Go to file
Jason A. Donenfeld e85c0fc1d9 random: do not pretend to handle premature next security model
Per the thread linked below, "premature next" is not considered to be a
realistic threat model, and leads to more serious security problems.

"Premature next" is the scenario in which:

- Attacker compromises the current state of a fully initialized RNG via
  some kind of infoleak.
- New bits of entropy are added directly to the key used to generate the
  /dev/urandom stream, without any buffering or pooling.
- Attacker then, somehow having read access to /dev/urandom, samples RNG
  output and brute forces the individual new bits that were added.
- Result: the RNG never "recovers" from the initial compromise, a
  so-called violation of what academics term "post-compromise security".

The usual solutions to this involve some form of delaying when entropy
gets mixed into the crng. With Fortuna, this involves multiple input
buckets. With what the Linux RNG was trying to do prior, this involves
entropy estimation.

However, by delaying when entropy gets mixed in, it also means that RNG
compromises are extremely dangerous during the window of time before
the RNG has gathered enough entropy, during which time nonces may become
predictable (or repeated), ephemeral keys may not be secret, and so
forth. Moreover, it's unclear how realistic "premature next" is from an
attack perspective, if these attacks even make sense in practice.

Put together -- and discussed in more detail in the thread below --
these constitute grounds for just doing away with the current code that
pretends to handle premature next. I say "pretends" because it wasn't
doing an especially great job at it either; should we change our mind
about this direction, we would probably implement Fortuna to "fix" the
"problem", in which case, removing the pretend solution still makes
sense.

This also reduces the crng reseed period from 5 minutes down to 1
minute. The rationale from the thread might lead us toward reducing that
even further in the future (or even eliminating it), but that remains a
topic of a future commit.

At a high level, this patch changes semantics from:

    Before: Seed for the first time after 256 "bits" of estimated
    entropy have been accumulated since the system booted. Thereafter,
    reseed once every five minutes, but only if 256 new "bits" have been
    accumulated since the last reseeding.

    After: Seed for the first time after 256 "bits" of estimated entropy
    have been accumulated since the system booted. Thereafter, reseed
    once every minute.

Most of this patch is renaming and removing: POOL_MIN_BITS becomes
POOL_INIT_BITS, credit_entropy_bits() becomes credit_init_bits(),
crng_reseed() loses its "force" parameter since it's now always true,
the drain_entropy() function no longer has any use so it's removed,
entropy estimation is skipped if we've already init'd, the various
notifiers for "low on entropy" are now only active prior to init, and
finally, some documentation comments are cleaned up here and there.

Link: https://lore.kernel.org/lkml/YmlMGx6+uigkGiZ0@zx2c4.com/
Cc: Theodore Ts'o <tytso@mit.edu>
Cc: Nadia Heninger <nadiah@cs.ucsd.edu>
Cc: Tom Ristenpart <ristenpart@cornell.edu>
Reviewed-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2022-05-15 12:11:58 +02:00
arch xtensa: use fallback for random_get_entropy() instead of zero 2022-05-13 23:59:23 +02:00
block Revert "block: release rq qos structures for queue without disk" 2022-05-02 10:06:40 -06:00
certs Kbuild updates for v5.18 2022-03-31 11:59:03 -07:00
crypto
Documentation random: fix sysctl documentation nits 2022-05-13 23:59:12 +02:00
drivers random: do not pretend to handle premature next security model 2022-05-15 12:11:58 +02:00
fs io_uring-5.18-2022-05-06 2022-05-07 10:41:41 -07:00
include timekeeping: Add raw clock fallback for random_get_entropy() 2022-05-13 23:59:23 +02:00
init init: call time_init() before rand_initialize() 2022-05-13 23:59:22 +02:00
ipc
kernel timekeeping: Add raw clock fallback for random_get_entropy() 2022-05-13 23:59:23 +02:00
lib - A fix to disable PCI/MSI[-X] masking for XEN_HVM guests as that is 2022-05-01 10:03:36 -07:00
LICENSES
mm mm/readahead: Fix readahead with large folios 2022-05-05 00:47:29 -04:00
net NFS client bugfixes for Linux 5.18 2022-05-06 13:19:11 -07:00
samples
scripts objtool: Enable unreachable warnings for CLANG LTO 2022-04-19 21:58:48 +02:00
security hardening updates for v5.18-rc1-fix1 2022-03-31 11:43:01 -07:00
sound ASoC: Fixes for v5.18 2022-05-08 10:49:25 +02:00
tools Networking fixes for 5.18-rc6, including fixes from can, rxrpc and 2022-05-05 09:45:12 -07:00
usr Kbuild updates for v5.18 2022-03-31 11:59:03 -07:00
virt Merge branch 'kvm-fixes-for-5.18-rc5' into HEAD 2022-04-29 12:39:34 -04:00
.clang-format
.cocciconfig
.get_maintainer.ignore
.gitattributes
.gitignore
.mailmap futex: MAINTAINERS, .mailmap: Update André's email address 2022-04-22 10:30:20 +02:00
COPYING
CREDITS
Kbuild
Kconfig
MAINTAINERS A fix and an email address update: 2022-05-08 11:21:54 -07:00
Makefile Linux 5.18-rc6 2022-05-08 13:54:17 -07:00
README

Linux kernel
============

There are several guides for kernel developers and users. These guides can
be rendered in a number of formats, like HTML and PDF. Please read
Documentation/admin-guide/README.rst first.

In order to build the documentation, use ``make htmldocs`` or
``make pdfdocs``.  The formatted documentation can also be read online at:

    https://www.kernel.org/doc/html/latest/

There are various text files in the Documentation/ subdirectory,
several of them using the Restructured Text markup notation.

Please read the Documentation/process/changes.rst file, as it contains the
requirements for building and running the kernel, and information about
the problems which may result by upgrading your kernel.