Subject: Re: svn commit: r273958 - head/sys/dev/random
From: Ian Lepore
To: Mark R V Murray
Cc: svn-src-head@freebsd.org, svn-src-all@freebsd.org, src-committers@freebsd.org, Dag-Erling Smørgrav
Date: Sun, 02 Nov 2014 06:22:59 -0700

On Sun, 2014-11-02 at 09:45 +0000, Mark R V Murray wrote:
> Hi DES,
>
> I’m scared witless of this being on-by-default, for the reason given in the removed comment. I’d much prefer to see it only turned on if a kernel option is set, and the embedded folks /et al/ can use that.
>
> Please reinstate the #ifdef RANDOM_AUTOSEED, and set a kernel option to turn it on. Please also leave the comment; summarily turning on an unprepared generator is not going to be obvious to anyone but an attacker.
>
> Moving the point of the auto-firstseed to where is good, thanks.
>
> M
>

To give you some idea of how usable this new stuff is on a system that isn't an x86 server or someone's desktop or laptop... after commenting out the postrandom so that a board would at least boot (but before DES' resend change), I left a board sitting idle at the login prompt.
It was somewhere between 40 minutes and an hour before I saw this:

FreeBSD/arm (rpi) (ttyu0)

login: random: reseed - fast - thresh 96,1 - 0 48 0 0 0 130 0 0 620 0 0 0 0 0 0 0 0 0 0 0
random: reseed - slow - thresh 128,2 - 0 44 0 0 0 130 0 0 619 0 0 0 0 0 0 0 0 0 0 0
random: unblocking device.

Securing a system against some theoretical attack has value only to the point where the system is no longer usable at all. At that point you kind of have to declare the attacker the winner, and he didn't even have to actually launch an attack.

-- Ian

> > On 2 Nov 2014, at 02:01, Dag-Erling Smørgrav wrote:
> >
> > Author: des
> > Date: Sun Nov 2 02:01:55 2014
> > New Revision: 273958
> > URL: https://svnweb.freebsd.org/changeset/base/273958
> >
> > Log:
> >   Restore the auto-reseed logic, but move it to a much later point,
> >   immediately before kick_init.
> >
> >   Approved by: so (self)
> >
> > Modified:
> >   head/sys/dev/random/random_adaptors.c
> >   head/sys/dev/random/yarrow.c
> >
> > Modified: head/sys/dev/random/random_adaptors.c > > =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D > > --- head/sys/dev/random/random_adaptors.c Sun Nov 2 01:47:27 2014 (r= 273957) > > +++ head/sys/dev/random/random_adaptors.c Sun Nov 2 02:01:55 2014 (r= 273958) 
> > @@ -447,30 +447,8 @@ random_adaptors_deinit(void) > > } > >=20 > > /* > > - * First seed. > > - * > > - * NB! NB! NB! > > - * NB! NB! NB! > > - * > > - * It turns out this is bloody dangerous. I was fiddling with code e= lsewhere > > - * and managed to get conditions where a safe (i.e. seeded) entropy = device should > > - * not have been possible. This managed to hide that by unblocking t= he device anyway. > > - * As crap randomness is not directly distinguishable from good rand= omness, this > > - * could have gone unnoticed for quite a while. > > - * > > - * NB! NB! NB! > > - * NB! NB! NB! > > - * > > - * Very luckily, the probe-time entropy is very nearly good enough t= o cause a > > - * first seed all of the time, and the default settings for other en= tropy > > - * harvesting causes a proper, safe, first seed (unblock) in short o= rder after that. > > - * > > - * That said, the below would be useful where folks are more concern= ed with > > - * a quick start than with extra paranoia in a low-entropy environme= nt. > > - * > > - * markm - October 2013. > > + * Reseed the active adaptor shortly before starting init(8). > > */ > > -#ifdef RANDOM_AUTOSEED > > /* ARGSUSED */ > > static void > > random_adaptors_seed(void *unused __unused) 
> > @@ -484,6 +462,5 @@ random_adaptors_seed(void *unused __unus > >=20 > > arc4rand(NULL, 0, 1); > > } > > -SYSINIT(random_seed, SI_SUB_INTRINSIC_POST, SI_ORDER_LAST, > > - random_adaptors_reseed, NULL); > > -#endif /* RANDOM_AUTOSEED */ > > +SYSINIT(random_seed, SI_SUB_KTHREAD_INIT, SI_ORDER_FIRST, > > + random_adaptors_seed, NULL); > >=20 > > Modified: head/sys/dev/random/yarrow.c > > =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D > > --- head/sys/dev/random/yarrow.c Sun Nov 2 01:47:27 2014 (r273957) > > +++ head/sys/dev/random/yarrow.c Sun Nov 2 02:01:55 2014 (r273958) > > @@ -508,7 +508,9 @@ void > > random_yarrow_reseed(void) > > { > >=20 > > + mtx_lock(&random_reseed_mtx); > > reseed(SLOW); > > + mtx_unlock(&random_reseed_mtx); > > } > >=20 > > int > >=20 >=20
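Review bot: In the first random_adaptors.c hunk (@@ -447,30 +447,8 @@), removing `#ifdef RANDOM_AUTOSEED` together with the whole "First seed" comment makes random_adaptors_seed() unconditional while deleting the only record of why it was guarded. The removed text says the auto-seed hid a state where a seeded device "should not have been possible" by "unblocking the device anyway"; the replacement comment, "Reseed the active adaptor shortly before starting init(8)", says when the function runs but not what it risks. Suggest keeping the compile-time guard or an equivalent kernel option, as requested in this thread, and retaining a short form of the warning beside the function.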
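Review bot: In the second random_adaptors.c hunk (@@ -484,6 +462,5 @@), the removed SYSINIT named `random_adaptors_reseed` while the function defined just above it is `random_adaptors_seed`, and the new line silently switches to the matching name. Unless a separate random_adaptors_reseed exists outside this hunk, the guarded code was not being built as written, so it has had little exercise before being enabled for everyone; the log should mention the rename. The move from `SI_SUB_INTRINSIC_POST, SI_ORDER_LAST` to `SI_SUB_KTHREAD_INIT, SI_ORDER_FIRST` also deserves a comment at the SYSINIT stating the ordering it relies on, since the log's "immediately before kick_init" is not enforced by anything visible here.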
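Review bot: In the yarrow.c hunk (@@ -508,7 +508,9 @@), random_yarrow_reseed() now takes `random_reseed_mtx` around `reseed(SLOW)`, but the log message does not mention a locking change and the hunk does not show whether reseed() or its other callers already take the same mutex. If reseed() expects the lock to be held, an `mtx_assert(&random_reseed_mtx, MA_OWNED)` at its top would document and enforce that; if it acquires the lock itself, this wrapper would recurse on it. Please state the locking contract in a comment above random_yarrow_reseed() and describe the change in the commit log.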