From owner-freebsd-hackers@freebsd.org Mon Dec 7 22:59:16 2020
Date: Mon, 7 Dec 2020 22:59:09 +0000
From: RW
To: freebsd-hackers@freebsd.org
Subject: Re: arc4random initialization
Message-ID: <20201207225909.650818c2@gumby.homeunix.com>
References: <20201206153625.13e349a8@bigus.dream-tech.com>
List-Id: Technical Discussions relating to FreeBSD

On Mon, 7 Dec 2020 08:37:42 +0000
Mark Murray wrote:

> Hi
>
> > On 6 Dec 2020, at 23:36, Dave Hayes wrote:
> >
> > So security-wise, just how bad is it to be improperly seeded? If I
> > cannot get a valid entropy stash at boot time, can I delay the need
> > for it until I can get a writable filesystem up and running?

The warning doesn't mean it was unseeded, just that it didn't seed from
the boot entropy file. I think it's unlikely that this is a significant
problem if your CPU has RDRAND or similar, but it depends on the timing
of calls.

    sysctl -o -B 65536 kern.arandom > /dev/null

should force a reseed if you want one.

> This means that the random(4) device and relevant infrastructure like
> arc4random starts up in an insecure state and is not to be trusted
> for e.g. generating SSH keys.
>
> After you have used the machine for a while (exactly how long
> "depends"), it will reseed itself and become secure.
>
> Essentially, expect every boot off a DVD on the same hardware to reuse
> cryptographic keys

That's easy to test.

> and therefore be insecure.

Kernel arc4random() also reads entropy from Fortuna via read_random(). If
there's a hardware generator Fortuna will get enough entropy to reach the
default minpoolsize within 0.7s of initialization. If arc4random is called
before that it will get reseeded on the first call to read_random() that
occurs after Fortuna is able to seed.

The risk would be that kernel arc4random is initialized early and
insecurely and there's no appropriate read_random() call to reseed it
before something critical uses it.

IMO it would be better to eliminate that 0.7s period by getting enough
entropy from the hardware generator instantaneously when Fortuna
initializes. Whatever the paranoia over these generators they're better
than no seeding at all.
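An added example, not code from RW's or Mark Murray's messages: a small sh script for the "easy to test" claim in the exchange above. Run from an early rc script on each boot of the same medium, it records a SHA-256 digest of the first 32 bytes read from the random device and reports when two boots produced identical bytes. The RNG_DEV, RNG_LOG and RNG_BOOT_CHECK names and their defaults are assumptions of this example; the reseed command in force_reseed is the sysctl RW gives above. Note that it only sees what the device returns (a read from /dev/random blocks until the kernel considers itself seeded), not what early kernel arc4random() callers received.

```shell
#!/bin/sh
# Added example (not code from the thread). On every boot of the same
# medium, record a SHA-256 digest of the first 32 bytes read from the
# random device and report whether an earlier boot produced identical
# bytes. Run it from an early rc script with RNG_BOOT_CHECK=1.
#
# Assumed, not from the thread: the RNG_DEV, RNG_LOG and RNG_BOOT_CHECK
# names and their defaults.

RNG_DEV="${RNG_DEV:-/dev/random}"
RNG_LOG="${RNG_LOG:-/var/db/rng-boot-samples.log}"

digest() {
    # SHA-256 of stdin as 64 hex characters. FreeBSD ships sha256(1),
    # GNU userland ships sha256sum(1); use whichever is installed.
    if command -v sha256 >/dev/null 2>&1; then
        sha256 -q
    else
        sha256sum | cut -d' ' -f1
    fi
}

sample_digest() {
    # Digest of the first 32 bytes of the file or device named in $1.
    # A read from /dev/random blocks until the kernel considers itself
    # seeded, so this measures device output, not what early kernel
    # arc4random() callers received.
    head -c 32 "$1" | digest
}

duplicate_count() {
    # Number of distinct digests that occur more than once in the log
    # ($1: one "<epoch> <digest>" line per boot). Prints 0 for no log.
    if [ ! -s "$1" ]; then
        echo 0
        return 0
    fi
    awk '{ print $2 }' "$1" | sort | uniq -d | wc -l | tr -d ' '
}

force_reseed() {
    # RW's reseed trigger from the message above: reading kern.arandom
    # goes through read_random(), which reseeds kernel arc4random().
    sysctl -o -B 65536 kern.arandom > /dev/null
}

record_boot_sample() {
    # Append this boot's sample to the log; return 1 if any digest
    # repeats, i.e. two boots got the same bytes from the device.
    d=$(sample_digest "$RNG_DEV")
    printf '%s %s\n' "$(date +%s)" "$d" >> "$RNG_LOG"
    n=$(duplicate_count "$RNG_LOG")
    boots=$(wc -l < "$RNG_LOG" | tr -d ' ')
    if [ "$n" -gt 0 ]; then
        echo "WARNING: $n repeated random-device sample(s) in $boots boot(s)" >&2
        return 1
    fi
    echo "no repeated samples in $boots boot(s)"
    return 0
}

# Only act when explicitly asked; sourcing the file just defines the
# functions. On a repeat, force a reseed so later consumers are not
# left on the early state.
if [ "${RNG_BOOT_CHECK:-0}" = 1 ]; then
    record_boot_sample || force_reseed
fi
```

Because the log lives on the writable filesystem, the sample has to be taken as early as that filesystem is available; a repeat across boots confirms the key-reuse concern for anything that drew from the device at that point, while a clean log says nothing about kernel-internal arc4random() consumers that ran before the device was readable.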