Re: Handling of entropy during boot
On Wed, 9 Jan 2019, Theodore Y. Ts'o wrote:
> On Wed, Jan 09, 2019 at 09:58:22AM +0100, Stefan Fritsch wrote:
> >
> > There have been a number of bug reports and blog posts about this, despite
> > buster not being release yet. So it's not that uncommon.
>
> Pointers, please? Let's see them and investigate. The primary issue
> I've been aware of to date has been on Fedora systems, and it's due to
> some Red Hat specific changes that they made for FEDRAMP compliance
> --- and Red Hat has dealt with those issues.
>
> If there are problems for people using Debian Testing, we should
> investigate them and understand what is going on.
Some other people already have sent you a few pointers (thanks!). The
reason why I am looking into this is that it affects apache2 (see
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=914297 ). Apache does
not call getrandom itself but libssl does, and it definitely needs secure
randomness for diffie-hellman. So there is nothing that can or should be
fixed in apache.
More links are at the end of
https://lists.debian.org/debian-devel/2018/12/msg00184.html
Also, the thread on debian-kernel pointed to by Ben Hutchings is an
interesting read, I had not noticed that before.
> > No, that's utterly wrong. If it's a hassle to use good entropy, people
> > will use gettimeofday() for getting "entropy" and they will use it for
> > security relevant purposes. In this way, you would achieve exactly the
> > opposite of what you want.
>
> If *users* do this, then if they end up releasing credit card numbers
> or PII or violate their customers privacy which brings the EU's GDPR
> enforcers down on then, it's on *their* heads. If *Debian* makes a
> local Debian-specific change which causes these really bad outcomes,
> then it's on *ours*.
Since many users and developers will take the shortest path to a "working"
service, we must make sure that the secure way just works.
> > Any program that does secure network connections needs entropy for
> > Diffie-Hellman. And even seeds for hash buckets can be security relevant.
> > You really don't want that people need to distinguish between
> > security-critical and stupid uses of entropy, because they WILL get it
> > wrong.
>
> Sure, this is why developers need to investigate the bugs. You said
> you provided links, but I couldn't find any in your e-mail messages or
> earlier ones on this thread. Perhaps I missed them; in which case, my
> apologies. Can you please send/resend those links?
>
> Can you please prioritize reports from people running Debian Unstable
> or Debain Testing? As I said above, these issues tend to be very
> distro specific, especially when distros are messing around with
> crypto-related libraries in order to keep the US Government happy.
As far as I can see, all reports are from unstable/testing only, because
stable does not cause getrandom() to block (see
https://lists.debian.org/debian-release/2018/05/msg00130.html ).
Reply to: