tech-userlevel archive


Re: getrandom and getentropy



On Sat, May 02, 2020 at 04:31:43PM +0000, Taylor R Campbell wrote:
> > Date: Sat, 2 May 2020 18:07:54 +0200
> > From: Kurt Roeckx <kurt%roeckx.be@localhost>
> > 
> > On Sat, May 02, 2020 at 03:38:43PM +0000, Taylor R Campbell wrote:
> > > > Date: Sat, 2 May 2020 11:10:44 +0200
> > > > From: Kurt Roeckx <kurt%roeckx.be@localhost>
> > > > 
> > > > I think we've previously talked about it, and you said the OpenBSD
> > > > manpage doesn't mention anything related to it. But it's implied
> > > > behaviour for OpenBSD, they never had an interface where you can
> > > > get random numbers before it's properly seeded.
> > > 
> > > I reviewed the OpenBSD implementation at
> > > 
> > > https://cvsweb.openbsd.org/src/sys/dev/rnd.c?rev=1.204&content-type=text/x-cvsweb-markup
> > > 
> > > and I see no evidence of blocking.  Where does it block?
> > 
> > It's my understanding that it never blocks because the bootloader
> > provides entropy. By the time the first user can call getentropy,
> > it has already been seeded.
> 
> On NetBSD we try to do that where possible too, but in the real world
> it can't be 100% guaranteed to work on NetBSD or on OpenBSD -- for
> example, if you copy the same fresh OS image onto multiple machines
> (every machine might generate the same keys), then it won't work, or
> if your / is mounted on a read-only medium, then it won't work (boot
> again and you might get the same keys).
> 
> If you're satisfied with what OpenBSD does here, then I think you
> should generally be satisfied with what NetBSD does too.

It all depends on which attacks you're concerned about. On Linux
a seed file is saved during shutdown and read at boot. By default
that file is counted as having 0 entropy, because it might for
instance be from a backup/image, and so by default you need other
sources of entropy. To trust that file to provide entropy is
really up to the administrator, who can decide which attacks he
wants to protect against.

I really never looked at how things work in OpenBSD, NetBSD or
FreeBSD, I just read various small things about it. If it works
like that seed file, and that's considered enough to initialize
the RNG, I'm concerned.


Kurt
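
An added example, not part of the original message or of any project discussed in the thread: a caller that wants to know whether the kernel RNG has been seeded, rather than silently blocking or silently getting early output, can ask with `GRND_NONBLOCK`. It assumes Linux with glibc's `getrandom(2)` wrapper, where an unseeded pool yields `EAGAIN`; `seed_state`, `classify` and `fill_random_nowait` are hypothetical names.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/random.h>   /* getrandom(2), glibc >= 2.25 (assumed platform: Linux) */

/* Hypothetical names, introduced for this example only. */
enum seed_state { RNG_SEEDED, RNG_NOT_SEEDED, RNG_ERROR };

/* Interpret the result of getrandom(..., GRND_NONBLOCK). */
enum seed_state classify(ssize_t n, int err)
{
    if (n >= 0)
        return RNG_SEEDED;       /* bytes were returned: pool is initialized */
    if (err == EAGAIN)
        return RNG_NOT_SEEDED;   /* a flags=0 call would have blocked here */
    return RNG_ERROR;            /* e.g. ENOSYS on a kernel without getrandom */
}

/* Fill buf without ever blocking. Returns 0 on success, -1 with errno set
 * (EAGAIN means "not seeded yet"; the caller decides whether to wait). */
int fill_random_nowait(void *buf, size_t len)
{
    unsigned char *p = buf;
    while (len > 0) {
        ssize_t n = getrandom(p, len, GRND_NONBLOCK);
        if (n < 0) {
            if (errno == EINTR)
                continue;        /* interrupted by a signal: retry */
            return -1;
        }
        p += n;                  /* short reads are allowed: keep going */
        len -= (size_t)n;
    }
    return 0;
}

int main(void)
{
    unsigned char key[32];
    int rc = fill_random_nowait(key, sizeof key);
    enum seed_state s = classify(rc == 0 ? 0 : -1, errno);
    static const char *msg[] = { "seeded", "not seeded yet", "error" };
    printf("kernel RNG: %s\n", msg[s]);
    return s == RNG_SEEDED ? 0 : 1;
}
```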


