From: Taylan Ulrich Bayırlı/Kammer <taylanbayirli@gmail.com>
Subject: bug#23605: /dev/urandom not seeded across reboots
Date: Tue, 24 May 2016 09:05:21 +0200
Message-ID: <87shx8j5qm.fsf@T420.taylan>
In-Reply-To: <20160523175832.GA10646@jasmine> (Leo Famulari's message of "Mon, 23 May 2016 13:58:32 -0400")
To: Leo Famulari
Cc: 23605@debbugs.gnu.org

Leo Famulari writes:

> I realized that we don't seem to be saving any of the entropy in the
> kernel's random pool [0] across reboots.
>
> This means that for some period after boot, /dev/urandom may not be safe
> to use. From random(4):
>
> ---
> If a seed file is saved across reboots as recommended below (all major
> Linux distributions have done this since 2000 at least),
> [/dev/urandom's] output is cryptographically secure against attackers
> without local root access as soon as it is reloaded in the boot
> sequence, and perfectly adequate for network encryption session keys.
> ---
>
> I interpret that text to mean that, without use of a seed file,
> urandom's output is *not* adequate for network encryption session keys
> (SSH, TLS, etc) until enough entropy has been gathered. I don't know how
> long that takes.
>
> I've attached my not-yet-working attempt at a urandom-seed-service. I
> tried to get it working on my own but I need the assistance of some more
> experienced Guix hackers :)
>
> I've also attached a stand-alone Guile script to illustrate what the
> effect of the service should be. This script does seem to work. I'm sure
> the use of shell tools could be replaced by Guile.
>
> After applying my patch and attempting `guix system vm ...`, I get the
> attached backtrace.
>
> Does anyone have advice about the service? Am I wrong that we need to
> seed /dev/urandom to make it work properly?
>
> [0] See the man page for random(4).

Yes, this is necessary under Linux if you want urandom to be random
enough immediately after boot, and all the distros do it as part of
their init.

There's also an interesting implication here about the very first time
you boot the system and don't have a urandom seed file from the last
shutdown yet. I don't know how this is typically handled, given that
for instance it's quite possible that a user might generate SSH keys
shortly after their first boot of a system.

I heard BSD kernels are smarter: /dev/random and urandom are the same
file and behave as follows: after boot, until there's enough entropy,
they block (behave like Linux /dev/random), and once there's enough
entropy they never block (behave like Linux /dev/urandom).

No idea how the Hurd does it.

Taylan
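As an added illustration of the seed save/restore procedure this thread discusses (this is not Leo's patch, his attached Guile script, or any Guix service; it is the procedure random(4) recommends written as a POSIX shell script), the following script saves a seed file at shutdown and feeds it back into the kernel pool at boot. The seed path /var/lib/random-seed and the environment-variable names are assumptions; the paths are parameterised so the same functions can be exercised against ordinary files instead of the real device.

```shell
#!/bin/sh
# Added example: save and restore a seed for the Linux kernel RNG across
# reboots, as random(4) recommends. Not code from the Guix project.
# SEED_FILE location is an assumption; all three paths can be overridden
# through the environment so the functions run against plain files.
SEED_FILE="${SEED_FILE:-/var/lib/random-seed}"
RANDOM_DEV="${RANDOM_DEV:-/dev/urandom}"
POOLSIZE_FILE="${POOLSIZE_FILE:-/proc/sys/kernel/random/poolsize}"

# How many bytes to save. The kernel reports its pool size in bits; use
# that (converted to bytes) when it is larger than the 512-byte default,
# and fall back to 512 bytes when the sysctl is not readable.
seed_bytes() {
    bytes=512
    if [ -r "$POOLSIZE_FILE" ]; then
        bits=$(cat "$POOLSIZE_FILE")
        if [ "$((bits / 8))" -gt 512 ]; then
            bytes=$((bits / 8))
        fi
    fi
    echo "$bytes"
}

# Write a fresh seed file from the current pool, readable by the owner
# only (an attacker who can read the seed learns what will be mixed in
# at the next boot). Written to a temporary name and renamed so a crash
# mid-write never leaves a truncated seed behind.
seed_save() {
    n=$(seed_bytes)
    tmp="$SEED_FILE.tmp"
    ( umask 077 && dd if="$RANDOM_DEV" of="$tmp" bs="$n" count=1 2>/dev/null ) || return 1
    mv "$tmp" "$SEED_FILE"
}

# At boot: mix the saved seed into the pool, then immediately replace it
# so the same seed is never reused if the machine crashes before the
# next clean shutdown. Writing to /dev/urandom updates the pool with the
# data but does not raise the kernel's entropy estimate (random(4)); on
# a first boot with no seed file, this only creates the file for next time.
seed_load() {
    if [ -f "$SEED_FILE" ]; then
        cat "$SEED_FILE" > "$RANDOM_DEV" || return 1
    fi
    seed_save
}

# Intended use: "seed_script load" from early boot, "seed_script save"
# from shutdown. With no argument the script only defines the functions.
case "${1:-}" in
    load) seed_load ;;
    save) seed_save ;;
esac
```

Both hooks are needed: the shutdown save is what carries today's pool forward, and the re-save right after loading is what keeps a crash-then-reboot from replaying yesterday's seed. Neither addresses the first-boot case raised above, where there is no seed yet and the pool has only what the kernel gathered since power-on.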