On Mon, Apr 30, 2018 at 4:12 PM, Jeremy Cline <jer...@jcline.org> wrote: > On 04/29/2018 06:05 PM, Theodore Y. Ts'o wrote: >> On Sun, Apr 29, 2018 at 01:20:33PM -0700, Sultan Alsawaf wrote: >>> On Sun, Apr 29, 2018 at 08:41:01PM +0200, Pavel Machek wrote: >>>> Umm. No. https://www.youtube.com/watch?v=xneBjc8z0DE >>> >>> Okay, but /dev/urandom isn't a solution to this problem because it isn't >>> usable >>> until crng init is complete, so it suffers from the same init lag as >>> /dev/random. >> >> It's more accurate to say that using /dev/urandom is no worse than >> before (from a few years ago). There are, alas, plenty of >> distributions and user space application programmers that basically >> got lazy using /dev/urandom, and assumed that there would be plenty of >> entropy during early system startup. >> >> When they switched over the getrandom(2), the most egregious examples >> of this caused pain (and they got fixed), but due to a bug in >> drivers/char/random.c, if getrandom(2) was called after the entropy >> pool was "half initialized", it would not block, but proceed. >> >> Is that exploitable? Well, Jann and I didn't find an _obvious_ way to >> exploit the short coming, which is this wasn't treated like an >> emergency situation ala the embarassing situation we had five years >> ago[1]. >> >> [1] https://factorable.net/paper.html >> >> However, it was enough to make us be uncomfortable, which is why I >> pushed the changes that I did. At least on the devices we had at >> hand, using the distributions that we typically use, the impact seemed >> minimal. Unfortuantely, there is no way to know for sure without >> rolling out change and seeing who screams. In the ideal world, >> software would not require cryptographic randomness immediately after >> boot, before the user logs in. And ***really***, as in [1], softwaret >> should not be generating long-term public keys that are essential to >> the security of the box a few seconds immediately after the device is >> first unboxed and plugged in.i >> >> What would be useful is if people gave reports that listed exactly >> what laptop and distributions they are using. Just "a high spec x86 >> laptop" isn't terribly useful, because *my* brand-new Dell XPS 13 >> running Debian testing is working just fine. The year, model, make, >> and CPU type plus what distribution (and distro version number) you >> are running is useful, so I can assess how wide spread the unhappiness >> is going to be, and what mitigation steps make sense. > > Fedora has started seeing some bug reports on this for Fedora 27[0] and > I've asked reporters to include their hardware details. > > [0] https://bugzilla.redhat.com/show_bug.cgi?id=1572944 >
We have also had reports that Fedora users are seeing this on Google Compute Engine. Justin
