Hi Stephan, thank you for your thorough reply, On St, 2016-06-15 at 18:58 +0200, Stephan Mueller wrote: > Am Mittwoch, 15. Juni 2016, 18:17:43 schrieb David Jaša: > > Hi David, > > > Hello Stephan, > > > > Did you consider blocking urandom output or returning error until > > initialized? Given the speed of initialization you report, it shouldn't > > break any userspace apps while making sure that nobody uses predictable > > pseudoranom numbers. > > My LRNG will definitely touch the beginning of the initramfs booting until it > is fully seeded. As these days the initramfs is driven by systemd which always > pulls from /dev/urandom, we cannot block as this would block systemd. In Ted's > last patch, he mentioned that he tried to make /dev/urandom block which caused > user space pain. I was thinking along the lines that "almost every important package supports FreeBSD as well where they have to handle the condition so option to switch to Rather Break Than Generate Weak Keys would be nice" - but I didn't expect that systemd could be a roadblock here. :-/ I was also thinking of little devices where OpenWRT or proprietary Linux-based systems run that ended up with predictable keys way too ofter (or as in OpenWRT's case, with cumbersome tutorials how to generate keys elsewhere). > > But if you use the getrandom system call, it works like /dev/urandom but > blocks until the DRBG behind /dev/urandom is fully initialized. > > > > I was considering asking for patch (or even trying to write it myself) > > to make current urandom block/fail when not initialized but that would > > surely have to be off by default over "never break userspace" rule (even > > if it means way too easy security problem with both random and urandom). > > Properties of your urandom implementation makes this point moot and it > > could make the random/urandom wars over. > > That patch unfortunately will not work. But if you are interested in that > blocking /dev/urandom behavior for your application, use getrandom. > I'm QA with a touch of sysadmin so the numbers of apps to fix is large and I don't have neither control over the projects nor abilities to patch them all myself. :) > > > > Best Regards, > > > > David Jaša > > > Ciao > Stephan BTW when looking at an old BSI's issue with Linux urandom that Jarod Wilson tried to solve with this series: https://www.spinics.net/lists/linux-crypto/msg06113.html I was thinking: 1) wouldn't it help for large urandom consumers if kernel created a DRBG instance for each of them? It would likely enhance performance and solve BSI's concern of predicting what numbers could other urandom consumers obtain at cost of memory footprint and then, after reading paper associated with this series: 2) did you evaluate use of intermediate DRBG fed by primary generator to instantiate per-node DRBG's? It would allow initialization of all secondary DRBGs right after primary generator initialization. Cheers, David -- To unsubscribe from this list: send the line "unsubscribe linux-crypto" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html