PR/55847 CVS commit: src

["Taylor R Campbell" <riastradh%netbsd.org@localhost>]

The following reply was made to PR pkg/55847; it has been noted by GNATS.

From: "Taylor R Campbell" <riastradh%netbsd.org@localhost>
To: gnats-bugs%gnats.NetBSD.org@localhost
Cc: 
Subject: PR/55847 CVS commit: src
Date: Fri, 30 Jun 2023 21:42:06 +0000

 Module Name:	src
 Committed By:	riastradh
 Date:		Fri Jun 30 21:42:06 UTC 2023
 
 Modified Files:
 	src/share/man/man7: entropy.7
 	src/sys/kern: kern_clock.c kern_entropy.c
 
 Log Message:
 entropy(9): Reintroduce netbsd<=9 time-delta estimator for unblocking.
 
 The system will (in a subsequent change) by default block for this
 condition before almost all of userland is running (including
 /etc/rc.d/sshd key generation).  That way, a never-blocking
 getentropy(3) API will never return any data without at least
 best-effort entropy like netbsd<=9 did to applications except in
 single-user mode (where you have to be careful about everything
 anyway) or in the few processes that run before a seed can even be
 loaded (where blocking indefinitely, e.g. when generating a stack
 protector cookie in libc, could pose a severe availability problem
 that can't be configured away, but where the security impact is low).
 
 However, (in another subsequent change) we will continue to use
 _only_ HWRNG driver estimates and seed estimates, and _not_
 time-delta estimator, for _warning_ about security in motd, daily
 security report, etc.  And if HWRNG/seed provides enough entropy
 before time-delta estimator does, that will unblock /dev/random too.
 
 The result is:
 
 - Machines with HWRNG or seed won't warn about entropy and will
   essentially never block -- even on first boot without a seed, it
   will take only as long as the fastest HWRNG to unblock.
 
 - Machines with neither HWRNG nor seed:
   . will warn about entropy, giving feedback about security;
     and
   . will avoid returning anything more predictable than netbsd<=9;
     but
   . won't block (much) longer than netbsd<=9 would (and won't block
     again after blocking once, except with kern.entropy.depletion=1 for
     testing).
 
   (The threshold for unblocking is now somewhat higher than before:
   512 samples that pass the time-delta estimator, rather than 80 as
   it used to be.)
 
   And, of course, adding a seed (or HWRNG) will prevent both warnings
   and blocking.
 
 The mechanism is:
 
 1. /dev/random will block until _either_
 
    (a) enough bits of entropy (256) from reliable sources have been
        added to the pool, _or_
 
    (b) enough samples have been added from any sources (512), passing
        the old time-delta entropy estimator, that the possible
        security benefit doesn't justify holding up availability any
        longer (`best effort'), except on systems with higher security
        requirements like securelevel=2 which can disable non-HWRNG,
        non-seed sources with rndctl_flags in rc.conf(5).
 
 2. dmesg will report `entropy: ready' when 1(a) is satisfied, but if
    1(b) is satisfied first, it will report `entropy: best effort', so
    the concise log messages will reflect the timing and whether in
    any period of time any of the system might be relying on best
    effort entropy.
 
 3. The sysctl knob kern.entropy.needed (and the ioctl RNDGETPOOLSTAT
    variable rndpoolstat_t::added) still reflects the number of bits
    of entropy from reliable sources, so we can still use this to
    suggest regenerating ssh keys.
 
    This matters on platforms that can only be reached, after flashing
    an installation image, by sshing in over a (private) network, like
    small network appliances or remote virtual machines without
    (interactive) serial consoles.  If we blocked indefinitely at boot
    when generating ssh keys, such platforms would be unusable.  This
    way, platforms are usable, but operators can still be advised at
    login time to regenerate keys as soon as they can actually load
    entropy onto the system, e.g. with rndctl(8) on a seed file copied
    from a local machine over the (private) network.
 
 4. On machines without HWRNG, using a seed file still suppresses
    warnings for users who need more confident security.  But it is no
    longer necessary for availability.
 
 This is a compromise between availability and security:
 
 - The security mechanism of blocking indefinitely on machines without
   HWRNG hurts availability too much, as painful experience over the
   multiple years since I made the mistake of introducing it have
   shown.  (Sorry!)
 
 - The other main alternative, not having a blocking path at all (as I
   pushed for, and as OpenBSD has done for a long time) could
   potentially reduce security vs netbsd<=9, and would run against the
   expectations set by many popular operating systems to the severe
   detriment of public perception of NetBSD security.
 
 Even though we can't _confidently_ assess enough entropy from, e.g.,
 sampling interrupt timings, this is the traditional behaviour that
 most operating systems provide -- and the result here is a net
 nondecrease in security over netbsd<=9, because all paths from the
 entropy pool to userland now have at least as high a standard before
 returning data as they did in netbsd<=9.
 
 PR kern/55641
 PR pkg/55847
 PR kern/57185
 https://mail-index.netbsd.org/current-users/2020/09/02/msg039470.html
 https://mail-index.netbsd.org/current-users/2020/11/21/msg039931.html
 https://mail-index.netbsd.org/current-users/2020/12/05/msg040019.html
 
 XXX pullup-10
 
 
 To generate a diff of this commit:
 cvs rdiff -u -r1.8 -r1.9 src/share/man/man7/entropy.7
 cvs rdiff -u -r1.148 -r1.149 src/sys/kern/kern_clock.c
 cvs rdiff -u -r1.61 -r1.62 src/sys/kern/kern_entropy.c
 
 Please note that diffs are not public domain; they are subject to the
 copyright notices on the relevant files.