[PATCH] getrandom: new applet

Etienne Champetier champetier.etienne at gmail.com
Mon Jul 4 16:08:48 UTC 2016


2016-07-04 17:02 GMT+02:00 Denys Vlasenko <vda.linux at googlemail.com>:
> On Mon, Jul 4, 2016 at 11:00 AM, Etienne Champetier
> <champetier.etienne at gmail.com> wrote:
>>> BTW, I know that security people would scream bloody murder,
>>> but wouldn't
>>>
>>> cd /proc && cat cpuinfo meminfo stat interrupts diskstats slabinfo
>>> schedstat buddyinfo >/dev/random
>>>
>>> in practice work quite satisfactorily for adding some entropy at boot time?
>>
>> Your cat /proc/* will be almost identical each boot,
>
> Yes, at boot it is somewhat likely, although I'd like someone
> to experiment on a real system.

I will repeat myself: in crypto you prove that it's safe, not the
other way around.

>
> But you can also run the same command before key generation.
> I bet at least pids, allocation counts, and allocation addresses
> get randomized pretty fast.

Or I can just use a safe API as it exists ...

>
>> so no, it's not
>> adding entropy, or it's re-adding what is already used internally.
>> What we are trying to fight here is having the same state between
>> multiple reboots of the same router, or between multiple identical
>> routers.
>
> I'm sure most of the contents of these files are not mixed into the entropy
> pool by the kernel. For one, this data comes from a lot of different places:
> memory allocator, scheduler, disk IO, even hardware CPU frequency scaling.
> The kernel has no code to use all of that, or even half of that, for entropy
> collection.

Maybe kernel maintainers have good reasons to not mix them ...

>
> BTW, add to that /proc/net/*. I mean, literally every file (unlike /proc/*,
> where you don't want to read everything, "kcore" for one may be "a bit" big).
> There are ~50 files in /proc/net/.
> Just one example: /proc/net/unix has an Inode column for unix sockets.
> Those depend on the order in which processes started at boot.
> If there is at least some concurrency, inodes will contain some randomness.

Network and radio can add some entropy; everything else is pretty non-random.
You are reading the same flash, executing the same code, with the same
1-core CPU, and without a high precision timer.

Crypto 101 is "don't roll your own crypto"; the code you are
suggesting will make you feel safe when in reality it will change
almost nothing.

Please also reread Bastian Bittorf: in his experience, on 100 identical
routers you have at least 2 identical ssh-keys!

You haven't answered my question: should I change the applet name to
bbgetrandom?
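The "safe API" the reply refers to is getrandom(2). As an added illustration that is not part of the thread or of the busybox patch under discussion, the C program below calls it through the raw syscall (so it builds with any Linux libc) and shows the two properties that matter for first-boot key generation on identical devices: without GRND_NONBLOCK the call blocks until the kernel has seeded its pool, and with GRND_NONBLOCK it reports EAGAIN instead, so a key generator can tell "not seeded yet" from "seeded". The helper names (fill_random, entropy_pool_ready, draws_differ) are this example's own. For contrast with the cat-into-/dev/random idea: bytes written to /dev/random by an ordinary process are mixed into the pool but are not credited as entropy; only the privileged RNDADDENTROPY ioctl credits, so the write alone does not unblock anything.

```c
/* Added example (not from the busybox patch or this thread): fetching key
 * material through getrandom(2) via the raw syscall. Helper names are
 * hypothetical, chosen for this example. */
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>

#ifndef GRND_NONBLOCK
#define GRND_NONBLOCK 0x0001   /* fail with EAGAIN instead of blocking before the pool is seeded */
#endif

/* Thin wrapper around the syscall; returns bytes produced or -1 with errno set. */
static ssize_t sys_getrandom(void *buf, size_t len, unsigned int flags)
{
    return syscall(SYS_getrandom, buf, len, flags);
}

/* Fill buf completely. Without GRND_NONBLOCK the kernel blocks until its pool
 * has been seeded, which is what a first-boot key generator wants.
 * Returns 0 on success, -1 on error (errno set). */
int fill_random(void *buf, size_t len, unsigned int flags)
{
    unsigned char *p = buf;
    while (len > 0) {
        ssize_t n = sys_getrandom(p, len, flags);
        if (n < 0) {
            if (errno == EINTR)
                continue;          /* interrupted by a signal: retry */
            return -1;             /* EAGAIN (pool not ready, nonblocking), ENOSYS, ... */
        }
        p += n;
        len -= (size_t)n;          /* getrandom may return fewer bytes than requested */
    }
    return 0;
}

/* 1 if the kernel pool is seeded, 0 if not yet (EAGAIN), -1 on any other error. */
int entropy_pool_ready(void)
{
    unsigned char probe;
    if (sys_getrandom(&probe, 1, GRND_NONBLOCK) == 1)
        return 1;
    return errno == EAGAIN ? 0 : -1;
}

/* Sanity check a key generator should do: two consecutive draws must differ.
 * Returns 1 if they differ, 0 if identical, -1 if getrandom failed. */
int draws_differ(size_t len)
{
    unsigned char a[64], b[64];
    if (len > sizeof a)
        len = sizeof a;
    if (fill_random(a, len, 0) != 0 || fill_random(b, len, 0) != 0)
        return -1;
    return memcmp(a, b, len) != 0;
}

int main(void)
{
    unsigned char key[32];
    int ready = entropy_pool_ready();
    printf("pool seeded: %s\n", ready == 1 ? "yes" : ready == 0 ? "not yet" : "unknown");
    if (fill_random(key, sizeof key, 0) != 0) {
        perror("getrandom");
        return 1;
    }
    for (size_t i = 0; i < sizeof key; i++)
        printf("%02x", key[i]);
    putchar('\n');
    return 0;
}
```

On a router image, the blocking form is the one to use for key generation: the process simply waits until the kernel declares the pool seeded, instead of producing a key from a state that may be identical across reboots and across units.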
