From: James Bottomley <James.Bottomley@HansenPartnership.com>
To: Matthew Wilcox <willy@infradead.org>
Cc: "Theodore Y. Ts'o" <tytso@mit.edu>,
Alexey Dobriyan <adobriyan@gmail.com>,
linux-kernel@vger.kernel.org, linux-mm@kvack.org
Subject: Re: repeatable boot randomness inside KVM guest
Date: Tue, 17 Apr 2018 12:57:12 +0100 [thread overview]
Message-ID: <1523966232.3250.15.camel@HansenPartnership.com> (raw)
In-Reply-To: <20180417114728.GA21954@bombadil.infradead.org>
On Tue, 2018-04-17 at 04:47 -0700, Matthew Wilcox wrote:
> On Tue, Apr 17, 2018 at 10:13:34AM +0100, James Bottomley wrote:
> > On Sat, 2018-04-14 at 17:41 -0700, Matthew Wilcox wrote:
> > > On Sat, Apr 14, 2018 at 06:44:19PM -0400, Theodore Y. Ts'o wrote:
> > > > What needs to happen is freelist should get randomized much
> > > > later in the boot sequence.A A Doing it later will require
> > > > locking; I don't know enough about the slab/slub code to know
> > > > whether the slab_mutex would be sufficient, or some other lock
> > > > might need to be added.
> > >
> > > Could we have the bootloader pass in some initial randomness?
> >
> > Where would the bootloader get it from (securely) that the kernel
> > can't?
>
> In this particular case, qemu is booting the kernel, so it can apply
> to /dev/random for some entropy.
Well, yes, but wouldn't qemu virtualize /dev/random anyway so the guest
kernel can get it from the HWRNG provided by qemu?
> > For example, if you compile in a TPM driver, the kernel will
> > pick up 32 random entropy bytes from the TPM to seed the pool, but
> > I think it happens too late to help with this problem
> > currently.A A IMA also needs the TPM very early in the boot sequence,
> > so I was wondering about using the initial EFI driver, which is
> > present on boot, and then transitioning to the proper kernel TPM
> > driver later, which would mean we could seed the pool earlier.
> >
> > As long as you mix it properly and limit the amount, it shouldn't
> > necessarily be a source of actual compromise, but having an
> > external input to our cryptographically secure entropy pool is an
> > additional potential attack vector.
>
> I thought our model was that if somebody had compromised the
> bootloader, all bets were off.
You don't have to compromise the bootloader to influence this, you
merely have to trick it into providing the random number you wanted.
The bigger you make the attack surface (the more inputs) the more
likelihood of finding a trick that works.
> A A And also that we were free to mix in as many untrustworthy bytes of
> alleged entropy into the random pool as we liked.
No, entropy mixing ensures that all you do with bad entropy is degrade
the quality, but if the quality degrades to zero (as it might at boot
when you've no other entropy sources so you feed in 100% bad entropy),
then the random sequences become predictable.
James
next prev parent reply other threads:[~2018-04-17 11:57 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20180414195921.GA10437@avx2>
2018-04-14 22:44 ` Theodore Y. Ts'o
2018-04-15 0:41 ` Matthew Wilcox
2018-04-17 9:13 ` James Bottomley
2018-04-17 11:47 ` Matthew Wilcox
2018-04-17 11:57 ` James Bottomley [this message]
2018-04-17 14:07 ` Matthew Wilcox
2018-04-17 15:20 ` James Bottomley
2018-04-17 15:16 ` Theodore Y. Ts'o
2018-04-17 15:42 ` James Bottomley
2018-04-17 21:40 ` Theodore Y. Ts'o
2018-04-16 15:54 ` Kees Cook
2018-04-16 16:15 ` Thomas Garnier
2018-04-17 0:31 ` Alexey Dobriyan
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1523966232.3250.15.camel@HansenPartnership.com \
--to=james.bottomley@hansenpartnership.com \
--cc=adobriyan@gmail.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=tytso@mit.edu \
--cc=willy@infradead.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox