Bug#897572: urandom hang in early boot

To: 897572@bugs.debian.org
Subject: Bug#897572: urandom hang in early boot
From: Bjørn Mork <bjorn@mork.no>
Date: Tue, 08 May 2018 13:23:03 +0200
Message-id: <[🔎] 87bmdqo0h4.fsf@miraculix.mork.no>
Reply-to: Bjørn Mork <bjorn@mork.no>, 897572@bugs.debian.org
In-reply-to: <645f0c99053421e8e62ec28c8a11a82cb1416ad3.camel__18379.5901168653$1525744877$gmane$org@decadent.org.uk> (Ben Hutchings's message of "Tue, 08 May 2018 03:00:29 +0100")
References: <[🔎] 152531303503.1654.3286767764771637968.reportbug@ripley> <[🔎] 152531303503.1654.3286767764771637968.reportbug@ripley> <[🔎] 79c0bff5-3bd7-c9db-393f-ccf5c8de3709@debian.org> <[🔎] 152531303503.1654.3286767764771637968.reportbug@ripley> <[🔎] 0eae90d7-4df1-569b-c9f9-a696f401e148@transient.nz> <[🔎] 152531303503.1654.3286767764771637968.reportbug@ripley> <645f0c99053421e8e62ec28c8a11a82cb1416ad3.camel__18379.5901168653$1525744877$gmane$org@decadent.org.uk> <[🔎] 152531303503.1654.3286767764771637968.reportbug@ripley>

Ben Hutchings <ben@decadent.org.uk> writes:
> On Tue, 2018-05-08 at 11:12 +1200, Ben Caradoc-Davies wrote:
>> On 08/05/18 05:34, Laurent Bigonville wrote:
>> > Apparently it's also happening for other applications that are starting 
>> > later during the boot like GDM.
>> > Somebody has reported an issue on IRC where GDM was taking upto 8 
>> > minutes to start (dmesg was showing several "random: systemd: 
>> > uninitialized urandom read (16 bytes read)" during boot)
>> > That problem might impact lot of people I'm afraid.
>> 
>> systemd is the underlying cause: plymouthd uses libudev1, which expects 
>> getrandom/urandom(?) to never block:
>> https://github.com/systemd/systemd/blob/master/src/basic/random-util.c#L34
>> 
>> See discussion here about systemd usage of random numbers:
>> systemd reads from urandom before initialization
>> https://github.com/systemd/systemd/issues/4167
>> 
>> The new problem is that 43838a23a05f ("random: fix crng_ready() test") 
>> turns an ugly warning and cryptographic weakness into an indefinite 
>> hang. Security achieved!
>
> You keep saying this, but based on my reading of the code I don't see
> how reads from /dev/urandom can end up blocking.

It's a bit convoluted, but if I read the code correctly then
acquire_random_bytes() falls back to busy-loop reading from /dev/urandom
until it has the requested number of bytes if 'high_quality_required' is
true.

There aren't more than two such calls, but one of then is
sd_id128_randomize() which calls acquire_random_bytes(&t, sizeof t, true).

And sd_id128_randomize() is called from all over the place.  I haven't
bothered looking at all the call sites, but would be surprised if not at
least one of them is unconditionally called at boot.

If I am correct, then I guess this is a systemd bug?

Bjørn

Reply to:

Follow-Ups:
- Bug#897572: urandom hang in early boot
  - From: Yves-Alexis Perez <corsac@debian.org>

References:
- Bug#897572: linux-image-4.16.0-1-amd64 breaks plymouth LUKS prompt (missing Kaby Lake firmware?)
  - From: Ben Caradoc-Davies <ben@transient.nz>
- Bug#897572: urandom hang in early boot
  - From: Laurent Bigonville <bigon@debian.org>
- Bug#897572: urandom hang in early boot
  - From: Ben Caradoc-Davies <ben@transient.nz>

Prev by Date: Bug#898165: linux-image-3.16.0-6-amd64: can't mount NFS shares via nfs referrals
Next by Date: Processed: fixed 898165 in linux/4.9.88-1~bpo8+1, fixed 898165 in linux/4.9.88-1 ...
Previous by thread: Bug#897572: urandom hang in early boot
Next by thread: Bug#897572: urandom hang in early boot
Index(es):
- Date
- Thread