Re: getrandom and getentropy

To: Taylor R Campbell <riastradh%NetBSD.org@localhost>
Subject: Re: getrandom and getentropy
From: Andreas Gustafsson <gson%gson.org@localhost>
Date: Sun, 10 May 2020 14:24:00 +0300

Taylor R Campbell wrote:
> In NetBSD-current, there's a distinction between:
> - incorporating what samples we have, and
> - confidently achieving full entropy.
> This distinction is made between sources that maybe might have
> entropy, like interrupt timings, but we can't honestly put a lower
> bound on the amount, and hardware random number generators, which are
> engineered with specific physical designs to have a certain advertised
> minimum amount of entropy.
> 
> Right now, reading from /dev/urandom on NetBSD generally gives at
> least as good a result as you get on any of the other systems -- the
> pool will have been seeded with whatever we can get, including cycle
> counts sampled at various times during kernel startup and a seed on
> disk or HWRNG samples if available; it's never reading from an
> _uninitialized_ pool.
>
> However, reading from /dev/random might wait _longer_ on NetBSD, for
> what it can more confidently call full entropy based either on
> automatic counting from HWRNG drivers, or on intervention by the
> operator.
> 
> Given that, I think it is reasonable to implement getentropy(...)  as
> an alias for getrandom(..., GRND_INSECURE) == read from /dev/urandom
> == sysctl kern.arandom (as nia@ just committed the other day), which
> is consistent with the somewhat nuanced interpretation of the
> semantics above, and to provide getrandom(...,0) as I originally
> suggested alongside it.

The getentropy() man pages on OpenBSD, FreeBSD, and Linux all say it
returns "high-quality" entropy, and do not caution against using it
for security critical purposes such as key generation, so presumably
applications do in fact use if for such purposes.  Given that,
implementing it as getrandom(..., GRND_INSECURE) seems like a bad
idea.

Also, two of the man pages explicitly mention blocking, so any
portable software using getentropy() should already deal with it.
So why not do the safe thing and implement it as getrandom(..., 0)
== read from /dev/random?
-- 
Andreas Gustafsson, gson%gson.org@localhost

Follow-Ups:
- Re: getrandom and getentropy
  - From: Taylor R Campbell
- Re: getrandom and getentropy
  - From: nia
- Re: getrandom and getentropy
  - From: Joerg Sonnenberger

References:
- Re: getrandom and getentropy
  - From: nia
- Re: getrandom and getentropy
  - From: Taylor R Campbell

Prev by Date: Re: getrandom and getentropy
Next by Date: Re: PATCH libatomic
Previous by Thread: Re: getrandom and getentropy
Next by Thread: Re: getrandom and getentropy
Indexes:

Home | Main Index | Thread Index | Old Index