Source-Changes-D archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
Re: CVS commit: src
On Fri, Aug 14, 2020 at 12:53:17AM +0000, Taylor R Campbell wrote:
> New system call getrandom() compatible with Linux and others.
>
> [..]
>
> As proposed on tech-userlevel, tech-crypto, tech-security, and
> tech-kern, and subsequently adopted by core (minus the getentropy part
> of the proposal, because other operating systems and participants in
> the discussion couldn't come to an agreement about getentropy and
> blocking semantics):
Obviously, I disagree with core's decision, but let's try to be
productive about this.
I'm happy to have getrandom in NetBSD, it's a good thing. But not with
this behaviour.
1) Adopting getrandom for compatibility does not make sense.
NetBSD's behaviour for getrandom(x, y, 0) is incompatible with Linux
and FreeBSD _at least_ - they will unblock after the kernel receives
an arbitrary amount of "random-ish" data. NetBSD will block forever
until the sysadmin intervenes (by writing to /dev/random or attaching
a forensically analyzed HWRNG, or rebooting with a seed file).
NetBSD's behaviour for GRND_RANDOM is incompatible with FreeBSD,
which treats it the same as getrandom(x, y, 0).
So, NetBSD disagrees with the most popular operating systems on how
getrandom should block.
2) The main problem raised with getentropy is that Solaris has a buggy
implementation that projects such as Python were seeking to avoid
(because it blocked a lot, and they preferred something that
wouldn't).
This is not a good reason for avoiding it, it's like saying nobody
should ever use posix_fallocate because NetBSD 9.0's implementation
always returns error.
3) getentropy is the preferred API for some projects. e.g, getrandom does
not benefit Firefox at all, since it will only use getentropy or
/dev/urandom.
4) The original argument that we need the getrandom(x, y, 0) behaviour
to please Rust does not make sense, since Rust's randomness library
now uses never-blocking APIs on both OpenBSD and NetBSD. Same for
OpenSSL.
So, I suggest:
1) Make the RANDOM case for getrandom an alias for the default behaviour,
as FreeBSD also does. It's just a nail for unsuspecting software to
step on, and we shouldn't be copying bad ideas from Linux into our
own syscalls.
2) Add a sysctl knob to disable getrandom's blocking behaviour, for
systems without a forensically analyzed HWRNG. This provides an
obvious way to ensure the system doesn't block after entropy is
consolidated after we enter userland. Writing to /dev/random is
non-obvious. On these systems losing the on-disk seed file is a
critical error case that will cause blocking, currently.
3) Adopt getentropy as originally proposed. It simply makes existing
behaviour accessible in a more obvious way (this behaviour will be in
popular use for a long time, given our release cycles and speed at
upstreaming patches), and also helps NSS and various other things
get randomness in restricted environments - they currently prefer
getentropy then urandom.
Sorry for dragging this discussion out, but I'm hoping we can reach some
form of compromise that doesn't unfairly punish systems that don't have
a HWRNG that passes the kernel's vetting.
Home |
Main Index |
Thread Index |
Old Index