Web lists-archives.com

Re: Handling of entropy during boot




On Wed, 9 Jan 2019, Theodore Y. Ts'o wrote:

> On Wed, Jan 09, 2019 at 09:58:22AM +0100, Stefan Fritsch wrote:
> > 
> > There have been a number of bug reports and blog posts about this, despite 
> > buster not being release yet. So it's not that uncommon.
> 
> Pointers, please?  Let's see them and investigate.  The primary issue
> I've been aware of to date has been on Fedora systems, and it's due to
> some Red Hat specific changes that they made for FEDRAMP compliance
> --- and Red Hat has dealt with those issues.
> 
> If there are problems for people using Debian Testing, we should
> investigate them and understand what is going on.

Some other people already have sent you a few pointers (thanks!). The 
reason why I am looking into this is that it affects apache2 (see 
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=914297 ). Apache does 
not call getrandom itself but libssl does, and it definitely needs secure 
randomness for diffie-hellman. So there is nothing that can or should be 
fixed in apache.

More links are at the end of 
https://lists.debian.org/debian-devel/2018/12/msg00184.html

Also, the thread on debian-kernel pointed to by Ben Hutchings is an 
interesting read, I had not noticed that before.


> > No, that's utterly wrong. If it's a hassle to use good entropy, people 
> > will use gettimeofday() for getting "entropy" and they will use it for 
> > security relevant purposes. In this way, you would achieve exactly the 
> > opposite of what you want.
> 
> If *users* do this, then if they end up releasing credit card numbers
> or PII or violate their customers privacy which brings the EU's GDPR
> enforcers down on then, it's on *their* heads.  If *Debian* makes a
> local Debian-specific change which causes these really bad outcomes,
> then it's on *ours*.

Since many users and developers will take the shortest path to a "working" 
service, we must make sure that the secure way just works.

> > Any program that does secure network connections needs entropy for 
> > Diffie-Hellman. And even seeds for hash buckets can be security relevant. 
> > You really don't want that people need to distinguish between 
> > security-critical and stupid uses of entropy, because they WILL get it 
> > wrong.
> 
> Sure, this is why developers need to investigate the bugs.  You said
> you provided links, but I couldn't find any in your e-mail messages or
> earlier ones on this thread.  Perhaps I missed them; in which case, my
> apologies.   Can you please send/resend those links?
> 
> Can you please prioritize reports from people running Debian Unstable
> or Debain Testing?  As I said above, these issues tend to be very
> distro specific, especially when distros are messing around with
> crypto-related libraries in order to keep the US Government happy.

As far as I can see, all reports are from unstable/testing only, because 
stable does not cause getrandom() to block (see 
https://lists.debian.org/debian-release/2018/05/msg00130.html ).