepore, freebsd-security@freebsd.org, RW
Subject: Re: Proposed fix; stage 1 (Was: svn commit: r239569 - head/etc/rc.d)

On Sun, Sep 16, 2012 at 10:27 PM, Doug Barton wrote:
> Finally, I still think that making changes to the entropy-feeding
> methods in initrandom or random are premature until we have a chance to
> review Arthur's work on what's actually happening with the buffer. Until
> we know where the problems are, we're only guessing as to what the fixes
> should be.

I agree that buffering should be addressed first.

From owner-freebsd-security@FreeBSD.ORG Tue Sep 18 09:15:28 2012
To: Pawel Jakub Dawidek
In-Reply-To: <20120917201740.GB1420@garage.freebsd.pl>
From: Mark Murray
Date: Tue, 18 Sep 2012 10:08:47 +0100
Cc: Arthur Mesh, Ian Lepore, Doug Barton, Ben Laurie, freebsd-security@freebsd.org, RW, "Bjoern A. Zeeb"
Subject: Re: svn commit: r239569 - head/etc/rc.d

Pawel Jakub Dawidek writes:
> Why can't we split harvesting entropy from /dev/random from harvesting
> entropy from sources that are much more performance-sensitive?
> Currently random_harvest_internal() is used for both and it is trying to
> be fast, as we don't want to slow down the caller. But with /dev/random
> the caller won't mind to be slowed down.

Put that way, it actually makes sense. :-)

M
--
Mark R V Murray
Cert APS(Open) Dip Phys(Open) BSc Open(Open) BSc(Hons)(Open)
Pi: 132511160

From owner-freebsd-security@FreeBSD.ORG Tue Sep 18 21:14:10 2012
Date: Tue, 18 Sep 2012 23:14:22 +0200
From: Pawel Jakub Dawidek
To: freebsd-security@FreeBSD.org
Message-ID: <20120918211422.GA1400@garage.freebsd.pl>
Subject: Collecting entropy from device_attach() times.

Hi.

I experimented a bit with collecting entropy from the time it takes for
device_attach() to run (in CPU cycles). It seems that those times have
enough variation that we can use it for entropy harvesting. It happens
even before root is mounted, so pretty early.

On the machine I'm testing it, which has minimal kernel plus NIC driver
I see 75 device_attach() calls. I'm being very careful and advertising
to yarrow that each call has only 4 bits of entropy (most of the time
there is much more). This gives 300 bits of entropy on this machine
before we even start init.

For real hardware like sound card it takes between 34647162 and 35548675
cycles to run device_attach(), so the difference here is 901513. If all
the times are more or less equally probable in this range we have more
than 19 bits of entropy from this one call, but I reduced it to four
bits only, because there are devices that are much faster to attach. We
could make the code more complex by assuming 0.01% of the time varies,
which should still be safe and will allow us to collect more entropy from
those long calls.
The patch is here:

http://people.freebsd.org/~pjd/patches/harvest_device_attach.patch

Comments?

--
Pawel Jakub Dawidek                       http://www.wheelsystems.com
FreeBSD committer                         http://www.FreeBSD.org
Am I Evil? Yes, I Am!                     http://tupytaj.pl

From owner-freebsd-security@FreeBSD.ORG Wed Sep 19 16:52:04 2012
From: Dag-Erling Smørgrav
To: Pawel Jakub Dawidek
Cc: freebsd-security@FreeBSD.org
Date: Wed, 19 Sep 2012 17:28:46 +0200
Message-ID: <867grqm3pt.fsf@ds4.des.no>
In-Reply-To: <20120918211422.GA1400@garage.freebsd.pl>
Subject: Re: Collecting entropy from device_attach() times.

Pawel Jakub Dawidek writes:
> I experimented a bit with collecting entropy from the time it takes for
> device_attach() to run (in CPU cycles). It seems that those times have
> enough variation that we can use it for entropy harvesting. It happens
> even before root is mounted, so pretty early.

Excellent idea :)

> On the machine I'm testing it, which has minimal kernel plus NIC driver
> I see 75 device_attach() calls. I'm being very careful and advertising
> to yarrow that each call has only 4 bits of entropy (most of the time
> there is much more). This gives 300 bits of entropy on this machine
> before we even start init.

Virtual machines (and even some physical hardware) can have as few as 40 devices. I have a VirtualBox instance running 9.1-RC1 that has only 36 devices (based on `sysctl dev | cut -d. -f2-3 | sort -u | wc -l`), and a soekris net5501 that only has 43. This does not count network interfaces, though.

> For real hardware like sound card it takes between 34647162 and 35548675
> cycles to run device_attach(), [...]

You can't rely on the existence of a TSC. I would suggest using the fractional part of binuptime instead.
I would also suggest modifying yarrow to block reseeding as long as possible, ideally right up until the first time something asks for a random number, since reseeding throws away all accumulated entropy. I'd suggest delaying reseeding until right before we start the scheduler, but if I understand correctly, geom_geli may need randomness before that?

DES
-- 
Dag-Erling Smørgrav - des@des.no

From owner-freebsd-security@FreeBSD.ORG Wed Sep 19 17:48:11 2012
Date: Wed, 19 Sep 2012 18:47:58 +0100
From: RW
To: freebsd-security@freebsd.org
Message-ID: <20120919184758.28589516@gumby.homeunix.com>
In-Reply-To: <867grqm3pt.fsf@ds4.des.no>
Subject: Re: Collecting entropy from device_attach() times.

On Wed, 19 Sep 2012 17:28:46 +0200
Dag-Erling Smørgrav wrote:

> I would also suggest modifying yarrow to block reseeding as long as
> possible, ideally right up until the first time something asks for a
> random number, since reseeding throws away all accumulated entropy.

Reseeding doesn't throw away entropy, it just resets the counters; after initrandom forces a slow reseed all of the accumulated entropy (up to 256 bits) is in the generator.
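The point RW makes above, that a reseed resets the accounting counter while everything harvested stays in the generator, and the related distinction between the bits fed to the pool and the bits credited for them, are easier to see in a runnable model. The following is an added example, not FreeBSD's random(4) or Yarrow code: the struct, the function names, the 256-bit threshold and the FNV-1a mixer are all assumptions standing in for the real implementation.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not FreeBSD's random(4) code: a toy model of Yarrow-style
 * entropy accounting.  It keeps apart the two things the thread keeps apart:
 *   - the DATA fed to the pool: every bit of every sample is mixed in;
 *   - the ESTIMATE credited for it: a counter that only decides when the
 *     generator is allowed to reseed (and, in a blocking design, to unblock).
 * The mixer is 64-bit FNV-1a standing in for the hash Yarrow really uses; it
 * is not cryptographic and is here only so the model runs offline. */

#define RESEED_THRESHOLD_BITS 256   /* assumed: the "up to 256 bits" in the thread */

struct pool {
    uint64_t mix;        /* running hash of everything ever harvested */
    unsigned credited;   /* entropy estimate accumulated since the last reseed */
    uint64_t key;        /* generator key, rewritten at every reseed */
    unsigned reseeds;
};

static uint64_t fnv1a(uint64_t h, uint64_t v)
{
    for (int i = 0; i < 8; i++) {
        h ^= (v >> (8 * i)) & 0xff;
        h *= 0x100000001b3ULL;
    }
    return h;
}

void pool_init(struct pool *p)
{
    memset(p, 0, sizeof *p);
    p->mix = 0xcbf29ce484222325ULL;   /* FNV offset basis */
}

/* Harvest one sample.  The whole value is absorbed; credit_bits is only an
 * estimate and may be far below the sample's width (26-bit value, 16 credited). */
void pool_harvest(struct pool *p, uint64_t sample, unsigned credit_bits)
{
    p->mix = fnv1a(p->mix, sample);
    p->credited += credit_bits;
    if (p->credited > RESEED_THRESHOLD_BITS)
        p->credited = RESEED_THRESHOLD_BITS;
}

/* Reseed when enough has been credited, or when forced (as initrandom does).
 * Folds the pool into the key and resets the COUNTER; nothing that was mixed
 * into the pool is discarded, it now lives in the key. */
int pool_reseed(struct pool *p, int force)
{
    if (!force && p->credited < RESEED_THRESHOLD_BITS)
        return 0;
    p->key = fnv1a(p->mix, p->key);
    p->credited = 0;
    p->reseeds++;
    return 1;
}

/* How many harvests of `credit` bits each it takes to reach the threshold. */
unsigned harvests_to_threshold(unsigned credit)
{
    return (RESEED_THRESHOLD_BITS + credit - 1) / credit;
}

/* Two pools fed the same 26-bit sample except in its top ten bits (the bits
 * a low estimate "discards" from the ACCOUNTING only).  Returns 1 if the keys
 * still differ after a forced reseed, i.e. those bits were really used. */
int top_bits_still_matter(void)
{
    struct pool a, b;
    pool_init(&a);
    pool_init(&b);
    pool_harvest(&a, 0x0000000ULL | 0x12345, 16);   /* constructed sample */
    pool_harvest(&b, 0x2000000ULL | 0x12345, 16);   /* same, but bit 25 set */
    pool_reseed(&a, 1);
    pool_reseed(&b, 1);
    return a.key != b.key;
}

/* Feed 75 device_attach() timings at 4 bits each (the original post's figures)
 * and report whether a non-forced reseed is then permitted. */
int boot_reseeds_on_its_own(void)
{
    struct pool p;
    pool_init(&p);
    for (unsigned i = 0; i < 75; i++)
        pool_harvest(&p, 34647162ULL + i * 12017ULL, 4);   /* constructed timings */
    return pool_reseed(&p, 0);
}

int main(void)
{
    printf("harvests of 4 bits to reach %u: %u\n",
           RESEED_THRESHOLD_BITS, harvests_to_threshold(4));
    printf("top ten bits of a 16-bit-credited sample still change the key: %d\n",
           top_bits_still_matter());
    printf("75 attaches at 4 bits each permit a reseed: %d\n",
           boot_reseeds_on_its_own());
    return 0;
}
```

The model makes the accounting visible: after `pool_reseed()` the counter is zero, but the key was derived from every sample ever mixed in, so an under-estimate only delays when the generator is allowed to reseed; it never shortens what the generator was seeded with.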
From owner-freebsd-security@FreeBSD.ORG Wed Sep 19 18:28:42 2012
Date: Wed, 19 Sep 2012 19:28:36 +0100
From: RW
To: freebsd-security@freebsd.org
Message-ID: <20120919192836.3a60cdfd@gumby.homeunix.com>
In-Reply-To: <20120918211422.GA1400@garage.freebsd.pl>
Subject: Re: Collecting entropy from device_attach() times.

On Tue, 18 Sep 2012 23:14:22 +0200
Pawel Jakub Dawidek wrote:

> Hi.
> 
> The patch is here:
> 
> http://people.freebsd.org/~pjd/patches/harvest_device_attach.patch
> 
> Comments?
> 

+	attachtime = get_cyclecount() - attachtime;

The above line is redundant since random_harvest() already contains a call to get_cyclecount().

On Wed, 19 Sep 2012 17:28:46 +0200
Dag-Erling Smørgrav wrote:

> You can't rely on the existence of a TSC. I would suggest using the
> fractional part of binuptime instead.
get_cyclecount() is supposed to be platform independent and should fall back to nanotime(9) if TSC or equivalent is absent.

From owner-freebsd-security@FreeBSD.ORG Wed Sep 19 18:30:58 2012
Date: Wed, 19 Sep 2012 19:30:52 +0100
From: Jonathan Anderson
To: Pawel Jakub Dawidek
Cc: freebsd-security@freebsd.org
In-Reply-To: <20120918211422.GA1400@garage.freebsd.pl>
Subject: Re: Collecting entropy from device_attach() times.

On Tuesday, 18 September 2012 at 22:14, Pawel Jakub Dawidek wrote:
> I experimented a bit with collecting entropy from the time it takes for
> device_attach() to run (in CPU cycles). It seems that those times have
> enough variation that we can use it for entropy harvesting. It happens
> even before root is mounted, so pretty early.

That sounds really great.

> If all the times are more or less equally probable in this range […]

They're very unlikely to be equally probable. It would make sense to do some characterization of these times and their statistics: a highly non-uniform distribution would mean that we don't actually get many bits per attach.

> […] we have more
> than 19 bits of entropy from this one call, but I reduced it to four
> bits only, because there are devices that are much faster to attach.

Another reason for doing the above characterization is that, if a particular device_attach() really does provide 12 bits of uncertainty, it's a shame to drop eight of them on the floor.
> We could make the code more complex by assuming 0.01% of the time
> varies, which should still be safe and will allow to collect more
> entropy from those long calls.

I'm a bit leery of assuming that things "should still be safe" for the above reasons. Again, some hard numbers would really help here. Maybe we should even convince a student to do a project. :)

Jon
-- 
Jonathan Anderson
Research Associate
Computer Laboratory
University of Cambridge
jonathan.anderson@cl.cam.ac.uk
+44 1223 763 747

From owner-freebsd-security@FreeBSD.ORG Wed Sep 19 19:47:04 2012
References: <20120918211422.GA1400@garage.freebsd.pl>
Date: Wed, 19 Sep 2012 20:47:03 +0100
From: Ben Laurie
To: Jonathan Anderson
Cc: freebsd-security@freebsd.org, Pawel Jakub Dawidek
Subject: Re: Collecting entropy from device_attach() times.

On Wed, Sep 19, 2012 at 7:30 PM, Jonathan Anderson wrote:
> On Tuesday, 18 September 2012 at 22:14, Pawel Jakub Dawidek wrote:
>> […] we have more
>> than 19 bits of entropy from this one call, but I reduced it to four
>> bits only, because there are devices that are much faster to attach.
>>
>
> Another reason for doing the above characterization is that, if a particular device_attach() really does provide 12 bits of uncertainty, it's a shame to drop eight of them on the floor.

Estimating at 4 bits does not drop any entropy on the floor, it just means that if you are going to unblock the PRNG once a certain amount of entropy is present, then this input counts for 4 bits against that certain amount. The amount of entropy harvested is unchanged.

The reason to work out how much entropy there is is to:

a) Unblock as early as possible
b) Not unblock too early

Erring on the side of underestimation is wise here.
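The thread is arguing over three different estimates of the same quantity: the range bound from the original post (901513 cycles of spread, "more than 19 bits"), the "only 0.01% of the time varies" variant, and the distribution-based figure Jonathan asks for, which a clustered distribution drives far below the range bound. The following is an added example, not code from any of the patches, that computes all three with integer arithmetic that rounds down (the safe direction for a credit); the two sample sets are constructed here and stand in for the ~2000 real timings.

```c
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>

/* Added example, not code from any of the patches: three ways to put a number
 * on the entropy of a device_attach() timing, using the original post's figures
 * (34647162..35548675 cycles, 75 calls, 4 bits credited each, the "0.01% of
 * the time varies" variant) and CONSTRUCTED sample sets standing in for the
 * ~2000 real timings.  Everything is integer arithmetic that rounds down. */

/* floor(log2(x)) for x >= 1; returns 0 for x < 2. */
unsigned floor_log2(uint64_t x)
{
    unsigned b = 0;
    while (x > 1) { x >>= 1; b++; }
    return b;
}

/* Range bound: if every cycle count in [lo, hi] were equally likely. */
unsigned range_bits(uint64_t lo, uint64_t hi)
{
    return floor_log2(hi - lo);
}

/* Same bound when only one part in `denom` of the span is assumed to be
 * unpredictable (denom = 10000 for "0.01% of the time varies"). */
unsigned fraction_bits(uint64_t lo, uint64_t hi, uint64_t denom)
{
    return floor_log2((hi - lo) / denom);
}

/* Distribution-based figure: min-entropy from the most common value,
 * -log2(max_count / n), rounded down.  A clustered distribution collapses
 * this to a few bits no matter how wide the range is. */
unsigned min_entropy_bits(const uint64_t *s, size_t n)
{
    size_t max_count = 0;
    if (n == 0)
        return 0;
    for (size_t i = 0; i < n; i++) {
        size_t c = 0;
        for (size_t j = 0; j < n; j++)
            if (s[j] == s[i])
                c++;
        if (c > max_count)
            max_count = c;
    }
    return floor_log2(n / max_count);   /* both the division and log2 floor */
}

/* Credit actually handed to the pool: the measured figure, capped at what we
 * are willing to claim per call (4 in the original patch). */
unsigned per_call_credit(unsigned measured_bits, unsigned cap)
{
    return measured_bits < cap ? measured_bits : cap;
}

/* CONSTRUCTED timings: 16 attaches where half land on the same cycle count;
 * the spread is as wide as the sound-card figures, yet the distribution is poor. */
static const uint64_t clustered[16] = {
    34700000, 34700000, 34700000, 34700000, 34700000, 34700000, 34700000, 34700000,
    34647162, 34812345, 34901111, 35000321, 35123456, 35250000, 35400400, 35548675,
};

/* CONSTRUCTED timings: 16 attaches, all distinct. */
static const uint64_t spread[16] = {
    34647162, 34700000, 34750000, 34812345, 34860000, 34901111, 34950000, 35000321,
    35050000, 35123456, 35200000, 35250000, 35300000, 35400400, 35480000, 35548675,
};

int main(void)
{
    uint64_t lo = 34647162, hi = 35548675;
    printf("range bound:               %u bits\n", range_bits(lo, hi));
    printf("0.01%% of span varies:      %u bits\n", fraction_bits(lo, hi, 10000));
    printf("min-entropy, clustered:    %u bits\n", min_entropy_bits(clustered, 16));
    printf("min-entropy, spread:       %u bits\n", min_entropy_bits(spread, 16));
    printf("credited per call (cap 4): %u bits\n",
           per_call_credit(min_entropy_bits(clustered, 16), 4));
    printf("75 calls at 4 bits each:   %u bits before init\n", 75 * 4);
    return 0;
}
```

With the clustered set the range bound still says 19 bits while the most-common-value estimate says 1, which is the gap Jonathan's characterization request is about; the cap in `per_call_credit()` is what the 4-bit figure in the patch amounts to, and since it only feeds the accounting, a low cap costs nothing but a later reseed.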
From owner-freebsd-security@FreeBSD.ORG Wed Sep 19 19:29:07 2012
Date: Wed, 19 Sep 2012 21:29:24 +0200
From: Pawel Jakub Dawidek
To: Jonathan Anderson
Cc: freebsd-security@freebsd.org
Message-ID: <20120919192923.GA1416@garage.freebsd.pl>
Subject: Re: Collecting entropy from device_attach() times.

On Wed, Sep 19, 2012 at 07:30:52PM +0100, Jonathan Anderson wrote:
> > If all the times are more or less equally probable in this range […]
> 
> They're very unlikely to be equally probable. It would make sense to do some characterization of these times and their statistics: a highly non-uniform distribution would mean that we don't actually get many bits per attach.

I have times for ~2000 device_attach() calls when loading the sound card driver on a totally idle system. If someone could take those and analyse the distribution that would be great.

> > […] we have more
> > than 19 bits of entropy from this one call, but I reduced it to four
> > bits only, because there are devices that are much faster to attach.
> 
> Another reason for doing the above characterization is that, if a particular device_attach() really does provide 12 bits of uncertainty, it's a shame to drop eight of them on the floor.

Right.
That's why I've prepared another patch:

http://people.freebsd.org/~pjd/patches/harvest_device_attach.2.patch

which effectively discards the top ten bits, which means we expect 0.1% of the attach time to be unpredictable (the attach time in most cases varies by a few percent, not sure yet how much of this variation is really unpredictable).

-- 
Pawel Jakub Dawidek                       http://www.wheelsystems.com
FreeBSD committer                         http://www.FreeBSD.org
Am I Evil? Yes, I Am!                     http://tupytaj.pl

From owner-freebsd-security@FreeBSD.ORG Wed Sep 19 19:59:16 2012
In-Reply-To: <20120919192923.GA1416@garage.freebsd.pl>
Date: Wed, 19 Sep 2012 20:59:15 +0100
From: Ben Laurie
To: Pawel Jakub Dawidek
Cc: freebsd-security@freebsd.org, Jonathan Anderson
Subject: Re: Collecting entropy from device_attach() times.

On Wed, Sep 19, 2012 at 8:29 PM, Pawel Jakub Dawidek wrote:
> On Wed, Sep 19, 2012 at 07:30:52PM +0100, Jonathan Anderson wrote:
>> > If all the times are more or less equally probable in this range […]
>>
>> They're very unlikely to be equally probable. It would make sense to do some characterization of these times and their statistics: a highly non-uniform distribution would mean that we don't actually get many bits per attach.
>
> I have times for ~2000 device_attach() calls when loading sound card
> driver on totally idle system. If someone could take those and analyse
> the distribution that would be great.
>
>> > […] we have more
>> > than 19 bits of entropy from this one call, but I reduced it to four
>> > bits only, because there are devices that are much faster to attach.
>> >
>>
>> Another reason for doing the above characterization is that, if a particular device_attach() really does provide 12 bits of uncertainty, it's a shame to drop eight of them on the floor.
>
> Right. That's why I've prepared another patch:
>
> http://people.freebsd.org/~pjd/patches/harvest_device_attach.2.patch
>
> which effectively discards top ten bits, which means we expect 0.1% of
> the attach time to be unpredictable (the attach time in most cases vary
> by few percent, not sure yet how much of this variation is really
> unpredictable).

This is the wrong thing to do!
There's no reason to discard bits on input (modulo the device throwing away inputs, that is) - just reduce your entropy estimate. "Extra" bits do no harm.

From owner-freebsd-security@FreeBSD.ORG Wed Sep 19 20:20:06 2012
Date: Wed, 19 Sep 2012 22:20:24 +0200
From: Pawel Jakub Dawidek
To: Ben Laurie
Cc: freebsd-security@freebsd.org, Jonathan Anderson
Message-ID: <20120919202023.GD1416@garage.freebsd.pl>
Subject: Re: Collecting entropy from device_attach() times.

On Wed, Sep 19, 2012 at 08:59:15PM +0100, Ben Laurie wrote:
> On Wed, Sep 19, 2012 at 8:29 PM, Pawel Jakub Dawidek wrote:
> > On Wed, Sep 19, 2012 at 07:30:52PM +0100, Jonathan Anderson wrote:
> >> > If all the times are more or less equally probable in this range […]
> >>
> >> They're very unlikely to be equally probable. It would make sense to do some characterization of these times and their statistics: a highly non-uniform distribution would mean that we don't actually get many bits per attach.
> >
> > I have times for ~2000 device_attach() calls when loading sound card
> > driver on totally idle system. If someone could take those and analyse
> > the distribution that would be great.
> >
> >> > […] we have more
> >> > than 19 bits of entropy from this one call, but I reduced it to four
> >> > bits only, because there are devices that are much faster to attach.
> >> >
> >>
> >> Another reason for doing the above characterization is that, if a particular device_attach() really does provide 12 bits of uncertainty, it's a shame to drop eight of them on the floor.
> >
> > Right. That's why I've prepared another patch:
> >
> > http://people.freebsd.org/~pjd/patches/harvest_device_attach.2.patch
> >
> > which effectively discards top ten bits, which means we expect 0.1% of
> > the attach time to be unpredictable (the attach time in most cases vary
> > by few percent, not sure yet how much of this variation is really
> > unpredictable).
> 
> This is the wrong thing to do! There's no reason to discard bits on
> input (modulo the device throwing away inputs, that is) - just reduce
> your entropy estimate. "Extra" bits do no harm.

I 'discard' ten bits from the estimation. I don't discard them by zeroing them out. If the number is a 26-bit value then I feed the entire number, but pass an estimation of 16 bits.

-- 
Pawel Jakub Dawidek                       http://www.wheelsystems.com
FreeBSD committer                         http://www.FreeBSD.org
Am I Evil? Yes, I Am!
http://tupytaj.pl

From owner-freebsd-security@FreeBSD.ORG Wed Sep 19 20:46:29 2012
Date: Wed, 19 Sep 2012 21:46:24 +0100
From: RW
To: freebsd-security@freebsd.org
Message-ID: <20120919214624.2f6682a2@gumby.homeunix.com>
Subject: Re: Collecting entropy from device_attach() times.

On Wed, 19 Sep 2012 20:59:15 +0100
Ben Laurie wrote:

> On Wed, Sep 19, 2012 at 8:29 PM, Pawel Jakub Dawidek
> wrote:
> > On Wed, Sep 19, 2012 at 07:30:52PM +0100, Jonathan Anderson wrote:
> >> > If all the times are more or less equally probable in this range
> >> > […]
> >>
> >> They're very unlikely to be equally probable. It would make sense
> >> to do some characterization of these times and their statistics: a
> >> highly non-uniform distribution would mean that we don't actually
> >> get many bits per attach.
> >
> > I have times for ~2000 device_attach() calls when loading sound card
> > driver on totally idle system. If someone could take those and
> > analyse the distribution that would be great.
> >
> >> > […] we have more
> >> > than 19 bits of entropy from this one call, but I reduced it to
> >> > four bits only, because there are devices that are much faster
> >> > to attach.
> >> >
> >>
> >> Another reason for doing the above characterization is that, if a
> >> particular device_attach() really does provide 12 bits of
> >> uncertainty, it's a shame to drop eight of them on the floor.
> >
> > Right.
> > That's why I've prepared another patch:
> >
> > http://people.freebsd.org/~pjd/patches/harvest_device_attach.2.patch
> >
> > which effectively discards top ten bits, which means we expect 0.1%
> > of the attach time to be unpredictable (the attach time in most
> > cases vary by few percent, not sure yet how much of this variation
> > is really unpredictable).
>
> This is the wrong thing to do! There's no reason to discard bits on
> input (modulo the device throwing away inputs, that is) - just reduce
> your entropy estimate. "Extra" bits do no harm.

Not only that, but the actual full entropy will get used because initrandom forces a reseed irrespective of the current accounting. The extra bits may make the difference between secure and insecure. The entropy estimations before that are of no significance unless you have a local attacker that early in the boot.

From owner-freebsd-security@FreeBSD.ORG Wed Sep 19 20:57:16 2012
Date: Wed, 19 Sep 2012 13:57:15 -0700
From: David O'Brien
To: Mark Murray
Cc: Arthur Mesh, Ian Lepore, Doug Barton, Ben Laurie, freebsd-security@freebsd.org, RW
Reply-To: obrien@freebsd.org
Message-ID: <20120919205715.GA24934@dragon.NUXI.org>
Subject: Re: Proposed fix; stage 1 (Was: svn commit: r239569 - head/etc/rc.d)

On Sun, Sep 16, 2012 at 05:21:21PM +0100, Mark Murray wrote:
> Part 1 of the fix is enclosed; it involves drastically shortening the
> input into /dev/random (the "kickstart") at boot time. There are time
> implications that I'd like to hear any objections to.
...
> better_than_nothing()
> {
> - # XXX temporary until we can improve the entropy
> - # harvesting rate.
> # Entropy below is not great, but better than nothing.
> # This unblocks the generator at startup
> # Note: commands are ordered to cause the most variance across reboots.
> - ( kenv; dmesg; df -ib; ps -fauxww; date; sysctl -a ) \
> - | dd of=/dev/random bs=8k 2>/dev/null
> - /sbin/sha256 -q `sysctl -n kern.bootfile` \
> - | dd of=/dev/random bs=8k 2>/dev/null
> + for cmd in "kenv" "dmesg" "df -ib" "ps -fauxww" "date" "sysctl -ao" "netstat -arn" "fstat" ; do
> + ${cmd}| sha256 > /dev/random
> + done

Hi Mark,
A few days ago I posted a patch that changed the 'ps' and 'sysctl' commands based on good input from several folks in this on-going discussion. If your patch is to discuss a framework for "chunking", ignore the rest of this email.
If not, and this patch is ready-for-commit I feel parts of my patch should be part of this one. That being sysctl and ps command changes, along with added documentation. Also, you have some commands in your list that are in /usr. As such I do not think they are usable in 'initrandom'. Or do is there sufficient support to commit my patch as-is now as a basis for yours and others suggested changes? better_than_nothing() { - # XXX temporary until we can improve the entropy - # harvesting rate. # Entropy below is not great, but better than nothing. - # This unblocks the generator at startup - # Note: commands are ordered to cause the most variance across reboots. - ( kenv; dmesg; df -ib; ps -fauxww; date; sysctl -a ) \ - | dd of=/dev/random bs=8k 2>/dev/null + + # Entropy below is not great, but better than nothing. + # Overwhelming the internal entropy seeding buffers is a NOP. + # Once the internal buffers are filled, additional input is + # dropped on the floor until the buffers are processed. + # For FreeBSD's current yarrow implementation that means + # there is little need to seed with more than 4k of input. + # In order to reduce the size of the seed input we hash it. + + # The output of a cryptographic hash function whose input + # contained 'n' bits of entropy will have 'm' bits of entropy, + # where 'm' is either 'n' or slightly less due to collisions. + # So we operate under the premise that there is essentially + # no loss of entropy in hashing these inputs. 
+ /sbin/sha256 -q `sysctl -n kern.bootfile` \ | dd of=/dev/random bs=8k 2>/dev/null + + # Note: commands are ordered based on least changing across reboots + # to most: + ( dmesg; kenv; df -ib; \ + ps -fauxrH -o majflt,minflt,nivcsw,nvcsw,nwchan,re,sl,time; \ + sysctl -n kern.cp_times kern.geom kern.lastpid kern.timecounter \ + kern.tty_nout kern.tty_nin vm vfs debug dev.cpu; \ + date ) \ + | /sbin/sha256 -q | dd of=/dev/random bs=8k 2>/dev/null } -- -- David (obrien@FreeBSD.org) From owner-freebsd-security@FreeBSD.ORG Wed Sep 19 20:53:13 2012 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id B16B5106568A for ; Wed, 19 Sep 2012 20:53:13 +0000 (UTC) (envelope-from pawel@dawidek.net) Received: from mail.dawidek.net (garage.dawidek.net [91.121.88.72]) by mx1.freebsd.org (Postfix) with ESMTP id 72E258FC0A for ; Wed, 19 Sep 2012 20:53:13 +0000 (UTC) Received: from localhost (89-73-195-149.dynamic.chello.pl [89.73.195.149]) by mail.dawidek.net (Postfix) with ESMTPSA id A0CD24C1; Wed, 19 Sep 2012 22:52:17 +0200 (CEST) Date: Wed, 19 Sep 2012 22:53:32 +0200 
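Review bot: the hunk keeps `# Entropy below is not great, but better than nothing.` as an unchanged context line and then adds the identical sentence again as the first line of the new comment block, so the committed function would carry it twice; drop the added copy and let the new block start at `# Overwhelming the internal entropy seeding buffers is a NOP.`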
From: Pawel Jakub Dawidek
To: Jonathan Anderson
Message-ID: <20120919205331.GE1416@garage.freebsd.pl>
In-Reply-To: <20120919192923.GA1416@garage.freebsd.pl>
Cc: freebsd-security@freebsd.org, Mariusz Gromada
Subject: Re: Collecting entropy from device_attach() times.

On Wed, Sep 19, 2012 at 09:29:23PM +0200, Pawel Jakub Dawidek wrote:
> On Wed, Sep 19, 2012 at 07:30:52PM +0100, Jonathan Anderson wrote:
> > > If all the times are more or less equally probable in this range [...]
> >
> > They're very unlikely to be equally probable. It would make sense to do
> > some characterization of these times and their statistics: a highly
> > non-uniform distribution would mean that we don't actually get many bits
> > per attach.
>
> I have times for ~2000 device_attach() calls when loading sound card
> driver on totally idle system. If someone could take those and analyse
> the distribution that would be great.
>
> > > [...] we have more
> > > than 19 bits of entropy from this one call, but I reduced it to four
> > > bits only, because there are devices that are much faster to attach.
> >
> > Another reason for doing the above characterization is that, if a
> > particular device_attach() really does provide 12 bits of uncertainty,
> > it's a shame to drop eight of them on the floor.
>
> Right. That's why I've prepared another patch:
>
> http://people.freebsd.org/~pjd/patches/harvest_device_attach.2.patch
>
> which effectively discards top ten bits, which means we expect 0.1% of
> the attach time to be unpredictable (the attach time in most cases vary
> by few percent, not sure yet how much of this variation is really
> unpredictable).

Here's how the distribution looks for device_attach() times of my sound
card. The times were 26-bit numbers, so this is after discarding the top
ten bits, which leaves us with 16 lower bits of pure entropy:)

http://people.freebsd.org/~pjd/misc/harvest_device_attach.png

Kudos to my friend Mariusz (CCed) who is a mathematician and who helped
me with visualization and also promised to prepare a formal proof:)

-- 
Pawel Jakub Dawidek                       http://www.wheelsystems.com
FreeBSD committer                         http://www.FreeBSD.org
Am I Evil? Yes, I Am!                     http://tupytaj.pl

From owner-freebsd-security@FreeBSD.ORG Wed Sep 19 22:08:20 2012
Date: Wed, 19 Sep 2012 15:08:19 -0700
From: David O'Brien
To: Mark Murray
Message-ID: <20120919220819.GB25606@dragon.NUXI.org>
Cc: Arthur Mesh, Ian Lepore, Doug Barton, Ben Laurie, freebsd-security@freebsd.org, RW
Subject: Re: Proposed fix; stage 1 (Was: svn commit: r239569 - head/etc/rc.d)

On Sun, Sep 16, 2012 at 05:21:21PM +0100, Mark Murray wrote:
> Tweaks along the way may include reverting to the original intent of
> starting the PRNG blocked, and only unblocking once reseeded.

I hope I'm testing this incorrectly, but I think we've managed to break
this over the years.

1. Putting:

entropy_file="NO"
entropy_dir="NO"
entropy_save_sz="0"	# Size of the entropy cache files.
entropy_save_num="0"	# Number of entropy cache files to save.
harvest_interrupt="NO"	# Entropy device harvests interrupt randomness
harvest_ethernet="NO"	# Entropy device harvests ethernet randomness
harvest_p_to_p="NO"	# Entropy device harvests point-to-point randomness

in /etc/rc.conf

2. Commenting out "better_than_nothing":

Index: initrandom
===================================================================
--- initrandom	(revision 240709)
+++ initrandom	(working copy)
@@ -77,7 +77,7 @@ initrandom_start() ;; esac - better_than_nothing + #better_than_nothing echo -n ' kickstart' fi 3. Boot single user and delete ${entropy_file} and ${entropy_dir}/* 4. Adding this patch (which I'd like to commit (but not changing the defaults)): ----------%<----------%<----------%<----------%<----------%<---------- Index: sys/dev/random/randomdev_soft.c =================================================================== --- sys/dev/random/randomdev_soft.c (revision 240694) +++ sys/dev/random/randomdev_soft.c (working copy) @@ -42,6 +42,7 @@ __FBSDID("$FreeBSD$"); #include #include #include +#include #include #include #include @@ -72,7 +73,7 @@ struct random_systat random_yarrow = { .write = random_yarrow_write, .poll = random_yarrow_poll, .reseed = random_yarrow_flush_reseed, - .seeded = 1, + .seeded = 0, }; MALLOC_DEFINE(M_ENTROPY, "entropy", "Entropy harvesting buffers"); @@ -85,7 +86,7 @@ struct mtx harvest_mtx; /* Lockable FIFO queue holding entropy buffers */ struct entropyfifo { - int count; + unsigned int count; STAILQ_HEAD(harvestlist, harvest) head; }; @@ -97,6 +98,9 @@ static struct entropyfifo emptyfifo; /* Harvested entropy */ static struct entropyfifo harvestfifo[ENTROPYSOURCE]; +/* Count processed categories of randomness. */ +static unsigned long e_src_cnt[ENTROPYSOURCE]; + /* <0 to end the kthread, 0 to let it run, 1 to flush the harvest queues */ static int random_kthread_control = 0; 
@@ -114,6 +118,34 @@ random_check_boolean(SYSCTL_HANDLER_ARGS return sysctl_handle_int(oidp, oidp->oid_arg1, oidp->oid_arg2, req); } +static int +sysctl_random_sys_entropy_processed(SYSCTL_HANDLER_ARGS) +{ + struct sbuf sb; + int error; + + sbuf_new(&sb, NULL, 256, SBUF_AUTOEXTEND); + sbuf_printf(&sb, +"write=%lu/%u, keyboard=%lu/%u, mouse=%lu/%u, net=%lu/%u, interrupt=%lu/%u, pure=%lu/%u", + e_src_cnt[RANDOM_WRITE], + harvestfifo[RANDOM_WRITE].count, + e_src_cnt[RANDOM_KEYBOARD], + harvestfifo[RANDOM_KEYBOARD].count, + e_src_cnt[RANDOM_MOUSE], + harvestfifo[RANDOM_MOUSE].count, + e_src_cnt[RANDOM_NET], + harvestfifo[RANDOM_NET].count, + e_src_cnt[RANDOM_INTERRUPT], + harvestfifo[RANDOM_INTERRUPT].count, + e_src_cnt[RANDOM_PURE], + harvestfifo[RANDOM_PURE].count); + sbuf_trim(&sb); + sbuf_finish(&sb); + error = sysctl_handle_string(oidp, sbuf_data(&sb), sbuf_len(&sb), req); + sbuf_delete(&sb); + return (error); +} + /* ARGSUSED */ void random_yarrow_init(void) @@ -138,7 +170,7 @@ random_yarrow_init(void) SYSCTL_ADD_PROC(&random_clist, SYSCTL_CHILDREN(random_sys_o), OID_AUTO, "seeded", CTLTYPE_INT | CTLFLAG_RW, - &random_systat.seeded, 1, random_check_boolean, "I", + &random_systat.seeded, 0, random_check_boolean, "I", "Seeded State"); random_sys_harvest_o = SYSCTL_ADD_NODE(&random_clist, @@ -166,6 +198,10 @@ random_yarrow_init(void) OID_AUTO, "swi", CTLTYPE_INT | CTLFLAG_RW, &harvest.swi, 0, random_check_boolean, "I", "Harvest SWI entropy"); + SYSCTL_ADD_PROC(&random_clist, SYSCTL_CHILDREN(random_sys_harvest_o), + OID_AUTO, "entropy_processed", CTLTYPE_STRING | CTLFLAG_RD, + NULL, 0, sysctl_random_sys_entropy_processed, "A", + "Number of harvested/queued entropy sources"); /* Initialise the harvest fifos */ STAILQ_INIT(&emptyfifo.head); 
@@ -263,8 +299,10 @@ random_kthread(void *arg __unused) */ if (!STAILQ_EMPTY(&local_queue)) { mtx_unlock_spin(&harvest_mtx); - STAILQ_FOREACH(event, &local_queue, next) + STAILQ_FOREACH(event, &local_queue, next) { random_process_event(event); + e_src_cnt[event->source]++; + } mtx_lock_spin(&harvest_mtx); STAILQ_CONCAT(&emptyfifo.head, &local_queue); emptyfifo.count += local_count; Index: sys/dev/random/harvest.c =================================================================== --- sys/dev/random/harvest.c (revision 240694) +++ sys/dev/random/harvest.c (working copy) @@ -48,7 +48,12 @@ __FBSDID("$FreeBSD$"); static int read_random_phony(void *, int); /* Structure holding the desired entropy sources */ -struct harvest_select harvest = { 1, 1, 1, 0 }; +struct harvest_select harvest = { + 0, /*ethernet*/ + 0, /*pt2pt*/ + 0, /*intr*/ + 0, /*swi*/ +}; static int warned = 0; /* hold the address of the routine which is actually called if 
@@ -84,6 +89,12 @@ random_yarrow_deinit_harvester(void) * XXXRW: get_cyclecount() is cheap on most modern hardware, where cycle * counters are built in, but on older hardware it will do a real time clock * read which can be quite expensive. + * + * @entropy Buffer of 'count' bytes of potential entropy. + * @count Number of bytes in 'buffer' to process. + * @bits Estimated number of bits of entropy in 'buffer'. + * @frac Estimated number of fractional bits entropy in 'buffer'. + * @origin Origin where this entropy was gathered. */ void random_harvest(void *entropy, u_int count, u_int bits, u_int frac, ----------%<----------%<----------%<----------%<----------%<---------- 5. Still lets me boot multi-user and login: ngoc# sysctl kern.random kern.random.yarrow.gengateinterval: 10 kern.random.yarrow.bins: 10 kern.random.yarrow.fastthresh: 192 kern.random.yarrow.slowthresh: 256 kern.random.yarrow.slowoverthresh: 2 kern.random.sys.seeded: 0 kern.random.sys.harvest.ethernet: 0 kern.random.sys.harvest.point_to_point: 0 kern.random.sys.harvest.interrupt: 0 kern.random.sys.harvest.swi: 0 kern.random.sys.harvest.entropy_processed: write=0/0, keyboard=0/0, mouse=0/0, net=0/0, interrupt=0/0, pure=0/0 Also, I'm having trouble finding the source for 'swi' harvesting. Do you know where it is? 
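Review bot: the harvest.c hunk changes the `harvest_select` initializer from `{ 1, 1, 1, 0 }` to all zeros, which is exactly the default change the message says it does not want to commit; keep the initializer at `1, /*ethernet*/ 1, /*pt2pt*/ 1, /*intr*/ 0, /*swi*/` (the per-field comments are a welcome addition) and let the `harvest_*="NO"` lines in rc.conf drive the test instead. The `.seeded = 0` change in randomdev_soft.c is also a default change and deserves its own commit and commit message, since it is the "start blocked" behaviour being discussed rather than part of the diagnostic sysctl.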
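Review bot: `sysctl_random_sys_entropy_processed()` reads `e_src_cnt[]` and `harvestfifo[].count` without holding `harvest_mtx`, while `random_kthread()` updates `e_src_cnt` after `mtx_unlock_spin(&harvest_mtx)` and the harvesters update the fifo counts under the lock; the values printed for a source may therefore not correspond to each other. For a read-only diagnostic that is acceptable if a comment says the snapshot is unlocked and approximate; otherwise copy the twelve counters into locals under `mtx_lock_spin(&harvest_mtx)` and format those.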
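Review bot: the new documentation block above `random_harvest()` names the buffer `'buffer'` in the `@count`, `@bits` and `@frac` lines while the parameter is called `entropy`; use the parameter name so the comment matches the prototype, e.g. `@count Number of bytes in 'entropy' to process.`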
-- 
-- David  (obrien@FreeBSD.org)

From owner-freebsd-security@FreeBSD.ORG Wed Sep 19 22:10:57 2012
Date: Wed, 19 Sep 2012 23:10:51 +0100
From: RW
To: Pawel Jakub Dawidek
Message-ID: <20120919231051.4bc5335b@gumby.homeunix.com>
In-Reply-To: <20120919205331.GE1416@garage.freebsd.pl>
Cc: freebsd-security@freebsd.org, Jonathan Anderson, Mariusz Gromada
Subject: Re: Collecting entropy from device_attach() times.

On Wed, 19 Sep 2012 22:53:32 +0200
Pawel Jakub Dawidek wrote:

> Here's how the distribution looks like for device_attach() times of my
> sound card. The times were 26bit numbers, so this is after discarding
> top ten bits, which leave us with 16 lower bits of pure entropy:)
>
> http://people.freebsd.org/~pjd/misc/harvest_device_attach.png

You're basing a model for all devices on a single sound card; that
doesn't seem safe to me. Isn't it possible that a device could take a
long and well defined time?

Some interrupts can carry a lot of entropy but they are still only
accounted at 2 bits.

I don't see the point of trying to set a realistic number of bits unless
there's a need for secure random numbers before initrandom. If there
isn't then you might just as well set the estimation at zero bits, and
avoid wasting cpu cycles on unnecessary spontaneous reseeds before the
forced reseed.

From owner-freebsd-security@FreeBSD.ORG Wed Sep 19 22:35:00 2012
Date: Wed, 19 Sep 2012 15:34:59 -0700
From: David O'Brien To: Pawel Jakub Dawidek Message-ID: <20120919223459.GC25606@dragon.NUXI.org> References: <20120918211422.GA1400@garage.freebsd.pl> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20120918211422.GA1400@garage.freebsd.pl> X-Operating-System: FreeBSD 10.0-CURRENT X-to-the-FBI-CIA-and-NSA: HI! HOW YA DOIN? can i haz chizburger? User-Agent: Mutt/1.5.20 (2009-06-14) Cc: freebsd-security@FreeBSD.org Subject: Re: Collecting entropy from device_attach() times. X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: obrien@freebsd.org List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 19 Sep 2012 22:35:00 -0000 On Tue, Sep 18, 2012 at 11:14:22PM +0200, Pawel Jakub Dawidek wrote: > I experimented a bit with collecting entropy from the time it takes for > device_attach() to run (in CPU cycles). It seems that those times have > enough variation that we can use it for entropy harvesting. It happens > even before root is mounted, so pretty early. I like it. Microsoft harvests from something like 900 events/things. The more good things like this we find improves our security. > The patch is here: > http://people.freebsd.org/~pjd/patches/harvest_device_attach.patch > Comments? Embelishments: Index: sys/dev/random/randomdev_soft.c =================================================================== --- sys/dev/random/randomdev_soft.c (revision 240694) +++ sys/dev/random/randomdev_soft.c (working copy) 
@@ -158,6 +185,11 @@ random_yarrow_init(void) "Harvest serial net entropy"); SYSCTL_ADD_PROC(&random_clist, SYSCTL_CHILDREN(random_sys_harvest_o), + OID_AUTO, "devprobe", CTLTYPE_INT | CTLFLAG_RW, + &harvest.devprobe, 1, random_check_boolean, "I", + "Harvest Device Probe entropy"); + SYSCTL_ADD_PROC(&random_clist, + SYSCTL_CHILDREN(random_sys_harvest_o), OID_AUTO, "interrupt", CTLTYPE_INT | CTLFLAG_RW, &harvest.interrupt, 1, random_check_boolean, "I", "Harvest IRQ entropy"); @@ -303,7 +341,7 @@ random_harvest_internal(u_int64_t someco KASSERT(origin == RANDOM_START || origin == RANDOM_WRITE || origin == RANDOM_KEYBOARD || origin == RANDOM_MOUSE || origin == RANDOM_NET || origin == RANDOM_INTERRUPT || - origin == RANDOM_PURE, + origin == RANDOM_PURE || origin == RANDOM_DEVICE, ("random_harvest_internal: origin %d invalid\n", origin)); /* Lockless read to avoid lock operations if fifo is full. */ Index: sys/dev/random/harvest.c =================================================================== --- sys/dev/random/harvest.c (revision 240694) +++ sys/dev/random/harvest.c (working copy) @@ -48,7 +48,13 @@ __FBSDID("$FreeBSD$"); static int read_random_phony(void *, int); /* Structure holding the desired entropy sources */ -struct harvest_select harvest = { 1, 1, 1, 0 }; +struct harvest_select harvest = { + 1, /*ethernet*/ + 1, /*pt2pt*/ + 1, /*intr*/ + 0, /*swi*/ + 1, /*devprobe*/ +}; static int warned = 0; /* hold the address of the routine which is actually called if Index: sys/sys/random.h =================================================================== --- sys/sys/random.h (revision 240495) +++ sys/sys/random.h (working copy) @@ -45,6 +45,7 @@ enum esource { RANDOM_NET, RANDOM_INTERRUPT, RANDOM_PURE, + RANDOM_DEVICE, ENTROPYSOURCE }; void random_harvest(void *, u_int, u_int, u_int, enum esource); 
@@ -57,6 +58,7 @@ struct harvest_select { int point_to_point; int interrupt; int swi; + int device; }; extern struct harvest_select harvest; Index: sys/kern/subr_bus.c =================================================================== --- sys/kern/subr_bus.c (revision 240495) +++ sys/kern/subr_bus.c (working copy) @@ -44,6 +44,7 @@ __FBSDID("$FreeBSD$"); #include #include #include +#include #include #include #include @@ -53,6 +54,7 @@ __FBSDID("$FreeBSD$"); #include #include +#include #include #include @@ -2760,8 +2762,10 @@ device_probe_and_attach(device_t dev) int device_attach(device_t dev) { + uint64_t attachtime; int error; + attachtime = get_cyclecount(); device_sysctl_init(dev); if (!device_is_quiet(dev)) device_print_child(dev->parent, dev); @@ -2784,6 +2788,10 @@ device_attach(device_t dev) dev->state = DS_ATTACHED; dev->flags &= ~DF_DONENOMATCH; devadded(dev); + if (harvest.devprobe) + random_harvest(&attachtime, sizeof(attachtime), 4, 0, + RANDOM_DEVICE); + return (0); } Index: etc/defaults/rc.conf =================================================================== --- etc/defaults/rc.conf (revision 239610) +++ etc/defaults/rc.conf (working copy) @@ -642,6 +642,7 @@ entropy_file="/entropy" # Set to NO to d entropy_dir="/var/db/entropy" # Set to NO to disable caching entropy via cron. entropy_save_sz="2048" # Size of the entropy cache files. entropy_save_num="8" # Number of entropy cache files to save. +harvest_devprobe="YES" # Entropy device harvests device probe randomness harvest_interrupt="YES" # Entropy device harvests interrupt randomness harvest_ethernet="YES" # Entropy device harvests ethernet randomness harvest_p_to_p="YES" # Entropy device harvests point-to-point randomness Index: etc/rc.d/initrandom =================================================================== --- etc/rc.d/initrandom (revision 239610) +++ etc/rc.d/initrandom (working copy) 
@@ -41,6 +63,12 @@ initrandom_start() if [ \! -z "${soft_random_generator}" ] ; then if [ -w /dev/random ]; then + if checkyesno harvest_devprobe; then + ${SYSCTL} kern.random.sys.harvest.devprobe=1 >/dev/null + echo -n ' interrupts' + else + ${SYSCTL} kern.random.sys.harvest.devprobe=0 >/dev/null + fi if checkyesno harvest_interrupt; then ${SYSCTL} kern.random.sys.harvest.interrupt=1 >/dev/null echo -n ' interrupts' From owner-freebsd-security@FreeBSD.ORG Wed Sep 19 22:38:03 2012 Return-Path: Delivered-To: freebsd-security@FreeBSD.org Received: by hub.freebsd.org (Postfix, from userid 664) id 5480E1065673; Wed, 19 Sep 2012 22:38:03 +0000 (UTC) Date: Wed, 19 Sep 2012 15:38:02 -0700 From: David O'Brien To: Pawel Jakub Dawidek Message-ID: <20120919223802.GA26016@dragon.NUXI.org> References: <20120918211422.GA1400@garage.freebsd.pl> <20120919223459.GC25606@dragon.NUXI.org> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20120919223459.GC25606@dragon.NUXI.org> X-Operating-System: FreeBSD 10.0-CURRENT X-to-the-FBI-CIA-and-NSA: HI! HOW YA DOIN? can i haz chizburger? User-Agent: Mutt/1.5.20 (2009-06-14) Cc: freebsd-security@FreeBSD.org Subject: Re: Collecting entropy from device_attach() times. X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: obrien@freebsd.org List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 19 Sep 2012 22:38:03 -0000 On Wed, Sep 19, 2012 at 03:34:59PM -0700, David O'Brien (@FreeBSD) wrote: > Index: sys/sys/random.h 
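Review bot: in the subr_bus.c hunk `attachtime` is taken from `get_cyclecount()` before `device_sysctl_init()` and then passed unchanged to `random_harvest()` at the end of `device_attach()`, so what is harvested is the cycle count at the start of the attach, not the attach duration the thread's 4-bit estimate was derived from. Compute the elapsed count just before the harvest, e.g. `attachtime = get_cyclecount() - attachtime;`, or harvest the end-of-attach counter; either way the comment should say which value is fed and why the estimate of 4 bits applies to it.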
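Review bot: the new `harvest_devprobe` branch in etc/rc.d/initrandom echoes `' interrupts'`, copied from the interrupt branch that follows it, so a boot with both enabled prints "interrupts" twice and never mentions device probes; change it to `echo -n ' devprobe'`. The harvest.c initializer and the two `harvest.devprobe` users also depend on the struct field being named `devprobe`, while the sys/sys/random.h hunk adds it as `int device;`, so the patch will not compile as posted until the two names agree.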
> @@ -57,6 +58,7 @@ struct harvest_select { > int point_to_point; > int interrupt; > int swi; > + int device; > }; Should be "int devprobe". From owner-freebsd-security@FreeBSD.ORG Wed Sep 19 22:52:58 2012 Return-Path: Delivered-To: freebsd-security@FreeBSD.org Received: by hub.freebsd.org (Postfix, from userid 664) id 3DC941065672; Wed, 19 Sep 2012 22:52:58 +0000 (UTC) Date: Wed, 19 Sep 2012 15:52:57 -0700 
From: David O'Brien
To: Pawel Jakub Dawidek
Message-ID: <20120919225257.GA26160@dragon.NUXI.org>
In-Reply-To: <20120919223459.GC25606@dragon.NUXI.org>
Cc: freebsd-security@FreeBSD.org
Subject: Re: Collecting entropy from device_attach() times.

On Wed, Sep 19, 2012 at 03:34:59PM -0700, David O'Brien (@FreeBSD) wrote:
> On Tue, Sep 18, 2012 at 11:14:22PM +0200, Pawel Jakub Dawidek wrote:
> > I experimented a bit with collecting entropy from the time it takes for
> > device_attach() to run (in CPU cycles). It seems that those times have
> > enough variation that we can use it for entropy harvesting. It happens
> > even before root is mounted, so pretty early.
>
> I like it. Microsoft harvests from something like 900 events/things.

Some of this is documented in 'Windows 7 CNGSYS FIPS Security Policy.docx'
Section 5.3.2 "SystemPrng".
[http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp1328.pdf]
should this give anyone more ideas...
-- 
-- David

From owner-freebsd-security@FreeBSD.ORG Wed Sep 19 22:57:52 2012
Message-ID: <505A4DE7.3040304@gmail.com>
Date: Thu, 20 Sep 2012 00:57:43 +0200
From: Mariusz Gromada
To: Pawel Jakub Dawidek
In-Reply-To: <20120919205331.GE1416@garage.freebsd.pl>
Cc: freebsd-security@freebsd.org, Jonathan Anderson
Subject: Re: Collecting entropy from device_attach() times.

> On Wed, Sep 19, 2012 at 09:29:23PM +0200, Pawel Jakub Dawidek wrote:
> Here's how the distribution looks like for device_attach() times of my
> sound card. The times were 26bit numbers, so this is after discarding
> top ten bits, which leave us with 16 lower bits of pure entropy:)
> http://people.freebsd.org/~pjd/misc/harvest_device_attach.png
> Kudos to my friend Mariusz (CCed) who is mathematician and who helped me
> with visualization and also promised to prepare formal proof:)

Hi All,

I am not a mathematician :-) Below you will find some initial formal proof.

Problem definition: checking if the data sample comes from a uniform distribution.
Data sample: 2081 empirical observations (after discarding the top ten bits)

One-sample Kolmogorov-Smirnov test

Hypothesis (based on the Cumulative Distribution Functions)
H0: Empirical CDF given by 2081 obs. = theoretical uniform CDF
H1: (alternatively) Empirical CDF is different from the theoretical uniform CDF

K-S Statistic: D = 0.017405527
p-value = 0.535

Interpretation: if the p-value is much higher than the significance level (alpha) then there is no reason to reject the H0 hypothesis; if the p-value is much smaller than the significance level (alpha) then we strongly reject the H0 hypothesis.

So take any reasonable significance level (i.e. alpha = 0.05, which is far less than 0.535) and you have a proof that the empirical observations are in fact given by random uniform numbers.

Additionally please take a look at the linked chart
http://bamper.vot.pl/ks.jpg

It shows:
Good fit in general
Best fit for the range 0 - ca. 3000
Worse fit for the range ca. 3000 - 65536

It means that numbers between 0 - 3000 are more random than numbers between 3000 - 65536

Best regards,
Mariusz

From owner-freebsd-security@FreeBSD.ORG Thu Sep 20 06:54:58 2012
Date: Thu, 20 Sep 2012 07:54:57 +0100
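The masking Pawel describes (keep the low 16 bits of a 26-bit attach time) and the one-sample Kolmogorov-Smirnov test Mariusz ran on the 2081 samples, as an added Python example that is not code from the thread or from FreeBSD. It assumes the asymptotic Kolmogorov distribution with the usual small-sample correction for the p-value, so on Mariusz's D and n it gives a value close to, but not identical with, the 0.535 he reports; the inputs in `__main__` are constructed, not real attach times.

```python
"""Added example (not from the thread): mask device_attach() cycle counts to
their low 16 bits and test those values for uniformity on [0, 65536) with a
one-sample Kolmogorov-Smirnov test, as done on the real 2081 samples."""
import math
import random

BITS_KEPT = 16              # 26-bit attach times, top ten bits discarded
RANGE = 1 << BITS_KEPT      # 65536 possible values after masking


def low_bits(attach_times, bits=BITS_KEPT):
    """Keep only the low `bits` bits of each cycle-count sample."""
    mask = (1 << bits) - 1
    return [t & mask for t in attach_times]


def ks_statistic(sample, span=RANGE):
    """D = sup |ECDF(x) - F(x)| against the uniform CDF F(x) = x / span.

    The values are integers but, as in the thread's analysis, they are
    treated as draws from a continuous uniform distribution on [0, span).
    """
    xs = sorted(sample)
    n = len(xs)
    d = 0.0
    for i, x in enumerate(xs, start=1):
        f = x / span
        # Distance just after and just before the i-th ECDF step.
        d = max(d, i / n - f, f - (i - 1) / n)
    return d


def ks_pvalue(d, n):
    """Two-sided p-value for D: asymptotic Kolmogorov distribution with the
    Stephens small-sample correction (assumption: the 'probks' form from
    Numerical Recipes), so it approximates an exact table lookup."""
    lam = (math.sqrt(n) + 0.12 + 0.11 / math.sqrt(n)) * d
    total = 0.0
    sign = 1.0
    for k in range(1, 101):
        term = sign * math.exp(-2.0 * k * k * lam * lam)
        total += term
        sign = -sign
        if abs(term) < 1e-12:
            break
    return min(1.0, max(0.0, 2.0 * total))


def uniformity_report(attach_times, alpha=0.05):
    """Return (D, p, reject_h0) for the low 16 bits of the given samples.

    reject_h0 is True when the masked times are unlikely to be uniform,
    i.e. the source carries fewer bits than a flat 16-bit value would.
    """
    vals = low_bits(attach_times)
    d = ks_statistic(vals)
    p = ks_pvalue(d, len(vals))
    return d, p, p < alpha


if __name__ == "__main__":
    # Constructed input: 2081 fake 26-bit attach times whose low bits spread
    # over the whole range, and 2081 from a device with a very steady attach
    # time, to show what the test reports in each case.
    rng = random.Random(1)
    noisy = [(1 << 25) + rng.randrange(0, 1 << 25) for _ in range(2081)]
    steady = [(1 << 25) + 4000 + rng.randrange(0, 64) for _ in range(2081)]
    for name, times in (("noisy", noisy), ("steady", steady)):
        d, p, reject = uniformity_report(times)
        print(f"{name}: D={d:.4f} p={p:.3f} reject uniform? {reject}")
```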
From: Jonathan Anderson
To: Ben Laurie
Message-ID: <5C632384458A495ABD1EDF8A9A55A3E1@FreeBSD.org>
Cc: freebsd-security@FreeBSD.org, Pawel Jakub Dawidek
Subject: Re: Collecting entropy from device_attach() times.

On Wednesday, 19 September 2012 at 20:47, Ben Laurie wrote:
> Erring on the side of underestimation is wise here.

I agree wholeheartedly, but underestimation means "calculating the
correct value and then applying a safety factor" rather than "picking an
arbitrary number and hoping it's low enough".

It seems like later posts in this thread are starting to push in the
mathematically-rigorous direction; I shall go reply to those as well. :)

Jon

-- 
Jonathan Anderson
jonathan@FreeBSD.org (mailto:jonathan@FreeBSD.org)

From owner-freebsd-security@FreeBSD.ORG Thu Sep 20 07:32:38 2012
Date: Thu, 20 Sep 2012 08:32:36 +0100
From: Jonathan Anderson
To: RW
Cc: freebsd-security@FreeBSD.org
Subject: Re: Collecting entropy from device_attach() times.
Message-ID: <10CD8D9A9ADB484694DE4DCBD9594FAB@FreeBSD.org>
In-Reply-To: <20120919214624.2f6682a2@gumby.homeunix.com>
X-List-Received-Date: Thu, 20 Sep 2012 07:32:38 -0000

On Wednesday, 19 September 2012 at 21:46, RW wrote:
> extra bits may make the difference between secure and insecure

I'm sorry, this may be a bit pedantic, but I have to object to the terms "secure" and "insecure" used without qualification. :) Perhaps you mean "predictable" and "unpredictable"?

Believe it or not, this is a serious point rather than just nit-picking: there are all kinds of things that we might want to do with "random" numbers during boot, but not all of them require unpredictability in the face of an adaptive adversary. When generating a random MAC address (sys/arm/at91/if_ate.c:305), we don't need unpredictability, we just need per-machine uniqueness. When using a random delay to prevent things happening in cyclical lockstep (sys/kern/kern_synch.c:563), we don't even need that: we just need *some* things to get different delay values. So while cryptographic ("secure") randomness is always sufficient, it's not always necessary, especially in very simple machines that have a hard time harvesting entropy early in the boot process.
This is part of why I'd like to see us move to a more descriptive API:

- fuzz_value(range)
- unique_value(range)
- unpredictable_value(range)

or something like that, instead of committing to particular algorithms (arc4random) or (in userspace) telling /dev/random to "get me some random, whatever that happens to mean". The implementation of each of these functions could start with "if I have a properly-initialised PRNG, use that", but for code that doesn't require true unpredictability, it might be good to just carry on booting with only-slightly-random numbers rather than wait for entropy estimates to hit the cryptographic threshold.

But that's a discussion for another (future) thread. :)

Jon

-- 
Jonathan Anderson
jonathan@FreeBSD.org (mailto:jonathan@FreeBSD.org)
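The three-tier API Jonathan sketches above, as an added example that is neither FreeBSD code nor Jonathan's: every name is hypothetical, the "properly-initialised PRNG" is stood in for by a splitmix64 generator (not cryptographic; what the sketch shows is the gating, not the generator), and two details go beyond the proposal: an unbiased range reduction by rejection sampling, and a caller-supplied machine identifier on unique_value() so that the pre-seeding fallback can still deliver per-machine uniqueness.

```c
/*
 * Added sketch of the three-tier API proposed above; not FreeBSD code and
 * every name is hypothetical.  splitmix64 stands in for "the properly
 * initialised PRNG" and is NOT cryptographic: the point shown is the gating,
 * i.e. only unpredictable_value() refuses to answer before seeding.
 */
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

static bool prng_seeded;	/* set once the entropy estimate crosses the threshold */
static uint64_t prng_state;	/* state of the stand-in generator */
static uint64_t weak_counter;	/* fallback source before seeding: a boot-local counter */

/* One splitmix64 step: used as the stand-in PRNG and to spread the counter. */
static uint64_t
mix64(uint64_t *state)
{
	uint64_t z = (*state += 0x9E3779B97F4A7C15ULL);

	z = (z ^ (z >> 30)) * 0xBF58476D1CE4E5B9ULL;
	z = (z ^ (z >> 27)) * 0x94D049BB133111EBULL;
	return (z ^ (z >> 31));
}

/* Called by the entropy subsystem once it has harvested enough real entropy. */
static void
prng_mark_seeded(uint64_t seed)
{
	prng_state = seed;
	prng_seeded = true;
}

/* Unbiased reduction into [0, range) by rejection sampling; range >= 1. */
static uint32_t
bounded(uint64_t *state, uint32_t range)
{
	uint64_t limit = UINT64_MAX - UINT64_MAX % range;	/* largest multiple of range */
	uint64_t v;

	do {
		v = mix64(state);
	} while (v >= limit);
	return ((uint32_t)(v % range));
}

/* fuzz_value: any value in [0, range); it only has to vary between callers. */
static uint32_t
fuzz_value(uint32_t range)
{
	if (range < 2)
		return (0);
	return (bounded(prng_seeded ? &prng_state : &weak_counter, range));
}

/*
 * unique_value: must differ from what any *other* machine gets (a generated
 * MAC address, say), so before seeding it mixes in a per-machine identifier
 * supplied by the caller instead of relying on the shared counter alone.
 */
static uint32_t
unique_value(uint32_t range, uint64_t machine_id)
{
	uint64_t st;

	if (range < 2)
		return (0);
	if (prng_seeded)
		return (bounded(&prng_state, range));
	st = machine_id ^ (weak_counter += 0x9E3779B97F4A7C15ULL);
	return (bounded(&st, range));
}

/*
 * unpredictable_value: an adaptive adversary must not be able to guess it.
 * Before seeding there is nothing honest to hand back, so return EAGAIN and
 * let the caller decide whether to wait or to fail.
 */
static int
unpredictable_value(uint32_t range, uint32_t *out)
{
	if (!prng_seeded)
		return (EAGAIN);
	*out = range < 2 ? 0 : bounded(&prng_state, range);
	return (0);
}

int
main(void)
{
	uint32_t v = 0;

	printf("before seeding: fuzz=%u unique=%u unpredictable=%s\n",
	    fuzz_value(1000), unique_value(1000, 0x1234),	/* 0x1234: constructed machine id */
	    unpredictable_value(1000, &v) == EAGAIN ? "EAGAIN" : "ok");
	prng_mark_seeded(0x0123456789ABCDEFULL);	/* constructed seed, not real entropy */
	printf("after seeding:  unpredictable=%d value=%u\n", unpredictable_value(1000, &v), v);
	return (0);
}
```

The design choice worth noticing is that the requirement lives in the call, not in the algorithm: a caller of fuzz_value() can never accidentally end up depending on cryptographic quality, and a caller of unpredictable_value() can never silently receive counter-derived output, because the only pre-seeding answer it can get is an error.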
Date: Thu, 20 Sep 2012 09:58:35 +0100
In-Reply-To: <5C632384458A495ABD1EDF8A9A55A3E1@FreeBSD.org>
From: Ben Laurie
To: Jonathan Anderson
Cc: freebsd-security@freebsd.org, Pawel Jakub Dawidek
Subject: Re: Collecting entropy from device_attach() times.

On Thu, Sep 20, 2012 at 7:54 AM, Jonathan Anderson wrote:
> On Wednesday, 19 September 2012 at 20:47, Ben Laurie wrote:
> > Erring on the side of underestimation is wise here.
>
> I agree wholeheartedly, but underestimation means "calculating the correct
> value and then applying a safety factor" rather than "picking an arbitrary
> number and hoping it's low enough".

Ideally, sure.
Date: Thu, 20 Sep 2012 09:59:17 +0100
In-Reply-To: <20120919202023.GD1416@garage.freebsd.pl>
From: Ben Laurie
To: Pawel Jakub Dawidek
Cc: freebsd-security@freebsd.org, Jonathan Anderson
Subject: Re: Collecting entropy from device_attach() times.

On Wed, Sep 19, 2012 at 9:20 PM, Pawel Jakub Dawidek wrote:
> On Wed, Sep 19, 2012 at 08:59:15PM +0100, Ben Laurie wrote:
>> On Wed, Sep 19, 2012 at 8:29 PM, Pawel Jakub Dawidek wrote:
>> > On Wed, Sep 19, 2012 at 07:30:52PM +0100, Jonathan Anderson wrote:
>> >> > If all the times are more or less equally probable in this range […]
>> >>
>> >> They're very unlikely to be equally probable. It would make sense to do some characterization of these times and their statistics: a highly non-uniform distribution would mean that we don't actually get many bits per attach.
>> >
>> > I have times for ~2000 device_attach() calls when loading sound card
>> > driver on totally idle system. If someone could take those and analyse
>> > the distribution that would be great.
>> >
>> >> > […] we have more
>> >> > than 19 bits of entropy from this one call, but I reduced it to four
>> >> > bits only, because there are devices that are much faster to attach.
>> >> >
>> >>
>> >> Another reason for doing the above characterization is that, if a particular device_attach() really does provide 12 bits of uncertainty, it's a shame to drop eight of them on the floor.
>> >
>> > Rights.
>> > That's why I've prepared another patch:
>> >
>> > http://people.freebsd.org/~pjd/patches/harvest_device_attach.2.patch
>> >
>> > which effectively discards top ten bits, which means we expect 0.1% of
>> > the attach time to be unpredictable (the attach time in most cases vary
>> > by few percent, not sure yet how much of this variation is really
>> > unpredictable).
>>
>> This is the wrong thing to do! There's no reason to discard bits on
>> input (modulo the device throwing away inputs, that is) - just reduce
>> your entropy estimate. "Extra" bits do no harm.
>
> I 'discard' ten bits from the estimation. I don't discard them by
> zeroing them out. If the number is a 26 bit value then I feed entire
> number, but pass estimation of 16 bits.

Sorry, should've read the code first! This is great.

I also like your friend's analysis.
From: Dag-Erling Smørgrav
To: RW
Cc: freebsd-security@freebsd.org
Subject: Re: Collecting entropy from device_attach() times.
Message-ID: <86sjadt677.fsf@ds4.des.no>
In-Reply-To: <20120919184758.28589516@gumby.homeunix.com> (RW's message of "Wed, 19 Sep 2012 18:47:58 +0100")
Date: Thu, 20 Sep 2012 11:05:32 +0200

RW writes:
> Dag-Erling Smørgrav writes:
> > I would also suggest modifying yarrow to block reseeding as long as
> > possible, ideally right up until the first time something asks for a
> > random number, since reseeding throws away all accumulated entropy.
> reseeding doesn't throw away entropy

Yes, it does.

DES
-- 
Dag-Erling Smørgrav - des@des.no
From: Dag-Erling Smørgrav
To: RW
Cc: freebsd-security@freebsd.org, Jonathan Anderson, Pawel Jakub Dawidek, Mariusz Gromada
Subject: Re: Collecting entropy from device_attach() times.
Message-ID: <86ipb9t5hj.fsf@ds4.des.no>
In-Reply-To: <20120919231051.4bc5335b@gumby.homeunix.com> (RW's message of "Wed, 19 Sep 2012 23:10:51 +0100")
Date: Thu, 20 Sep 2012 11:20:56 +0200

RW writes:
> You're basing a model for all devices on a single sound card, that
> doesn't seem safe to me. Isn't it possible that a device could take a
> long and well defined time?

Please understand that the timers used here have a resolution of around 1e-8 to 1e-10 seconds. You may be able to predict the first six digits with reasonable accuracy - in fact, the first four or five will almost always be 0, except for devices with moving parts - but anything beyond that is a crapshoot, even in a virtual machine.
(I am speaking, of course, of decimal digits - multiply by 3.322 for the corresponding number of bits)

DES
-- 
Dag-Erling Smørgrav - des@des.no
From: Dag-Erling Smørgrav
To: Pawel Jakub Dawidek
Cc: freebsd-security@freebsd.org, Jonathan Anderson
Subject: Re: Collecting entropy from device_attach() times.
Message-ID: <86boh1t3q9.fsf@ds4.des.no>
In-Reply-To: <20120919192923.GA1416@garage.freebsd.pl> (Pawel Jakub Dawidek's message of "Wed, 19 Sep 2012 21:29:24 +0200")
Date: Thu, 20 Sep 2012 11:58:54 +0200

Pawel Jakub Dawidek writes:
> http://people.freebsd.org/~pjd/patches/harvest_device_attach.2.patch

You can replace highbit(x) - 9 with flsll(x) - 10. Unfortunately, we don't have flsll() in the kernel, but here's a simple implementation:

/*
 * Find last bit set in an unsigned long long.  Assumes that ULL is
 * always 64 bits wide while UL may be either 32 or 64 bits wide.
 * flsl() is the kernel's own <sys/libkern.h> routine for unsigned long.
 */
static __inline unsigned int
flsll(unsigned long long mask)
{
#ifdef __LP64__
	return (flsl(mask));
#else
	return (mask >> 32 ? 32 + flsl(mask >> 32) : flsl(mask));
#endif
}

On i386 and amd64, flsl() is an inline function that expands to a single assembler instruction. On all other platforms, it is a function in libkern, which is stupid - gcc and clang have builtin functions for it which are almost certainly faster than a function call. Same goes for s/last bit/first bit/; s/fls/ffs/g.
DES
-- 
Dag-Erling Smørgrav - des@des.no
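The flsll() replacement above together with Pawel's rule quoted earlier in the thread (feed the whole 26-bit value, credit only 16 bits), as an added example that is neither DES's code nor the patch: my_flsll() uses the compiler builtin DES mentions with a portable fallback, credit_for() applies flsll(delta) - 10, harvest_attach_time() records the full delta next to the credit it earned, and count_repeats() compares two such records position by position, which is the kind of cross-boot check the thread keeps asking for. All names, the record size and the timings in main() are constructed.

```c
/*
 * Added example, not the patch under discussion: flsll() via the compiler
 * builtin, entropy crediting as flsll(delta) - 10, and a per-boot record
 * of what was fed so that two boots can be compared.  Names are hypothetical.
 */
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* 1-based index of the highest set bit; 0 for mask == 0, like fls(). */
static inline unsigned int
my_flsll(unsigned long long mask)
{
#if defined(__GNUC__)
	return (mask == 0 ? 0 :
	    (unsigned int)(sizeof(mask) * CHAR_BIT) - (unsigned int)__builtin_clzll(mask));
#else
	unsigned int n = 0;

	while (mask != 0) {
		n++;
		mask >>= 1;
	}
	return (n);
#endif
}

#define DISCARD_BITS	10	/* top bits of the estimate treated as predictable */
#define RECORD_MAX	64	/* hypothetical size of the pre-boot record */

struct harvest_entry {
	uint64_t delta;		/* full attach duration in timer ticks: every bit is fed */
	unsigned int credit;	/* entropy credited for it, in bits */
};

struct harvest_record {
	struct harvest_entry e[RECORD_MAX];
	size_t n;
	uint64_t credited_bits;	/* running estimate handed to the pool */
};

/* The estimate: flsll(delta) - 10, floored at zero for very fast devices. */
static unsigned int
credit_for(uint64_t delta)
{
	unsigned int bits = my_flsll(delta);

	return (bits > DISCARD_BITS ? bits - DISCARD_BITS : 0);
}

/*
 * Record one device_attach() timing: the whole delta is kept (and would be
 * fed to the pool), only the estimate is reduced.  Returns the credited bits,
 * or -1 if the clock went backwards or the record is full.
 */
static int
harvest_attach_time(struct harvest_record *rec, uint64_t t_before, uint64_t t_after)
{
	uint64_t delta;
	unsigned int credit;

	if (t_after < t_before || rec->n >= RECORD_MAX)
		return (-1);
	delta = t_after - t_before;
	credit = credit_for(delta);
	rec->e[rec->n].delta = delta;
	rec->e[rec->n].credit = credit;
	rec->n++;
	rec->credited_bits += credit;
	return ((int)credit);
}

/* How many entries at the same position carry exactly the same delta in both boots? */
static size_t
count_repeats(const struct harvest_record *a, const struct harvest_record *b)
{
	size_t n = a->n < b->n ? a->n : b->n, same = 0;

	for (size_t i = 0; i < n; i++)
		if (a->e[i].delta == b->e[i].delta)
			same++;
	return (same);
}

int
main(void)
{
	/* Constructed timings, not measured: two "boots" of three devices each. */
	struct harvest_record boot1 = { .n = 0 }, boot2 = { .n = 0 };
	uint64_t t1[] = { 100, 100 + 0x3FFFFFFULL, 200, 200 + 0x1FFF, 300, 300 + 0x80 };
	uint64_t t2[] = { 100, 100 + 0x3FFFFE0ULL, 200, 200 + 0x1FFF, 300, 300 + 0x80 };

	for (size_t i = 0; i < 6; i += 2) {
		harvest_attach_time(&boot1, t1[i], t1[i + 1]);
		harvest_attach_time(&boot2, t2[i], t2[i + 1]);
	}
	printf("boot1 credited %llu bits, boot2 %llu bits, %zu identical deltas\n",
	    (unsigned long long)boot1.credited_bits,
	    (unsigned long long)boot2.credited_bits, count_repeats(&boot1, &boot2));
	return (0);
}
```

A 26-bit delta earns 16 bits, a 13-bit delta 3 bits, and a delta below 1024 ticks earns nothing, which matches the "0.1% of the attach time" reading of the patch; a high repeat count between two records is the signal that the credited estimate is too generous for that device.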
From: Jonathan Anderson
To: Dag-Erling Smørgrav
Cc: freebsd-security@FreeBSD.org, RW, Mariusz Gromada, Pawel Jakub Dawidek
Subject: Re: Collecting entropy from device_attach() times.
In-Reply-To: <86ipb9t5hj.fsf@ds4.des.no>
X-List-Received-Date: Thu, 20 Sep 2012 10:03:56 -0000

On Thursday, 20 September 2012 at 10:20, Dag-Erling Smørgrav wrote:
> Please understand that the timers used here have a resolution of around
> 1e-8 to 1e-10 seconds. You may be able to predict the first six digits
> with reasonable accuracy - in fact, the first four or five will almost
> always be 0, except for devices with moving parts - but anything beyond
> that is a crapshoot, even in a virtual machine.

And this conclusion seems to be borne out by Pawel's data, at least on one machine on one architecture. RW's point is still valid, though: if we're going to start asserting that "we have gathered entropy from source X", we owe it to the consumers of that entropy to really check that we've done what we claim.

For instance: on an embedded board with few devices, that uses FDT rather than bus enumeration whatsits, perhaps the time is more deterministic and therefore yields less entropy. I don't know, maybe it doesn't, but we must have data.
Jon

-- 
Jonathan Anderson
jonathan@FreeBSD.org
From: Dag-Erling Smørgrav
To: Jonathan Anderson
Cc: freebsd-security@FreeBSD.org, RW, Mariusz Gromada, Pawel Jakub Dawidek
Subject: Re: Collecting entropy from device_attach() times.
Message-ID: <86392dt29o.fsf@ds4.des.no>
In-Reply-To: (Jonathan Anderson's message of "Thu, 20 Sep 2012 11:03:55 +0100")
Date: Thu, 20 Sep 2012 12:30:27 +0200

Jonathan Anderson writes:
> For instance: on an embedded board with few devices, that uses FDT
> rather than bus enumeration whatsits, perhaps the time is more
> deterministic and therefore yields less entropy.

The idea is that attach() initializes the hardware, which is where the unpredictability comes from. Yes, embedded devices will certainly have less of it, but they will still have *some*.

And yes, we need data, which is why when I proposed this last week I also proposed a scheme to record what we feed into Yarrow pre-boot so we could inspect it and compare it across multiple boots.
DES
-- 
Dag-Erling Smørgrav - des@des.no
From: Jonathan Anderson
To: Pawel Jakub Dawidek
Cc: freebsd-security@FreeBSD.org, RW, Mariusz Gromada
Subject: Re: Collecting entropy from device_attach() times.
Message-ID: <269BF2927F4A4BB5B0F4A4155F2294A6@FreeBSD.org>
In-Reply-To: <20120920102104.GA1397@garage.freebsd.pl>
X-List-Received-Date: Thu, 20 Sep 2012 10:32:54 -0000

On Thursday, 20 September 2012 at 11:21, Pawel Jakub Dawidek wrote:
> It would be ideal if we could provide properly seeded PRNG even for
> single-user mode, so eliminating initrandom altogether is also an
> option

Amen to that. :)

As I believe theraven@ pointed out a couple of days ago: it is very silly indeed that we are taking data generated by the kernel (process table) based on presumed-pseudorandom inputs, passing it to userspace, turning it into text (via ps), hashing that text and then passing it *back* to the kernel in order to stir into the entropy pool that we could instead just build from actually-fairly-random information like device_attach() times.
Jon

-- 
Jonathan Anderson
jonathan@FreeBSD.org
From: Jonathan Anderson
To: Dag-Erling Smørgrav
Cc: freebsd-security@FreeBSD.org, RW, Mariusz Gromada, Pawel Jakub Dawidek, Jonathan Anderson
Subject: Re: Collecting entropy from device_attach() times.
Message-ID: <3B899D7720314D3EBFE7C1DC028B5D8F@FreeBSD.org>
In-Reply-To: <86392dt29o.fsf@ds4.des.no>
X-List-Received-Date: Thu, 20 Sep 2012 10:35:18 -0000

On Thursday, 20 September 2012 at 11:30, Dag-Erling Smørgrav wrote:
> which is why when I proposed this last week I also proposed a scheme to
> record what we feed into Yarrow pre-boot so we could inspect it and
> compare it across multiple boots.

I must've missed that e-mail. Sounds great: I'd love to see such statistics.
Jon

-- 
Jonathan Anderson
jonathan@FreeBSD.org
From: Dag-Erling Smørgrav
To: Jonathan Anderson
Cc: freebsd-security@FreeBSD.org, RW, Mariusz Gromada, Pawel Jakub Dawidek
Subject: Re: Collecting entropy from device_attach() times.
Message-ID: <86y5k5rmt1.fsf@ds4.des.no>
In-Reply-To: <3B899D7720314D3EBFE7C1DC028B5D8F@FreeBSD.org> (Jonathan Anderson's message of "Thu, 20 Sep 2012 11:35:17 +0100")
Date: Thu, 20 Sep 2012 12:49:46 +0200

Jonathan Anderson writes:
> I must've missed that e-mail. Sounds great: I'd love to see such
> statistics.

Yes, it went to a list with a much higher SNR than this one.
DES
-- 
Dag-Erling Smørgrav - des@des.no
From: Pawel Jakub Dawidek
To: RW
Cc: freebsd-security@freebsd.org, Jonathan Anderson, Mariusz Gromada
Subject: Re: Collecting entropy from device_attach() times.
Message-ID: <20120920102104.GA1397@garage.freebsd.pl>
In-Reply-To: <20120919231051.4bc5335b@gumby.homeunix.com>
X-OS: FreeBSD 10.0-CURRENT amd64
X-List-Received-Date: Thu, 20 Sep 2012 10:20:52 -0000

On Wed, Sep 19, 2012 at 11:10:51PM +0100, RW wrote:
> On Wed, 19 Sep 2012 22:53:32 +0200
> Pawel Jakub Dawidek wrote:
>
> > Here's how the distribution looks like for device_attach() times of my
> > sound card. The times were 26bit numbers, so this is after discarding
> > top ten bits, which leave us with 16 lower bits of pure entropy:)
> >
> > http://people.freebsd.org/~pjd/misc/harvest_device_attach.png
>
> You're basing a model for all devices on a single sound card, that
> doesn't seem safe to me. Isn't it possible that a device could take a
> long and well defined time? Some interrupts can carry a lot of entropy
> but they are still only accounted at 2 bits.

I agree, we should do such analysis for many more devices and different kinds of devices. A platform might be an important factor as well.
It is hard to collect a decent number of probes when reboot is needed, so what I'd recommend is to turn off SMP, boot into single module and kldload/kldunload a driver in a loop, of course with kernel patched to log those times.

> I don't see the point of trying to set a realistic number of bits
> unless there's a need for secure random numbers before initrandom. If
> there isn't then you might just as well set the estimation at zero
> bits, and avoid wasting cpu cycles on unnecessary spontaneous reseeds
> before the forced reseed.

It would be ideal if we could provide properly seeded PRNG even for single-user mode, so eliminating initrandom altogether is also an option, but also doesn't hurt to leave it as it is. I don't like depending on initrandom as it doesn't help for single-user mode and it might be easy to make some mistake by ordering rc.d/ scripts and placing some script that needs properly seeded PRNG before initrandom. Feeding enough entropy into yarrow before even root is mounted would be perfect.

-- 
Pawel Jakub Dawidek                       http://www.wheelsystems.com
FreeBSD committer                         http://www.FreeBSD.org
Am I Evil? Yes, I Am!
http://tupytaj.pl
From: John Baldwin
To: freebsd-security@freebsd.org
Date: Thu, 20 Sep 2012 07:58:51 -0400
Cc: Mariusz Gromada, RW, Jonathan Anderson, Pawel Jakub Dawidek
Subject: Re: Collecting entropy from device_attach() times.

On Thursday, September 20, 2012 6:21:04 am Pawel Jakub Dawidek wrote:
> On Wed, Sep 19, 2012 at 11:10:51PM +0100, RW wrote:
> > On Wed, 19 Sep 2012 22:53:32 +0200
> > Pawel Jakub Dawidek wrote:
> >
> > > Here's how the distribution looks for device_attach() times of my
> > > sound card. The times were 26-bit numbers, so this is after discarding
> > > the top ten bits, which leaves us with 16 lower bits of pure entropy:)
> > >
> > > http://people.freebsd.org/~pjd/misc/harvest_device_attach.png
> >
> > You're basing a model for all devices on a single sound card, that
> > doesn't seem safe to me. Isn't it possible that a device could take a
> > long and well defined time? Some interrupts can carry a lot of entropy
> > but they are still only accounted at 2 bits.
>
> I agree, we should do such analysis for many more devices and different
> kinds of devices. A platform might be an important factor as well.
> It is hard to collect a decent number of probes when a reboot is needed, so
> what I'd recommend is to turn off SMP, boot into single-user mode and
> kldload/kldunload a driver in a loop, of course with the kernel patched to
> log those times.

This is not always representative. Any driver that uses a config intrhook will run that synchronously during attach() in single user mode but will not during boot. config intrhooks often go out and do things that take a variable amount of time (poking hardware, waiting for interrupts, etc.). That means that timing any such drivers from single user mode will likely give you more variable attach() times than would occur during boot.

-- 
John Baldwin
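To make the estimate question in this exchange concrete (pjd keeps the low 16 of 26 cycle-count bits, the posted device_attach() patch credits 4 bits per harvest, and RW worries about a device with a well-defined attach time), here is an added Python sketch that is not from the thread or from FreeBSD. The attach timings are constructed, the LCG and the base value are arbitrary, and min-entropy is used as the conservative figure to check an estimate against.

```python
import math
from collections import Counter

CYCLE_BITS = 26      # width of the raw device_attach() cycle counts quoted in the thread
KEEP_BITS = 16       # the thread discards the top ten bits and keeps the lower sixteen
PATCH_ESTIMATE = 4   # bits credited per device_attach() harvest in the posted patch


def bit_field(samples, lo, hi):
    """Extract bits [lo, hi) of each sample: (s >> lo) & ((1 << (hi - lo)) - 1)."""
    mask = (1 << (hi - lo)) - 1
    return [(s >> lo) & mask for s in samples]


def min_entropy_bits(values):
    """Min-entropy of the empirical distribution, -log2(max p).

    This is the figure an entropy estimate should be compared against: it only
    credits the most likely outcome's unpredictability. It is capped at
    log2(len(values)) by the sample size, so a small sample set understates it.
    """
    counts = Counter(values)
    return -math.log2(max(counts.values()) / len(values))


def jittery_device(n, base=0x2A5F3C1):
    """Constructed 26-bit attach times for a device whose duration varies by up
    to 2^16 cycles. The jitter comes from a fixed LCG so the data is reproducible;
    these are not real measurements."""
    x, out = 12345, []
    for _ in range(n):
        x = (1664525 * x + 1013904223) & 0xFFFFFFFF
        out.append((base + (x >> 16)) & ((1 << CYCLE_BITS) - 1))
    return out


def well_defined_device(n, base=0x2A5F3C1):
    """Constructed attach times for a device that takes an almost fixed number of
    cycles (only four distinct durations): the case RW raises in the thread."""
    return [(base + (i % 4)) & ((1 << CYCLE_BITS) - 1) for i in range(n)]


def audit_estimate(samples, claimed=PATCH_ESTIMATE, keep=KEEP_BITS):
    """Compare the estimate credited per harvest with the min-entropy actually
    present in the kept low bits, and report how little the discarded high bits
    would have contributed. Returns (measured_low, measured_high, safe), where
    safe means the claimed estimate does not exceed the measured low-bit figure."""
    low = min_entropy_bits(bit_field(samples, 0, keep))
    high = min_entropy_bits(bit_field(samples, keep, CYCLE_BITS))
    return low, high, claimed <= low
```

A fixed 4-bit estimate passes for the jittery device and fails for the well-defined one, which is why a single sound card is not a model for every bus.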
From: John Baldwin
To: freebsd-security@freebsd.org, obrien@freebsd.org
Date: Thu, 20 Sep 2012 08:44:10 -0400
Cc: Arthur Mesh, Ian Lepore, Doug Barton, Ben Laurie, RW
Subject: Re: Proposed fix; stage 1 (Was: svn commit: r239569 - head/etc/rc.d)

On Wednesday, September 19, 2012 6:08:19 pm David O'Brien wrote:
> Also, I'm having trouble finding the source for 'swi' harvesting.
> Do you know where it is? It has certainly not been used since 5.0.

I wasn't able to find it in my limited grubbing around in 4.x sources either. The untested change below would add it so that all calls to swi_sched() would harvest something similar to what happens for hardware interrupts. Note that the current code already explicitly forbids INTR_ENTROPY from being set for swi handlers, so the current random_harvest() call in intr_schedule_thread() should never trigger for an swi. I just copied the random_harvest() code from the hardware interrupt case. I leave it up to someone else to explicitly ok that this data goes into the RANDOM_INTERRUPT queue with the claim of 2 bits of entropy:

Index: sys/kern/kern_intr.c
===================================================================
--- kern_intr.c	(revision 240605)
+++ kern_intr.c	(working copy)
@@ -1144,11 +1144,21 @@ swi_sched(void *cookie, int flags)
 {
 	struct intr_handler *ih = (struct intr_handler *)cookie;
 	struct intr_event *ie = ih->ih_event;
+	struct intr_entropy entropy;
 	int error;
 
 	CTR3(KTR_INTR, "swi_sched: %s %s need=%d", ie->ie_name, ih->ih_name,
 	    ih->ih_need);
 
+	if (harvest.swi) {
+		CTR3(KTR_INTR, "swi_sched: pid %d (%s) gathering entropy",
+		    curproc->p_pid, curthread->td_name);
+		entropy.event = (uintptr_t)ih;
+		entropy.td = curthread;
+		random_harvest(&entropy, sizeof(entropy), 2, 0,
+		    RANDOM_INTERRUPT);
+	}
+
 	/*
 	 * Set ih_need for this handler so that if the ithread is already
 	 * running it will execute this handler on the next pass.  Otherwise,

-- 
John Baldwin
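Review bot: the CTR3() call inside the new `if (harvest.swi)` block has two conversions (`%d`, `%s`) and two arguments but uses the three-argument macro; either use CTR2() or pass `__func__` for a leading `%s`. The payload handed to random_harvest() (the handler pointer in `entropy.event` and `curthread`) changes little between consecutive swi_sched() calls for the same handler, so the bytes themselves carry almost none of the 2 bits claimed; unless the estimate is meant to rest on arrival timing, a lower figure such as 1 bit is the safer default.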
Date: Thu, 20 Sep 2012 23:01:33 +0100
From: RW
To: Dag-Erling Smørgrav
Cc: freebsd-security@freebsd.org
Subject: Re: Collecting entropy from device_attach() times.

On Thu, 20 Sep 2012 11:05:32 +0200 Dag-Erling Smørgrav wrote:
> RW writes:
> > Dag-Erling Smørgrav writes:
> > > I would also suggest modifying yarrow to block reseeding as long
> > > as possible, ideally right up until the first time something asks
> > > for a random number, since reseeding throws away all accumulated
> > > entropy.
> > reseeding doesn't throw away entropy
> 
> Yes, it does.

Would you elaborate? I don't see what you mean by that. When yarrow reseeds, the previous generator key is hashed with the pool[s] into the new key. The key will therefore *accumulate* entropy across multiple reseeds.
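An added Python model of the reseed behaviour argued about here, and of the remark earlier in the thread that a zero-bit estimate avoids spontaneous reseeds; it is not FreeBSD's code. It assumes the thresholds shown by `sysctl kern.random` in this thread, SHA-256 standing in for the pool and key hash, events alternating between the fast and slow pools, a known all-zero cold-start key, and no output generator or gate.

```python
import hashlib

# Thresholds as shown by 'sysctl kern.random' in this thread.
FASTTHRESH = 192       # kern.random.yarrow.fastthresh
SLOWTHRESH = 256       # kern.random.yarrow.slowthresh
SLOWOVERTHRESH = 2     # kern.random.yarrow.slowoverthresh


class Pool:
    """One accumulation pool: a running hash plus per-source entropy estimates."""
    def __init__(self):
        self.hash = hashlib.sha256()
        self.bits = {}

    def add(self, source, data, bits):
        self.hash.update(data)
        self.bits[source] = self.bits.get(source, 0) + bits


class Yarrow:
    """Simplified reseed control (assumption: this is a model, not the kernel code).
    Events alternate between the pools; the fast pool reseeds when any one source
    reaches FASTTHRESH, the slow pool when SLOWOVERTHRESH sources each reach
    SLOWTHRESH."""
    def __init__(self):
        self.key = bytes(32)          # unseeded cold start: a known key (assumption)
        self.fast, self.slow = Pool(), Pool()
        self.next_slow = False
        self.reseeds = []

    def harvest(self, source, data, bits):
        pool = self.slow if self.next_slow else self.fast
        self.next_slow = not self.next_slow
        pool.add(source, data, bits)
        if any(b >= FASTTHRESH for b in self.fast.bits.values()):
            self.reseed("fast")
        elif sum(b >= SLOWTHRESH for b in self.slow.bits.values()) >= SLOWOVERTHRESH:
            self.reseed("slow")

    def reseed(self, kind):
        # K' = H(K || fast digest [|| slow digest]). The old key is an input, so
        # entropy folded into earlier keys is carried forward, not discarded.
        h = hashlib.sha256(self.key)
        h.update(self.fast.hash.digest())
        if kind == "slow":
            h.update(self.slow.hash.digest())
            self.slow = Pool()
        self.fast = Pool()
        self.key = h.digest()
        self.reseeds.append(kind)


def harvests_until_first_reseed(bits_per_event, source="device", limit=1000):
    """Number of single-source harvests, each credited bits_per_event, before the
    first spontaneous reseed; None if none happens within limit events."""
    y = Yarrow()
    for i in range(1, limit + 1):
        y.harvest(source, i.to_bytes(8, "little"), bits_per_event)
        if y.reseeds:
            return i
    return None


def final_key(events):
    """Key and reseed count after a sequence of (source, data, bits) events."""
    y = Yarrow()
    for source, data, bits in events:
        y.harvest(source, data, bits)
    return y.key, len(y.reseeds)


def interrupt_events(n, bits=2, tweak_index=None):
    """Constructed interrupt events (not real samples); optionally alter one
    event's payload to show that it still influences the key after later reseeds."""
    events = []
    for i in range(n):
        data = i.to_bytes(8, "little")
        if i == tweak_index:
            data = bytes(b ^ 0xFF for b in data)
        events.append(("interrupt", data, bits))
    return events
```

With 4 bits credited per device_attach() the first spontaneous reseed arrives after 95 harvests, with 0 bits it never does, and flipping one event that fed the first reseed still changes the key produced by the second one.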
Date: Thu, 20 Sep 2012 23:07:33 +0100
From: RW
To: Jonathan Anderson
Cc: freebsd-security@FreeBSD.org
Subject: Re: Collecting entropy from device_attach() times.

On Thu, 20 Sep 2012 08:32:36 +0100 Jonathan Anderson wrote:
> On Wednesday, 19 September 2012 at 21:46, RW wrote:
> > extra bits may make the difference between secure and insecure
>
> I'm sorry, this may be a bit pedantic, but I have to object to the
> terms "secure" and "insecure" used without qualification. :) Perhaps
> you mean "predictable" and "unpredictable"?

No, I meant "extra bits may make the difference between /dev/random being secure and being insecure". Sorry if it wasn't clear.

Date: Thu, 20 Sep 2012 16:29:47 -0700
From: David O'Brien
To: Jonathan Anderson
Cc: freebsd-security@FreeBSD.org, RW, Mariusz Gromada, Pawel Jakub Dawidek
Subject: Re: Collecting entropy from device_attach() times.

On Thu, Sep 20, 2012 at 11:32:53AM +0100, Jonathan Anderson wrote:
> As I believe theraven@ pointed out a couple of days ago: it is very
> silly indeed that we are taking data generated by the kernel (process
...

I thought I had mentioned something like this in the rc.d thread, but it seems it was to an internal $WORK thread. It would seem to me that adding an 'initialize_devrandom_seeding' sysctl for use in 'initrandom' or by the single-user user could be better than running userland commands (sysctl, dmesg, kenv) or being restricted to commands in /[s]bin where there are some interesting ones in /usr/bin that aren't available to 'initrandom'. This would allow us to specify >0 bits entropy from this data.
-- 
-- David  (obrien@FreeBSD.org)

Date: Thu, 20 Sep 2012 18:39:58 -0700
From: David O'Brien
To: John Baldwin
Cc: Arthur Mesh, Ian Lepore, Doug Barton, Ben Laurie, freebsd-security@freebsd.org, RW
Subject: Re: Proposed fix; stage 1 (Was: svn commit: r239569 - head/etc/rc.d)

On Thu, Sep 20, 2012 at 08:44:10AM -0400, John Baldwin wrote:
> I leave it up to someone else to explicitly ok that this data goes into
> the RANDOM_INTERRUPT queue with the claim of 2 bits of entropy:
>
> Index: sys/kern/kern_intr.c
...
>+	if (harvest.swi) {
>+		CTR3(KTR_INTR, "swi_sched: pid %d (%s) gathering entropy",
>+		    curproc->p_pid, curthread->td_name);

	CTR3(KTR_INTR, "%s: pid %d (%s) gathering entropy",
	    __func__, curproc->p_pid, curthread->td_name);
--or--
	CTR2(KTR_INTR, "swi_sched: pid %d (%s) gathering entropy",
	    curproc->p_pid, curthread->td_name);

This seems to have captured some harvesting. I applied your patch and only enabled harvest.swi with:

Index: harvest.c
===================================================================
--- harvest.c	(revision 240694)
+++ harvest.c	(working copy)
@@ -51 +51,7 @@ static int read_random_phony(void *, int
-struct harvest_select harvest = { 1, 1, 1, 0 };
+struct harvest_select harvest = {
+	0, /*ethernet*/
+	0, /*pt2pt*/
+	0, /*intr*/
+	1, /*swi*/
+	0, /*devprobe*/
+};

ngoc# sysctl kern.random
kern.random.yarrow.gengateinterval: 10
kern.random.yarrow.bins: 10
kern.random.yarrow.fastthresh: 192
kern.random.yarrow.slowthresh: 256
kern.random.yarrow.slowoverthresh: 2
kern.random.sys.seeded: 1
kern.random.sys.harvest.ethernet: 0
kern.random.sys.harvest.point_to_point: 0
kern.random.sys.harvest.devprobe: 0
kern.random.sys.harvest.interrupt: 0
kern.random.sys.harvest.swi: 1
kern.random.sys.harvest.entropy_processed: write=0/0, keyboard=0/0, mouse=0/0, net=0/0, interrupt=4235/3, device=0/0 pure=0/0

(note, this system is initialized as non-seeded as shown in my previous patch)

-- 
-- David  (obrien@FreeBSD.org)

Date: Thu, 20 Sep 2012 23:08:15 -0700
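Review bot: the `@@ -51 +51,7 @@` hunk replaces the stock four-element initializer `{ 1, 1, 1, 0 }` with five elements, so the fifth entry `0, /*devprobe*/` only compiles when pjd's device_attach() patch, which adds the fifth struct harvest_select member, is applied as well; that dependency should be stated. As a measurement setup that turns off every default source but swi, this must stay on the test box and not be committed as the default.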
From: David O'Brien
To: Pawel Jakub Dawidek
Cc: freebsd-security@FreeBSD.org
Subject: Re: Collecting entropy from device_attach() times.

On Fri, Sep 21, 2012 at 07:35:49AM +0200, Pawel Jakub Dawidek wrote:
> Note that adding a sysctl to turn off entropy harvesting from
> device_attach() is pretty useless, as sysctls can be changed once we
> start userland and then all device_attach() are already called (modulo
> drivers loaded later).

That is what I had in mind -- .ko drivers loaded post 'initrandom'.

The same could be said for kern.random.sys.harvest.interrupt. By the time kern.random.sys.harvest.interrupt can be turned off, my test system has already processed 784 'origin interrupt' queue entries and went from kern.random.sys.seeded=0->1.

> What I'd like to see is for all those sysctls to
> have corresponding tunables, then it would make more sense.

True. I don't know if Mark thought about this approach and felt there was an issue or not.

For consistency's sake, if we have kern.random.sys.harvest.interrupt, we should have kern.random.sys.harvest.devprobe (or whatever we'd call it).
-- 
-- David  (obrien@FreeBSD.org)

Date: Fri, 21 Sep 2012 07:35:49 +0200
From: Pawel Jakub Dawidek
To: David O'Brien
Cc: freebsd-security@FreeBSD.org
Subject: Re: Collecting entropy from device_attach() times.

On Wed, Sep 19, 2012 at 03:34:59PM -0700, David O'Brien wrote:
> On Tue, Sep 18, 2012 at 11:14:22PM +0200, Pawel Jakub Dawidek wrote:
> > I experimented a bit with collecting entropy from the time it takes for
> > device_attach() to run (in CPU cycles). It seems that those times have
> > enough variation that we can use it for entropy harvesting. It happens
> > even before root is mounted, so pretty early.
> 
> I like it. Microsoft harvests from something like 900 events/things.
> The more good things like this we find improves our security.
> 
> > The patch is here:
> > http://people.freebsd.org/~pjd/patches/harvest_device_attach.patch
> > Comments?
> 
> Embellishments:

Note that adding a sysctl to turn off entropy harvesting from device_attach() is pretty useless, as sysctls can be changed once we start userland and then all device_attach() are already called (modulo drivers loaded later).
What I'd like to see is for all those sysctls to have corresponding tunables, then it would make more sense.

> Index: sys/dev/random/randomdev_soft.c
> ===================================================================
> --- sys/dev/random/randomdev_soft.c	(revision 240694)
> +++ sys/dev/random/randomdev_soft.c	(working copy)
> @@ -158,6 +185,11 @@ random_yarrow_init(void)
>  	    "Harvest serial net entropy");
>  	SYSCTL_ADD_PROC(&random_clist,
>  	    SYSCTL_CHILDREN(random_sys_harvest_o),
> +	    OID_AUTO, "devprobe", CTLTYPE_INT | CTLFLAG_RW,
> +	    &harvest.devprobe, 1, random_check_boolean, "I",
> +	    "Harvest Device Probe entropy");
> +	SYSCTL_ADD_PROC(&random_clist,
> +	    SYSCTL_CHILDREN(random_sys_harvest_o),
>  	    OID_AUTO, "interrupt", CTLTYPE_INT | CTLFLAG_RW,
>  	    &harvest.interrupt, 1, random_check_boolean, "I",
>  	    "Harvest IRQ entropy");
> @@ -303,7 +341,7 @@ random_harvest_internal(u_int64_t someco
>  	KASSERT(origin == RANDOM_START || origin == RANDOM_WRITE ||
>  	    origin == RANDOM_KEYBOARD || origin == RANDOM_MOUSE ||
>  	    origin == RANDOM_NET || origin == RANDOM_INTERRUPT ||
> -	    origin == RANDOM_PURE,
> +	    origin == RANDOM_PURE || origin == RANDOM_DEVICE,
>  	    ("random_harvest_internal: origin %d invalid\n", origin));
>  
>  	/* Lockless read to avoid lock operations if fifo is full. */
> Index: sys/dev/random/harvest.c
> ===================================================================
> --- sys/dev/random/harvest.c	(revision 240694)
> +++ sys/dev/random/harvest.c	(working copy)
> @@ -48,7 +48,13 @@ __FBSDID("$FreeBSD$");
>  static int read_random_phony(void *, int);
>  
>  /* Structure holding the desired entropy sources */
> -struct harvest_select harvest = { 1, 1, 1, 0 };
> +struct harvest_select harvest = {
> +	1, /*ethernet*/
> +	1, /*pt2pt*/
> +	1, /*intr*/
> +	0, /*swi*/
> +	1, /*devprobe*/
> +};
>  static int warned = 0;
>  
>  /* hold the address of the routine which is actually called if
> Index: sys/sys/random.h
> ===================================================================
> --- sys/sys/random.h	(revision 240495)
> +++ sys/sys/random.h	(working copy)
> @@ -45,6 +45,7 @@ enum esource {
>  	RANDOM_NET,
>  	RANDOM_INTERRUPT,
>  	RANDOM_PURE,
> +	RANDOM_DEVICE,
>  	ENTROPYSOURCE
>  };
>  void random_harvest(void *, u_int, u_int, u_int, enum esource);
> @@ -57,6 +58,7 @@ struct harvest_select {
>  	int point_to_point;
>  	int interrupt;
>  	int swi;
> +	int device;
>  };
>  
>  extern struct harvest_select harvest;
> Index: sys/kern/subr_bus.c
> ===================================================================
> --- sys/kern/subr_bus.c	(revision 240495)
> +++ sys/kern/subr_bus.c	(working copy)
> @@ -44,6 +44,7 @@ __FBSDID("$FreeBSD$");
>  #include
>  #include
>  #include
> +#include
>  #include
>  #include
>  #include
> @@ -53,6 +54,7 @@ __FBSDID("$FreeBSD$");
>  #include
>  #include
>  
> +#include
>  #include
>  
>  #include
> @@ -2760,8 +2762,10 @@ device_probe_and_attach(device_t dev)
>  int
>  device_attach(device_t dev)
>  {
> +	uint64_t attachtime;
>  	int error;
>  
> +	attachtime = get_cyclecount();
>  	device_sysctl_init(dev);
>  	if (!device_is_quiet(dev))
>  		device_print_child(dev->parent, dev);
> @@ -2784,6 +2788,10 @@ device_attach(device_t dev)
>  	dev->state = DS_ATTACHED;
>  	dev->flags &= ~DF_DONENOMATCH;
>  	devadded(dev);
> +	if (harvest.devprobe)
> +		random_harvest(&attachtime, sizeof(attachtime), 4, 0,
> +		    RANDOM_DEVICE);
> +
>  	return (0);
>  }
>  
> Index: etc/defaults/rc.conf
> ===================================================================
> --- etc/defaults/rc.conf	(revision 239610)
> +++ etc/defaults/rc.conf	(working copy)
> @@ -642,6 +642,7 @@ entropy_file="/entropy"	# Set to NO to d
>  entropy_dir="/var/db/entropy"	# Set to NO to disable caching entropy via cron.
>  entropy_save_sz="2048"		# Size of the entropy cache files.
>  entropy_save_num="8"		# Number of entropy cache files to save.
> +harvest_devprobe="YES"		# Entropy device harvests device probe randomness
>  harvest_interrupt="YES"	# Entropy device harvests interrupt randomness
>  harvest_ethernet="YES"		# Entropy device harvests ethernet randomness
>  harvest_p_to_p="YES"		# Entropy device harvests point-to-point randomness
> Index: etc/rc.d/initrandom
> ===================================================================
> --- etc/rc.d/initrandom	(revision 239610)
> +++ etc/rc.d/initrandom	(working copy)
> @@ -41,6 +63,12 @@ initrandom_start()
>  	if [ \! -z "${soft_random_generator}" ] ; then
>  
>  		if [ -w /dev/random ]; then
> +			if checkyesno harvest_devprobe; then
> +				${SYSCTL} kern.random.sys.harvest.devprobe=1 >/dev/null
> +				echo -n ' interrupts'
> +			else
> +				${SYSCTL} kern.random.sys.harvest.devprobe=0 >/dev/null
> +			fi
>  			if checkyesno harvest_interrupt; then
>  				${SYSCTL} kern.random.sys.harvest.interrupt=1 >/dev/null
>  				echo -n ' interrupts'

-- 
Pawel Jakub Dawidek                       http://www.wheelsystems.com
FreeBSD committer                         http://www.FreeBSD.org
Am I Evil? Yes, I Am!                     http://tupytaj.pl
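Review bot: the sys/sys/random.h hunk adds the new struct harvest_select member as `int device;`, while the randomdev_soft.c hunk registers the sysctl against `&harvest.devprobe` and the subr_bus.c hunk tests `harvest.devprobe`; one name has to win or the tree will not build. Since the sysctl, the rc.conf knob and the harvest.c comment all say `devprobe`, rename the member, and consider saying "attach" rather than "probe" in the sysctl description and comments, because the timing is taken in device_attach().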
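Review bot: in the subr_bus.c hunks `attachtime` is the cycle count at entry to device_attach(), and that start stamp, not a duration, is what random_harvest() receives just before `return (0)`; if the intent is the attach duration described at the top of the thread, take a second get_cyclecount() and harvest the difference, or add a comment explaining why the start stamp alone is sufficient. The constant estimate of 4 bits per call also applies to every device alike, which the objection about devices with a well-defined attach time argues against; a lower constant would be more defensible until more devices have been measured.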
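Review bot: in the etc/rc.d/initrandom hunk the new harvest_devprobe branch prints `echo -n ' interrupts'`, copied from the harvest_interrupt branch directly below it; it should print a label for the device-probe source. As the author notes in the reply, by the time this script runs nearly every device_attach() has already happened, so the knob only has effect at boot if it is also available as a loader tunable.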
From: Mark Murray
To: John Baldwin
Date: Fri, 21 Sep 2012 08:11:04 +0100
Cc: Arthur Mesh, Ian Lepore, Doug Barton, Ben Laurie, freebsd-security@freebsd.org, RW
Subject: Re: Proposed fix; stage 1 (Was: svn commit: r239569 - head/etc/rc.d)

John Baldwin writes:
> Index: sys/kern/kern_intr.c

Looks OK to me! Appears to work too. I'd drop the estimate down to 1 bit instead of 2 for now. Keeping the estimate really low is safe.

Thanks, John.

M
-- 
Mark R V Murray
Cert APS(Open) Dip Phys(Open) BSc Open(Open) BSc(Hons)(Open)
Pi: 132511160

Date: Fri, 21 Sep 2012 09:09:56 +0200
From: Pawel Jakub Dawidek
To: David O'Brien
Cc: freebsd-security@FreeBSD.org
Subject: Re: Collecting entropy from device_attach() times.

On Thu, Sep 20, 2012 at 11:08:15PM -0700, David O'Brien wrote:
> On Fri, Sep 21, 2012 at 07:35:49AM +0200, Pawel Jakub Dawidek wrote:
> > Note that adding a sysctl to turn off entropy harvesting from
> > device_attach() is pretty useless, as sysctls can be changed once we
> > start userland and then all device_attach() are already called (modulo
> > drivers loaded later).
> 
> That is what I had in mind -- .ko drivers loaded post 'initrandom'.
> 
> The same could be said for kern.random.sys.harvest.interrupt.
> By the time kern.random.sys.harvest.interrupt can be turned off,
> my test system has already processed 784 'origin interrupt' queue
> entries and went from kern.random.sys.seeded=0->1.

Yes, this is exactly why I'd like to see a corresponding tunable for all those sysctls.
--
Pawel Jakub Dawidek http://www.wheelsystems.com
FreeBSD committer http://www.FreeBSD.org
Am I Evil? Yes, I Am! http://tupytaj.pl

From owner-freebsd-security@FreeBSD.ORG Fri Sep 21 20:22:22 2012 Return-Path: Delivered-To: freebsd-security@FreeBSD.org Received: from mx2.freebsd.org (mx2.freebsd.org [IPv6:2001:4f8:fff6::35]) by hub.freebsd.org (Postfix) with ESMTP id 87F88106566B; Fri, 21 Sep 2012 20:22:22 +0000 (UTC) (envelope-from dougb@FreeBSD.org) Received: from [127.0.0.1] (hub.freebsd.org [IPv6:2001:4f8:fff6::36]) by mx2.freebsd.org (Postfix) with ESMTP id 5BAC514DEE1; Fri, 21 Sep 2012 20:22:22 +0000 (UTC) Message-ID: <505CCC7E.5080205@FreeBSD.org> Date: Fri, 21 Sep 2012 13:22:22 -0700
From: Doug Barton Organization: http://www.FreeBSD.org/ User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:15.0) Gecko/20120827 Thunderbird/15.0 MIME-Version: 1.0 To: Pawel Jakub Dawidek References: <20120918211422.GA1400@garage.freebsd.pl> <20120919223459.GC25606@dragon.NUXI.org> <20120921053549.GF1407@garage.freebsd.pl> <20120921060815.GA42778@dragon.NUXI.org> <20120921070956.GA1382@garage.freebsd.pl> In-Reply-To: <20120921070956.GA1382@garage.freebsd.pl> X-Enigmail-Version: 1.4.4 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Cc: freebsd-security@FreeBSD.org, David O'Brien Subject: Re: Collecting entropy from device_attach() times. X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 21 Sep 2012 20:22:22 -0000

On 09/21/2012 12:09 AM, Pawel Jakub Dawidek wrote:
> On Thu, Sep 20, 2012 at 11:08:15PM -0700, David O'Brien wrote:
>> On Fri, Sep 21, 2012 at 07:35:49AM +0200, Pawel Jakub Dawidek wrote:
>>> Note that adding a sysctl to turn off entropy harvesting from
>>> device_attach() is pretty useless, as sysctls can be changed once we
>>> start userland and then all device_attach() are already called (modulo
>>> drivers loaded later).

Devices can be added at any time in the life of the system via USB, and other interfaces.

>> That is what I had in mind -- .ko drivers loaded post 'initrandom'.
>>
>> The same could be said for kern.random.sys.harvest.interrupt.
>> By the time kern.random.sys.harvest.interrupt can be turned off,
>> my test system has already processed 784 'origin interrupt' queue
>> entries and went from kern.random.sys.seeded=0->1.
>
> Yes, this is exactly why I'd like to see a corresponding tunable for all
> those sysctls.

Agreed.
From owner-freebsd-security@FreeBSD.ORG Fri Sep 21 23:15:48 2012 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 97981106566C for ; Fri, 21 Sep 2012 23:15:48 +0000 (UTC) (envelope-from des@des.no) Received: from smtp.des.no (smtp.des.no [194.63.250.102]) by mx1.freebsd.org (Postfix) with ESMTP id 56FAC8FC0C for ; Fri, 21 Sep 2012 23:15:47 +0000 (UTC) Received: from ds4.des.no (smtp.des.no [194.63.250.102]) by smtp.des.no (Postfix) with ESMTP id ED88166CB; Sat, 22 Sep 2012 01:15:40 +0200 (CEST) Received: by ds4.des.no (Postfix, from userid 1001) id 9FEA28D81; Sat, 22 Sep 2012 01:15:40 +0200 (CEST) 
From: Dag-Erling Smørgrav To: RW References: <20120918211422.GA1400@garage.freebsd.pl> <867grqm3pt.fsf@ds4.des.no> <20120919184758.28589516@gumby.homeunix.com> <86sjadt677.fsf@ds4.des.no> <20120920230133.55b63dea@gumby.homeunix.com> Date: Sat, 22 Sep 2012 01:15:39 +0200 In-Reply-To: <20120920230133.55b63dea@gumby.homeunix.com> (RW's message of "Thu, 20 Sep 2012 23:01:33 +0100") Message-ID: <86sjabarxg.fsf@ds4.des.no> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/23.4 (berkeley-unix) MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable Cc: freebsd-security@freebsd.org Subject: Re: Collecting entropy from device_attach() times. X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 21 Sep 2012 23:15:48 -0000

RW writes:
> Dag-Erling Smørgrav writes:
> > RW writes:
> > > Reseeding doesn't throw away entropy
> > Yes, it does.
> Would you elaborate? I don't see what you mean by that?

Never mind. I read through the code multiple times without seeing the line where it mixes in the old key. It does it in a very strange way, though: it doesn't just mix in the key, but the entire AES context.
DES
--
Dag-Erling Smørgrav - des@des.no

From owner-freebsd-security@FreeBSD.ORG Fri Sep 21 23:20:34 2012 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id A265D106566C for ; Fri, 21 Sep 2012 23:20:34 +0000 (UTC) (envelope-from des@des.no) Received: from smtp.des.no (smtp.des.no [194.63.250.102]) by mx1.freebsd.org (Postfix) with ESMTP id 625048FC0A for ; Fri, 21 Sep 2012 23:20:34 +0000 (UTC) Received: from ds4.des.no (smtp.des.no [194.63.250.102]) by smtp.des.no (Postfix) with ESMTP id 756E566D1; Sat, 22 Sep 2012 01:20:33 +0200 (CEST) Received: by ds4.des.no (Postfix, from userid 1001) id 466A08D84; Sat, 22 Sep 2012 01:20:33 +0200 (CEST)
From: Dag-Erling Smørgrav To: RW References: <20120918211422.GA1400@garage.freebsd.pl> <867grqm3pt.fsf@ds4.des.no> <20120919184758.28589516@gumby.homeunix.com> <86sjadt677.fsf@ds4.des.no> <20120920230133.55b63dea@gumby.homeunix.com> Date: Sat, 22 Sep 2012 01:20:32 +0200 In-Reply-To: <20120920230133.55b63dea@gumby.homeunix.com> (RW's message of "Thu, 20 Sep 2012 23:01:33 +0100") Message-ID: <86lig3arpb.fsf@ds4.des.no> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/23.4 (berkeley-unix) MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable Cc: freebsd-security@freebsd.org Subject: Re: Collecting entropy from device_attach() times. X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 21 Sep 2012 23:20:34 -0000

RW writes:
> The key will therefore *accumulate* entropy across multiple reseeds.

Forgot to address this. By definition, there can never be more entropy in Yarrow than the key size. So it *does* throw away entropy in the sense that if it accumulated, say, 900 bits of entropy pre-boot (to pick one of the numbers Pawel cited), 650 of them are wasted.
DES
--
Dag-Erling Smørgrav - des@des.no

From owner-freebsd-security@FreeBSD.ORG Sat Sep 22 09:18:49 2012 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id BCA28106566C for ; Sat, 22 Sep 2012 09:18:49 +0000 (UTC) (envelope-from pawel@dawidek.net) Received: from mail.dawidek.net (garage.dawidek.net [91.121.88.72]) by mx1.freebsd.org (Postfix) with ESMTP id 8024C8FC08 for ; Sat, 22 Sep 2012 09:18:49 +0000 (UTC) Received: from localhost (89-73-195-149.dynamic.chello.pl [89.73.195.149]) by mail.dawidek.net (Postfix) with ESMTPSA id C04B5CCC; Sat, 22 Sep 2012 11:17:51 +0200 (CEST) Date: Sat, 22 Sep 2012 11:19:08 +0200
From: Pawel Jakub Dawidek To: RW Message-ID: <20120922091908.GB1454@garage.freebsd.pl> References: <20120918211422.GA1400@garage.freebsd.pl> <20120919192836.3a60cdfd@gumby.homeunix.com> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="FkmkrVfFsRoUs1wW" Content-Disposition: inline In-Reply-To: <20120919192836.3a60cdfd@gumby.homeunix.com> X-OS: FreeBSD 10.0-CURRENT amd64 User-Agent: Mutt/1.5.21 (2010-09-15) Cc: freebsd-security@freebsd.org Subject: Re: Collecting entropy from device_attach() times. X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 22 Sep 2012 09:18:49 -0000

On Wed, Sep 19, 2012 at 07:28:36PM +0100, RW wrote:
> On Tue, 18 Sep 2012 23:14:22 +0200
> Pawel Jakub Dawidek wrote:
>
> > Hi.
> >
>
> > The patch is here:
> >
> > http://people.freebsd.org/~pjd/patches/harvest_device_attach.patch
> >
> > Comments?
> >
>
> + attachtime = get_cyclecount() - attachtime;
>
> the above line is redundant since random_harvest() already contains a
> call to get_cyclecount().

Agreed, although in a more recent patch I need the total time, so I can calculate how many bits it has, so I can estimate how much entropy there is.

--
Pawel Jakub Dawidek http://www.wheelsystems.com
FreeBSD committer http://www.FreeBSD.org
Am I Evil? Yes, I Am!
http://tupytaj.pl

From owner-freebsd-security@FreeBSD.ORG Sat Sep 22 08:03:10 2012 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 5836910657C4; Sat, 22 Sep 2012 08:03:10 +0000 (UTC) (envelope-from pawel@dawidek.net) Received: from mail.dawidek.net (garage.dawidek.net [91.121.88.72]) by mx1.freebsd.org (Postfix) with ESMTP id E47538FC12; Sat, 22 Sep 2012 08:03:09 +0000 (UTC) Received: from localhost (89-73-195-149.dynamic.chello.pl [89.73.195.149]) by mail.dawidek.net (Postfix) with ESMTPSA id 106D9CB4; Sat, 22 Sep 2012 10:02:07 +0200 (CEST) Date: Sat, 22 Sep 2012 10:03:23 +0200
From: Pawel Jakub Dawidek To: John Baldwin Message-ID: <20120922080323.GA1454@garage.freebsd.pl> References: <20120918211422.GA1400@garage.freebsd.pl> <20120919231051.4bc5335b@gumby.homeunix.com> <20120920102104.GA1397@garage.freebsd.pl> <201209200758.51924.jhb@freebsd.org> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="PEIAKu/WMn1b1Hv9" Content-Disposition: inline In-Reply-To: <201209200758.51924.jhb@freebsd.org> X-OS: FreeBSD 10.0-CURRENT amd64 User-Agent: Mutt/1.5.21 (2010-09-15) X-Mailman-Approved-At: Sat, 22 Sep 2012 11:19:06 +0000 Cc: Ben Laurie , freebsd-security@freebsd.org, RW , Jonathan Anderson , Mariusz Gromada Subject: Re: Collecting entropy from device_attach() times. X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 22 Sep 2012 08:03:10 -0000

On Thu, Sep 20, 2012 at 07:58:51AM -0400, John Baldwin wrote:
> On Thursday, September 20, 2012 6:21:04 am Pawel Jakub Dawidek wrote:
> > I agree, we should do such analysis for many more devices and different
> > kinds of devices. A platform might be an important factor as well.
> > It is hard to collect a decent number of probes when a reboot is needed, so
> > what I'd recommend is to turn off SMP, boot into single-user mode and
> > kldload/kldunload a driver in a loop, of course with the kernel patched to
> > log those times.
>
> This is not always representative. Any driver that uses a config intrhook
> will run that synchronously during attach() in single user mode but will
> not during boot. config intrhook's often go out and do things that take a
> variable amount of time (poking hardware, waiting for interrupts, etc.).
> That means that timing any such drivers from single user mode will likely
> give you more variable attach() times than would occur during boot.

Ok, to verify that I implemented a dummy driver that simply returns 0 from device_attach() and does nothing more. Additionally, during probe I call device_quiet(dev). It turned out that printing the device description during device_attach() over a serial console (115200) makes the call a few orders of magnitude longer :), which in turn provides much more entropy, so I wanted to avoid that.

I booted the machine with SMP disabled and in single-user mode. I gathered 162833 samples:

http://people.freebsd.org/~pjd/misc/device_attach_total_time.txt

The values were between 15 and 16 bits, but to simplify things I assumed they are all 16 bits. I discarded the top ten bits. This left me with 6-bit values [0-63]:

http://people.freebsd.org/~pjd/misc/device_attach_6bit.txt

I compared the empirical distribution with the theoretical one and I got this:

http://people.freebsd.org/~pjd/misc/device_attach_6bit.jpg

Source in libreoffice:

http://people.freebsd.org/~pjd/misc/device_attach_6bit.ods

Mariusz can verify my findings here, but it looks like discarding the top ten bits is enough even for very dummy drivers that don't interact with hardware at all. Note that discarding the top ten bits effectively means that we expect 0.1% of the total device_attach() time to be unpredictably different.

If discarding the top ten bits is enough in the case of such a dummy driver, we could probably discard less from drivers that interact with real hardware, but even with 43 device_attach() calls during boot on similar hardware and assuming that we can get only 6 bits of entropy from each call, it gives us more than 256 bits of entropy. In other words I don't think we should further complicate this and that we should stick to the entropy estimations from my current patch.

Having similar tests for different architectures would of course be very welcome.
--
Pawel Jakub Dawidek http://www.wheelsystems.com
FreeBSD committer http://www.FreeBSD.org
Am I Evil? Yes, I Am! http://tupytaj.pl

From owner-freebsd-security@FreeBSD.ORG Sat Sep 22 16:05:53 2012 Return-Path: Delivered-To: freebsd-security@FreeBSD.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 71BDE106564A; Sat, 22 Sep 2012 16:05:53 +0000 (UTC) (envelope-from avg@FreeBSD.org) Received: from citadel.icyb.net.ua (citadel.icyb.net.ua [212.40.38.140]) by mx1.freebsd.org (Postfix) with ESMTP id 77F3D8FC0A; Sat, 22 Sep 2012 16:05:52 +0000 (UTC) Received: from porto.starpoint.kiev.ua (porto-e.starpoint.kiev.ua [212.40.38.100]) by citadel.icyb.net.ua (8.8.8p3/ICyb-2.3exp) with ESMTP id TAA07335; Sat, 22 Sep 2012 19:05:50 +0300 (EEST) (envelope-from avg@FreeBSD.org) Received: from localhost ([127.0.0.1]) by porto.starpoint.kiev.ua with esmtp (Exim 4.34 (FreeBSD)) id 1TFSDG-000NSX-Fk; Sat, 22 Sep 2012 19:05:50 +0300 Message-ID: <505DE1DD.7070506@FreeBSD.org> Date: Sat, 22 Sep 2012 19:05:49 +0300
From: Andriy Gapon User-Agent: Mozilla/5.0 (X11; FreeBSD amd64; rv:15.0) Gecko/20120913 Thunderbird/15.0.1 MIME-Version: 1.0 To: freebsd-hackers , freebsd-security@FreeBSD.org X-Enigmail-Version: 1.4.3 Content-Type: text/plain; charset=X-VIET-VPS Content-Transfer-Encoding: 7bit X-Mailman-Approved-At: Sat, 22 Sep 2012 16:20:03 +0000 Cc: Subject: kern_exec: check p_tracecred instead of p_cred X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 22 Sep 2012 16:05:53 -0000

Currently, even if root ktraces an unprivileged process that execs a sguid executable, tracing is aborted at that point. I think that happens because the wrong credentials are checked at that point.

What do you think about the following patch?

commit 956a80783bc39162b1d64383188c5037f9767413
Author: Andriy Gapon
Date: Sat Sep 22 18:17:46 2012 +0300

kern_exec: check p_tracecred instead of p_cred

... when deciding whether to continue tracing across suid/sgid exec

diff --git a/sys/kern/kern_exec.c b/sys/kern/kern_exec.c index 90f7311..8d62c1e 100644 --- a/sys/kern/kern_exec.c +++ b/sys/kern/kern_exec.c
@@ -694,7 +694,8 @@ interpret: setsugid(p); #ifdef KTRACE - if (priv_check_cred(oldcred, PRIV_DEBUG_DIFFCRED, 0)) + if (p->p_tracecred != NULL && + priv_check_cred(p->p_tracecred, PRIV_DEBUG_DIFFCRED, 0)) ktrprocexec(p, &tracecred, &tracevp); #endif /* -- Andriy Gapon From owner-freebsd-security@FreeBSD.ORG Sat Sep 22 19:53:12 2012 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 76A74106564A; Sat, 22 Sep 2012 19:53:12 +0000 (UTC) (envelope-from pawel@dawidek.net) Received: from mail.dawidek.net (garage.dawidek.net [91.121.88.72]) by mx1.freebsd.org (Postfix) with ESMTP id 359D28FC15; Sat, 22 Sep 2012 19:53:11 +0000 (UTC) Received: from localhost (89-73-195-149.dynamic.chello.pl [89.73.195.149]) by mail.dawidek.net (Postfix) with ESMTPSA id 5173DE02; Sat, 22 Sep 2012 21:52:10 +0200 (CEST) Date: Sat, 22 Sep 2012 21:53:26 +0200 
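Review bot: the NULL guard in the kern_exec.c hunk silently changes behaviour when p->p_tracecred is NULL: the old code called ktrprocexec() whenever oldcred lacked PRIV_DEBUG_DIFFCRED, the new code skips the call entirely. That is only safe if p_tracecred is NULL exactly when no trace is attached (nothing for ktrprocexec() to clear); either state that invariant in a comment above the check or keep the call for the NULL case, e.g. `if (p->p_tracecred == NULL || priv_check_cred(p->p_tracecred, PRIV_DEBUG_DIFFCRED, 0))`, so that a trace without a usable credential is still dropped across the setugid exec. Two smaller points: priv_check_cred() returns 0 when the privilege is held, so this branch fires when the tracer lacks it, and a one-line comment would save the next reader from misreading the sense; and p_tracecred is dereferenced here before ktrprocexec() does its own locking, so the commit message should say why a concurrent ktrace detach cannot free that credential under this check, or the check should move under the same lock. The commit message should also spell out the actual bug: the old test used the traced process's own pre-exec credential (oldcred), which is why a root tracer of an unprivileged process failed the check.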
From: Pawel Jakub Dawidek To: John Baldwin Message-ID: <20120922195325.GH1454@garage.freebsd.pl> References: <20120918211422.GA1400@garage.freebsd.pl> <20120919231051.4bc5335b@gumby.homeunix.com> <20120920102104.GA1397@garage.freebsd.pl> <201209200758.51924.jhb@freebsd.org> <20120922080323.GA1454@garage.freebsd.pl> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="boAH8PqvUi1v1f55" Content-Disposition: inline In-Reply-To: <20120922080323.GA1454@garage.freebsd.pl> X-OS: FreeBSD 10.0-CURRENT amd64 User-Agent: Mutt/1.5.21 (2010-09-15) Cc: Ben Laurie , freebsd-security@freebsd.org, RW , Jonathan Anderson , Mariusz Gromada Subject: Re: Collecting entropy from device_attach() times. X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 22 Sep 2012 19:53:12 -0000

On Sat, Sep 22, 2012 at 10:03:23AM +0200, Pawel Jakub Dawidek wrote:
> If discarding the top ten bits is enough in the case of such a dummy driver, we
> could probably discard less from drivers that interact with real
> hardware, but even with 43 device_attach() calls during boot on similar
> hardware and assuming that we can get only 6 bits of entropy from each
> call, it gives us more than 256 bits of entropy. In other words I don't
> think we should further complicate this and that we should stick to the
> entropy estimations from my current patch.

I made additional calculations to see where the line is that we shall not cross.
I checked how the distribution would look for 6-, 7-, 8-, 9-, 10-, 11- and 12-bit values (so we discard from the top 10 to the top 4 bits):

http://people.freebsd.org/~pjd/misc/device_attach_6bit.jpg
http://people.freebsd.org/~pjd/misc/device_attach_7bit.jpg
http://people.freebsd.org/~pjd/misc/device_attach_8bit.jpg
http://people.freebsd.org/~pjd/misc/device_attach_9bit.jpg
http://people.freebsd.org/~pjd/misc/device_attach_10bit.jpg
http://people.freebsd.org/~pjd/misc/device_attach_11bit.jpg
http://people.freebsd.org/~pjd/misc/device_attach_12bit.jpg

And source in libreoffice:

http://people.freebsd.org/~pjd/misc/device_attach_6-12_bits.ods

It looks like we can safely discard even only 7 bits (leaving 9 bits of entropy). With 10-bit values the maximum difference between the theoretical and empirical distributions goes to 6.34%, which I don't think is acceptable. On the other hand the differences for 6, 7, 8 and 9 bits are very small:

6bit: 0.33%
7bit: 0.29%
8bit: 0.27%
9bit: 0.21%

For completeness, all the rest:

10bit: 6.34%
11bit: 19.07%
12bit: 54.80%

Mariusz, can you confirm my findings?

--
Pawel Jakub Dawidek http://www.wheelsystems.com
FreeBSD committer http://www.FreeBSD.org
Am I Evil? Yes, I Am! http://tupytaj.pl
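The bit-dropping analysis in Pawel's two messages above (keep only the low k bits of each cycle-count delta, compare the histogram of the kept values with the uniform distribution, and watch the deviation grow as k increases) can be reproduced offline. The block below is an added example, not code from the harvest_device_attach patch or from the spreadsheets linked in the thread. Its input is constructed here (a fixed baseline of about 15 bits plus a few hundred cycles of Gaussian jitter, standing in for the measured 15- to 16-bit deltas), so the percentages it prints will not match the figures quoted above; the deviation metric (largest per-bucket deviation relative to the uniform bucket probability), the min-entropy figure and the crediting rule in credited_bits() are this example's own choices rather than anything from the .ods sheets.

```python
"""
Bit-dropping analysis of device_attach() timing deltas, as in the thread
above: keep only the low k bits of each cycle-count delta, compare the
histogram of the kept values with the uniform distribution, and see how
far k can be pushed before the predictable high bits show through.

Added example; not code from the FreeBSD patch or from the spreadsheets
quoted in the thread. The samples below are constructed, not measured.
"""
import math
import random
from collections import Counter


def low_bits(value: int, k: int) -> int:
    """Keep the low k bits: 'discarding the top 16-k bits' of a 16-bit delta."""
    return value & ((1 << k) - 1)


def empirical_distribution(samples, k):
    """Fraction of the samples falling into each of the 2**k buckets."""
    counts = Counter(low_bits(s, k) for s in samples)
    n = len(samples)
    return [counts[b] / n for b in range(1 << k)]


def max_deviation_pct(samples, k):
    """Largest |empirical - uniform| over the buckets, as a percentage of
    the uniform bucket probability 2**-k. A flat histogram scores near 0;
    an empty bucket on its own scores 100."""
    uniform = 1.0 / (1 << k)
    dist = empirical_distribution(samples, k)
    return max(abs(p - uniform) for p in dist) / uniform * 100.0


def min_entropy_bits(samples, k):
    """-log2(probability of the most likely bucket): the conservative figure
    to credit per sample. It is at most k and falls as the histogram lumps."""
    return -math.log2(max(empirical_distribution(samples, k)))


def constructed_samples(n=100_000, base=40_000, jitter=200, seed=1):
    """Constructed stand-in for 16-bit cycle-count deltas: a fixed baseline
    (the part of attach() that always costs the same) plus Gaussian jitter
    of a few hundred cycles, so only the low bits vary from run to run."""
    rng = random.Random(seed)
    return [base + round(rng.gauss(0, jitter)) for _ in range(n)]


def sweep(samples, ks=range(6, 13)):
    """(k, max deviation %, min-entropy bits) for each k, mirroring the
    6..12-bit series in the thread."""
    return [(k, max_deviation_pct(samples, k), min_entropy_bits(samples, k))
            for k in ks]


def credited_bits(samples, ks=range(6, 13), tolerance=0.5):
    """Largest k whose kept bits are still nearly full-entropy, i.e. whose
    min-entropy is within `tolerance` bits of k. Crediting more than this
    would count the deterministic part of the attach time as entropy."""
    ok = [k for k in ks if min_entropy_bits(samples, k) >= k - tolerance]
    return max(ok) if ok else 0


if __name__ == "__main__":
    samples = constructed_samples()
    print(f"{len(samples)} constructed samples, {min(samples)}..{max(samples)} "
          f"cycles ({max(samples).bit_length()}-bit)")
    print(" k   max deviation   min-entropy")
    for k, dev, h in sweep(samples):
        print(f"{k:2d}   {dev:10.2f}%   {h:8.2f} bits")
    print("credit at most", credited_bits(samples), "bits per sample")
```

Run it as a script to get the per-k table; with the constructed input the low 6 to 9 bits stay within sampling noise of uniform, while 10 bits and up show the Gaussian hump of the jitter and the min-entropy stops tracking k. To run it against the real measurements, replace constructed_samples() with the integers from the device_attach_total_time.txt file linked above; min-entropy, not the deviation percentage, is the number to feed into the harvester's per-sample estimate, because it is what an attacker who knows the distribution can actually exploit.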