On Sat, Sep 14, 2019 at 10:09 AM Alexander E. Patrakov <patrakov@xxxxxxxxx> wrote: > > > Which means that we're all kinds of screwed. The whole "we guarantee > > entropy" model is broken. > > I agree here. Given that you suggested "to just fill the buffer and > return 0" in the previous mail (well, I think you really meant "return > buflen", otherwise ENOENTROPY == 0 and your previous objection applies), Right. The question remains when we should WARN_ON(), though. For example, if somebody did save entropy between boots, we probably should accept that - at least in the sense of not warning when they then ask for randomness data back. And if the hardware does have a functioning rdrand, we probably should accept that too - simply because not accepting it and warning sounds a bit too annoying. But we definitely *should* have a warning for people who build embedded devices that we can't see any reasonable amount of possible entropy. Those have definitely happened, and it's a serious and real security issue. > let's do just that. As a bonus, it saves applications from the complex > dance with retrying via /dev/urandom and finally brings a reliable API > (modulo old and broken kernels) to get random numbers (well, as random > as possible right now) without needing a file descriptor. Yeah, well, the question in the end always is "what is reliable". Waiting has definitely not been reliable, and has only ever caused problems. Returning an error (or some status while still doing a best effort) would be reasonable, but I really do think that people will mis-use that. We just have too much of a history of people having the mindset that they can just fall back to something better - like waiting - and they are always wrong. Just returning random data is the right thing, but we do need to make sure that system developers see a warning if they do something obviously wrong (so that the embedded people without even a real-time clock to initialize any bits of entropy AT ALL won't think that they can generate a system key on their router). Linus