Bug 1330000

Summary: kernel: Backport getrandom system call
Product: Red Hat Enterprise Linux 7
Reporter: Florian Weimer <fweimer>
Component: kernel
Assignee: Herbert Xu <herbert.xu>
kernel sub component: Crypto
QA Contact: Chao Ye <cye>
Status: CLOSED ERRATA
Docs Contact: Marie Hornickova <mdolezel>
Severity: unspecified
Priority: unspecified
CC: cye, herbert.xu, hkario, jwboyer, ksrot, ncoghlan, nmavrogi, rharwood, tmraz, torsava
Version: 7.3
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: kernel-3.10.0-544.el7
Doc Type: Enhancement
Doc Text:
`getrandom` added to the Linux kernel on AMD64 and Intel 64

This update adds the `getrandom` system call to the Linux kernel on AMD64 and Intel 64 architectures. As a result, the user space can now request randomness from the same non-blocking entropy pool used by /dev/urandom, and the user space can block until at least 128 bits of entropy has been accumulated in that pool.
Clone Of:
: 1432218 1433000
Environment:
Last Closed: 2017-08-01 20:10:04 UTC
Type: Bug
Bug Blocks: 1329996, 1374268, 1394638, 1394908, 1404314, 1432218    

Description Florian Weimer 2016-04-25 09:14:16 UTC
We have a request to add getrandom support to glibc (bug 1329996).  This only makes sense if there is kernel support because emulation in glibc will be iffy.

getrandom was introduced upstream in 3.17:

commit c6e9d6f38894798696f23c8084ca7edbf16ee895
Author: Theodore Ts'o <tytso>
Date:   Thu Jul 17 04:13:05 2014 -0400

    random: introduce getrandom(2) system call

There seem to have been a couple of fixes/internal API changes since then.

Comment 1 Nick Coghlan 2016-06-23 17:14:29 UTC
Just noting that this is likely to be important for userspace/kernel container compatibility for Python runtimes, as Python runtimes built on systems with newer kernels and glibc versions will depend on the getrandom syscall (for example, this can come up when running Fedora images on OpenShift for development purposes).

For additional background, see https://www.python.org/dev/peps/pep-0522/

Comment 2 Florian Weimer 2016-06-23 17:22:14 UTC
(In reply to Nick Coghlan from comment #1)
> Just noting that this is likely to be important for userspace/kernel
> container compatibility for Python runtimes, as Python runtimes built on
> systems with newer kernels and glibc versions will depend on the getrandom
> syscall (for example, this can come up when running Fedora images on
> OpenShift for development purposes).
> 
> For additional background, see https://www.python.org/dev/peps/pep-0522/

Thanks for the background.  I'm trying to get consensus for adding a getrandom wrapper to glibc:

  https://sourceware.org/ml/libc-alpha/2016-06/msg00398.html

Comment 3 Robbie Harwood 2016-09-12 17:45:22 UTC
We would also like to be using this in krb5, though glibc support is not necessary for that use (similar to the python behavior: we both can go through syscall() to get functionality).

Comment 7 Herbert Xu 2016-12-07 09:47:15 UTC
Stanislav, I think you just need to write a program to make the new getrandom system call.

Comment 8 Stanislav Zidek 2016-12-07 09:56:58 UTC
(In reply to Herbert Xu from comment #7)
> Stanislav, I think you just need to write a program to make the new
> getrandom system call.

That seems doable, even though Hubert would probably like to test more :). Thanks for info.
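
Added example, not part of the bug thread or of any patch it references: a C program that makes the getrandom system call through syscall(), as Comments 3 and 7 describe, and falls back to /dev/urandom when the running kernel answers ENOSYS. The helper names `fill_random` and `fill_from_urandom` are assumptions made for this example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <unistd.h>

/* Fallback for kernels without getrandom: read /dev/urandom in full. */
static int fill_from_urandom(unsigned char *buf, size_t len)
{
    int fd = open("/dev/urandom", O_RDONLY | O_CLOEXEC);
    size_t off = 0;
    while (fd >= 0 && off < len) {
        ssize_t n = read(fd, buf + off, len - off);
        if (n > 0)
            off += (size_t)n;
        else if (n == 0 || errno != EINTR)
            break;                      /* EOF or hard error */
    }
    if (fd >= 0)
        close(fd);
    return (fd >= 0 && off == len) ? 0 : -1;
}

/* fill_random (hypothetical helper): returns 0 on success, -1 on failure. */
int fill_random(unsigned char *buf, size_t len)
{
#ifdef SYS_getrandom
    size_t off = 0;
    while (off < len) {
        /* flags == 0: block until the urandom pool has been initialised */
        long n = syscall(SYS_getrandom, buf + off, len - off, 0U);
        if (n > 0) { off += (size_t)n; continue; }  /* short reads are allowed */
        if (n < 0 && errno == EINTR) continue;      /* interrupted while blocking */
        if (n < 0 && errno != ENOSYS) return -1;    /* unexpected failure */
        break;                                      /* no getrandom in this kernel */
    }
    if (off == len)
        return 0;
#endif
    return fill_from_urandom(buf, len);
}

int main(void)
{
    unsigned char key[32];              /* e.g. a 256-bit key */
    return fill_random(key, sizeof key) == 0 ? 0 : 1;
}
```

The fallback path does not wait for the pool to be initialised, which is the guarantee getrandom adds over reading /dev/urandom.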

Comment 9 Rafael Aquini 2017-01-17 14:00:14 UTC
Patch(es) committed on kernel repository and an interim kernel build is undergoing testing

Comment 11 Rafael Aquini 2017-01-18 13:32:36 UTC
Patch(es) available on kernel-3.10.0-544.el7

Comment 20 Herbert Xu 2017-04-26 09:53:54 UTC
Please remove the reference to file descriptor exhaustion, and modify the last bit to say "and the kernel can now request randomness from the same non-blocking entropy pool used by /dev/urandom, but to block until at least 128 bits of entropy has been accumulated in that pool."

Thanks.

Comment 30 errata-xmlrpc 2017-08-01 20:10:04 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2017:1842
