On Wed 2017-08-16 23:31:48, Theodore Ts'o wrote: > On Wed, Aug 16, 2017 at 04:14:58PM -0700, Laura Abbott wrote: > > From: Daniel Micay <danielmicay@xxxxxxxxx> > > > > Existing Android bootloaders usually pass data useful as early entropy > > on the kernel command-line. It may also be the case on other embedded > > systems..... > > May I suggest a slight adjustment to the beginning commit description? > > Feed the boot command-line as to the /dev/random entropy pool > > Existing Android bootloaders usually pass data which may not be > known by an external attacker on the kernel command-line. It may > also be the case on other embedded systems. Sample command-line > from a Google Pixel running CopperheadOS.... > > The idea here is to if anything, err on the side of under-promising > the amount of security we can guarantee that this technique will > provide. For example, how hard is it really for an attacker who has > an APK installed locally to get the device serial number? Or the OS > version? And how much variability is there in the bootloader stages > in milliseconds? > > I think we should definitely do this. So this is more of a request to > be very careful what we promise in the commit description, not an > objection to the change itself. The command line is visible to unpriviledged userspace (/proc/cmdline, dmesg). Is that a problem? U-boot already does some crypto stuff, so it may have some randomness. Should we create parameter random=xxxxxxxxxxx that is "censored" during kernel boot? Pavel -- (english) http://www.livejournal.com/~pavelmachek (cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html
Attachment:
signature.asc
Description: Digital signature