undefined | Better HN

0 pointslixtra7y ago0 comments

TLDR:

Devices that create TLS and SSH keys just after boot when there is not enough entropy.

0 comments

7 comments · 1 top-level

loeg7y ago· 6 in thread

That's not a great takeaway.

The takeaway is: Linux's /dev/random and /dev/urandom interfaces are both broken, in the sense that neither is reliable for embedded developers during certain early boot conditions. Some of that was maybe worse in 2012 than today, but the fundamental interface properties have not changed.

Tl;dr: Use getrandom() instead of /dev/[u]random. Do not use GRND_RANDOM. Do not use GRND_NONBLOCK.

Scoundreller7y ago

But maybe better pre-2009:

> Surprisingly, modern Linux systems no longer collect entropy from IRQ timings. The Linux kernel maintainers deprecated the use of this source in 2009 by removing the IRQF_SAMPLE_RANDOM flag, apparently to prevent events controlled or observable by an attacker from contributing to the entropy pools.

> Although mailing list discussions suggest the intent to replace it with new collection mech- anisms tailored to each interrupt-driven source [21], as of Linux 3.4.2 no such functions have been added to the ker- nel.

> The removal of IRQs as an entropy source has likely exacerbated RNG problems in headless and embedded devices, which often lack human input devices, disks, and multiple cores. If they do, the only source of entropy—if there are any at all—may be the time of boot.

X6S1x6Okd1st7y ago

Removing something from an entropy pool because it could be used by an attacker seems really odd to me.

1 more reply

loeg7y ago

No. The fundamental problem — random blocks arbitrarily after seeding, and urandom does not block even before seeding — existed prior to the 2009 change.

pera7y ago

For keys that are generated during early/first boot conditions, couldn't one wait until /proc/sys/kernel/random/entropy_avail is greater than 256 and then read from urandom? IIRC getrandom still isn't universally available on SoCs kernels.

SEJeff7y ago

I was 1/2 way through reading your comment and was thinking, "Yeah, but they can use the getrandom() that was ported from OpenBSD", but you obviously beat me to it. Take your upvote!

loeg7y ago

OpenBSD's interface is getentropy(), but yeah, basically the same idea! I believe Linux was the second actor and intentionally made getrandom() a superset of the getentropy interface (i.e., no EINTR below 256 bytes).

As a result, writing a getentropy() shim around getrandom is feasible; FreeBSD and Linux (glibc) have done so.

1 more reply

j / k navigate · click thread line to collapse

0 comments

7 comments · 1 top-level

loeg7y ago· 6 in thread

That's not a great takeaway.

Tl;dr: Use getrandom() instead of /dev/[u]random. Do not use GRND_RANDOM. Do not use GRND_NONBLOCK.

Scoundreller7y ago

But maybe better pre-2009:

X6S1x6Okd1st7y ago

Removing something from an entropy pool because it could be used by an attacker seems really odd to me.

1 more reply

loeg7y ago

No. The fundamental problem — random blocks arbitrarily after seeding, and urandom does not block even before seeding — existed prior to the 2009 change.

pera7y ago

SEJeff7y ago

I was 1/2 way through reading your comment and was thinking, "Yeah, but they can use the getrandom() that was ported from OpenBSD", but you obviously beat me to it. Take your upvote!

loeg7y ago

As a result, writing a getentropy() shim around getrandom is feasible; FreeBSD and Linux (glibc) have done so.

1 more reply

j / k navigate · click thread line to collapse