At Sun, 4 Apr 2021 09:49:58 +0000, Taylor R Campbell <riastradh%NetBSD.org@localhost> wrote:
Subject: Re: regarding the changes to kernel entropy gathering
>
> > Date: Sat, 03 Apr 2021 12:24:29 -0700
> > From: "Greg A. Woods" <woods%planix.ca@localhost>
> >
> > Updating a system, even on -current, shouldn't create a long-lived
> > situation where the system documentation and the behaviour and actions
> > of system commands is completely out of sync with the behaviour of the
> > kernel, and in fact lies to the administrator about the abilities of the
> > system.
>
> It would help if you could identify specifically what you are calling
> a lie.
>
> > @@ -1754,21 +1766,21 @@
> > rnd_add_uint32(struct krndsource *rs, uint32_t value)
> > {
> >
> > - rnd_add_data(rs, &value, sizeof value, 0);
> > + rnd_add_data(rs, &value, sizeof value, sizeof value * ABBY);
> > }
>
> The rnd_add_uint32 function is used by drivers to feed in data from
> sources _with no known model for their entropy_.
Indeed -- that's the idea.
> It's how drivers
> toss in data that might be helpful but might totally predictable, and
> the driver has no way to know.
Yeah, so? They don't need to know this. I'm not actually asking random
drivers to decide the amount of physical entropy they can collect.
That is controlled elsewhere.
> Your change _creates_ the lie that every bit of data entered this way
> is drawn from a source with independent uniform distribution.
No, my change _allows_ the administrator to decide which devices can be
used as estimating/counting entropy sources. For example I know that
many of the devices on almost all of my machines (virtual or otherwise)
are equally good sources of entropy for their uses.
An addition change, one which I would also find totally acceptable,
would be to disable the current default of allowing "estimation" on
devices which are not true hardware RNGs. I.e. maybe this simple change
would suffice (though I haven't checked beyond a quick grep to see that
this flag is the mostly commonly used one -- perhaps some real RNG
devices could also be changed to use explicit flags to enable estimation
by default):
--- sys/sys/rndio.h.~1.2.~ 2016-07-23 14:36:45.000000000 -0700
+++ sys/sys/rndio.h 2021-04-04 12:39:15.609936311 -0700
@@ -91,8 +91,7 @@
#define RND_FLAG_ESTIMATE_TIME 0x00004000 /* estimate entropy on time */
#define RND_FLAG_ESTIMATE_VALUE 0x00008000 /* estimate entropy on value */
#define RND_FLAG_HASENABLE 0x00010000 /* has enable/disable fns */
-#define RND_FLAG_DEFAULT (RND_FLAG_COLLECT_VALUE|RND_FLAG_COLLECT_TIME|\
- RND_FLAG_ESTIMATE_TIME)
+#define RND_FLAG_DEFAULT (RND_FLAG_COLLECT_VALUE|RND_FLAG_COLLECT_TIME)
#define RND_TYPE_UNKNOWN 0 /* unknown source */
#define RND_TYPE_DISK 1 /* source is physical disk */
There are a vast number of ways this re-tooling of entropy collection
could have been done better.
I'm asking for discussion on what amount to some VERY simple changes
which completely and totally solve many real-world uses of this code
while at the same time not just allowing, but defaulting to, the very
strict and secure operation for special situations.
--
Greg A. Woods <gwoods%acm.org@localhost>
Kelowna, BC +1 250 762-7675 RoboHack <woods%robohack.ca@localhost>
Planix, Inc. <woods%planix.com@localhost> Avoncote Farms <woods%avoncote.ca@localhost>
Attachment:
pgpaA7BEu_i2X.pgp
Description: OpenPGP Digital Signature