Re: getrandom and getentropy

[Kurt Roeckx <kurt%roeckx.be@localhost>]

On Fri, May 01, 2020 at 07:19:09PM +0000, Taylor R Campbell wrote:
> +.It Dv GRND_INSECURE
> +Do not block; instead fill
> +.Fa buf
> +with output derived from whatever is in the system entropy pool so
> +far.
> +Equivalent to reading from
> +.Pa /dev/urandom ;
> +see
> +.Xr rnd 4 .
> +.Pp
> +If interrupted by a signal, may fail with
> +.Er EINTR
> +or return a short read.
> +If successful, guaranteed to return at least 256 bytes even if
> +interrupted.
> +.Pp
> +Despite the name, this is secure as long as you only do it
> +.Em after
> +at least one successful call without
> +.Dv GRND_INSECURE ,
> +such as
> +.Li "getrandom(..., 0)"

At which point calling with GRND_INSECURE is the same as calling
with 0 ...

> +or
> +.Li "getrandom(..., GRND_RANDOM)" ,
> +or after reading at least one byte from
> +.Pa /dev/random .

Note that this is not the cases anymore on Linux. After reading 1
byte from /dev/random, /dev/urandom can still be unintialized, and
so GRND_INSECURE is still insecure on Linux.

> +.Pp
> +.Sy WARNING :
> +If you use
> +.Dv GRND_INSECURE
> +.Em before
> +the system has full entropy. the output may enable an adversary to
> +search the possible states of the entropy pool by brute force, and
> +thereby reduce its entropy to zero.
> +Thus, incautious use of
> +.Dv GRND_INSECURE
> +can ruin the security of the whole system.
> +.It Dv GRND_RANDOM
> +Block until the system entropy pool has full entropy; then generate a
> +small amount of data.
> +Equivalent to reading from
> +.Pa /dev/random ;

You might want to read https://lwn.net/Articles/808575/

The article states among other things that GRND_RANDOM is a noop,
it behaves just like passing 0.


Kurt