VOTE Apply PR#9084 reverting DEVRANDOM_WAIT

Dr Paul Dale paul.dale at oracle.com
Fri Jun 7 08:03:26 UTC 2019


Mark, I agree that the project area would be better for this discussion.

For those not involved, this revolves around the vote to merge PR#9084 and possible alternate mitigations for the underlying problem.


Tim’s explanatory message is:

> For the record, I think we need to do a better job of tackling the underlying issue.
> Dealing with systems on first boot with no entropy is an issue for a class of systems.
> However we should be distinguishing between contexts where we have decent seeding material (from having had reasonable entropy) from those where we haven't.
> We also should be able to persist seeding across boots and have recommendations for how vendors should do that.
> We should be able to fall back to handling it at the user level (i.e. non-root user, persisted in the file system).
> We need knowledge of install state (for FIPS) and that can also act as a first-boot state effectively.
> 
> And this applies equally to getentropy usage - it is only a problem in very limited contexts where blocking actually makes sense to perform.
> That the kernel has no additional entropy available is not necessarily an issue - except in a very limited context (first time boot with no other entropy available from previous contexts). 



Viktor replied:

> I just want to make sure we don't lock ourselves in to a single
> potentially clumsy solution in the library.  Various strategies
> may be appropriate depending on the platform, and ultimately the
> cooperation of the system administrator to enable the required
> mechanisms.
> 
> Potential additional sources for initial entropy on systems
> without getrandom(2) might include:
> 
>   RDSEED/RDRAND
>   TPM (or Virtualized TPM which is sometimes better!)
>   RNG state saved across reboots.
>   ...
> 
> This requires knowledge of various platforms, and potential
> help from the platform vendors.  It might, for example, make
> sense to delegate initial seeding to systemd on platforms
> that use systemd, and work with the systemd maintainers to
> provide a set of sensible entropy sources for initial boot.
> 
> Exposing a decent RNG to virtual guests and containers is
> would be another area of focus.



My suggestion as a fallback would be Stephan Müller’s CPU Jitter <http://chronox.de/jent/doc/CPU-Jitter-NPTRNG.html>.  He’s collected a large corpus of data from many processors and the scheme works relatively quickly.



Pauli
-- 
Dr Paul Dale | Cryptographer | Network Security & Encryption 
Phone +61 7 3031 7217
Oracle Australia



> On 7 Jun 2019, at 5:19 pm, Mark J Cox <mark at awe.com> wrote:
> 
> Could we have this more detailed discussion on -project?
> 
> Mark


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-project/attachments/20190607/6829ab7a/attachment-0001.html>


More information about the openssl-project mailing list