On Sat, Sep 14, 2019 at 6:00 PM Theodore Y. Ts'o <tytso@xxxxxxx> wrote: > > That makes me even more worried. It's probably going to be OK for > modern x86 systems, since "best we can do" will include RDRAND > (whether or not it's trusted). But on systems without something like > RDRAND --- e.g., ARM --- the "best we can do" could potentially be > Really Bad. Again, look back at the Mining Your P's and Q's paper > from factorable.net. Yes. And they had that problem *because* the blocking interface was useless, and they didn't use it, and *because* nobody warned them about it. In other words, the whole disaster was exactly because blocking is wrong, and because blocking to get "secure" data is unacceptable. And the random people DIDN'T LEARN A SINGLE LESSON from that thing. Seriously. getrandom() introduced the same broken model as /dev/random had - and that then caused people to use /dev/urandom instead. And now it has shown itself to be broken _again_. And you still argue against the only sane model. Scream loudly that you're doing something wrong so that people can fix their broken garbage, but don't let people block, which is _also_ broken garbage. Seriously. Blocking is wrong. Blocking has _always_ been wrong. It was why /dev/random was useless, and it is now why the new getrandom() system call is showing itself useless. > We could return 0 for success, and yet "the best we > can do" could be really terrible. Yes. Which is why we should warn. But we can't *block*. Because that just breaks people. Like shown in this whole discussion. Why is warning different? Because hopefully it tells the only person who can *do* something about it - the original maintainer or developer of the user space tools - that they are doing something wrong and need to fix their broken model. Blocking doesn't do that. Blocking only makes the system unusable. And yes, some security people think "unusable == secure", but honestly, those security people shouldn't do system design. They are the worst kind of "technically correct" incompetent. > > > For 5.3, can we please consider my proposal in [1]? > > It may be the safest thing to do, but at that point we might as well > > just revert the ext4 change entirely. I'd rather do that, than have > > random filesystems start making random decisions based on crazy user > > space behavior. > > All we're doing is omitting the plug; Yes. Which we'll do by reverting that change. I agree that it's the safe thing to do for 5.3. We are not adding crazy workarounds for "getrandom()" bugs in some low-level filesystem. Either we fix getrandom() or we revert the change. We don't do some mis-designed "let's work around bugs in getrandom() in the ext4 filesystem with ad-hoc behavioral changes". Linus