Bug 1315443 - (properly) wait for urandom before master key generation for HDD encryption
(properly) wait for urandom before master key generation for HDD encryption
Product: Fedora
Classification: Fedora
Component: anaconda (Show other bugs)
All Linux
medium Severity medium
: ---
: ---
Assigned To: Anaconda Maintenance Team
Fedora Extras Quality Assurance
Depends On:
  Show dependency treegraph
Reported: 2016-03-07 13:22 EST by Jiri Jaburek
Modified: 2017-12-12 05:59 EST (History)
6 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2017-12-12 05:59:31 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Jiri Jaburek 2016-03-07 13:22:13 EST
Description of problem:

Currently, Anaconda doesn't wait for /dev/urandom to be initialized in most cases and is happy to use it uninitialized - at least for generating user password salts (chpasswd), initial saved seed generation (systemd rpm scripts) or HDD encryption (cryptsetup-based).

It *seems* to wait in the last case, waiting for /proc/sys/kernel/random/entropy_avail to be >= 256, but this is a very poor indication. In addition, after 10 minutes, anaconda gives up and creates potentially insecure keys, presumably in the name of user friendliness.

First, why is the current solution suboptimal:

 - it presumes the nonblocking pool is initialized with 256 bits
   of estimated entropy - it generally will be, but it's a bad practice
   to rely on it / hardcode it

 - similarly, the pool might have been initialized much sooner, making
   anaconda unnecessarily wait longer than necessary (common case)

 - it gives up after 10 minutes without warning the user about
   possible implications on system security

Fortunately, there are better ways how to do it (pick one):

 - use the new getrandom(2) syscall, requesting 1 byte, with zero flags
   or repeatedly with NONBLOCK - checking EAGAIN - and continue only
   when you get the 1 byte of data

 - look for "random: nonblocking pool is initialized" in /dev/kmsg
   by continuously reading it as new entries appear

Only then should you continue with actions that use /dev/urandom for security purposes.

This however implies several issues:

 - there's no way to show a progress bar, the pool is either initialized
   or not - any "progress" depends on internal kernel implementation

 - the user might wish to trade security for usability/speed anyway

The former cannot be easily solved, you would just have to show up a dialog similar to ["move mouse around and/or type something until I tell you to stop"]. The good news is that you can include a Cancel button to opt out of this, but make sure to visibly warn the user than doing so will result in a potentially insecure operation.
However by the time the user moves the mouse to the Cancel button, the system will probably have enough entropy to continue, so it might not make much sense to have it in the first place. Actually, chances are that that there will be enough entropy by the time the GUI boots up.

Do not put any arbitrary time limits on waiting for /dev/urandom to be initialized - it may be instant (x86_64 GUI), it may take a few (11) seconds (x86_64 headless), it may take hours (s390x or something embedded without user input and hw rng). If you do, please at least warn the user somehow (motd on installed system?).

While this is a more general issue and it would be nice to have urandom initialized by the time systemd rpm scripts save it (for load on first boot), the potential for extra waiting time might not be worth it, so this bug requests it only when the user specifies HDD encryption, to replace the current entropy waiting logic.

Version-Release number of selected component (if applicable):

Additional info:
It makes sense to fix this even with the recent inclusion of rngd into anaconda - the current waiting concept is wrong by design and the presence of rngd doesn't guarantee initialized urandom either.
Comment 1 Jan Kurik 2016-07-26 00:04:54 EDT
This bug appears to have been reported against 'rawhide' during the Fedora 25 development cycle.
Changing version to '25'.
Comment 2 Fedora End Of Life 2017-11-16 14:04:58 EST
This message is a reminder that Fedora 25 is nearing its end of life.
Approximately 4 (four) weeks from now Fedora will stop maintaining
and issuing updates for Fedora 25. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as EOL if it remains open with a Fedora  'version'
of '25'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version'
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not
able to fix it before Fedora 25 is end of life. If you would still like
to see this bug fixed and are able to reproduce it against a later version
of Fedora, you are encouraged  change the 'version' to a later Fedora
version prior this bug is closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's
lifetime, sometimes those efforts are overtaken by events. Often a
more recent Fedora release includes newer upstream software that fixes
bugs or makes them obsolete.
Comment 3 Fedora End Of Life 2017-12-12 05:59:31 EST
Fedora 25 changed to end-of-life (EOL) status on 2017-12-12. Fedora 25 is
no longer maintained, which means that it will not receive any further
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version. If you
are unable to reopen this bug, please file a new report against the
current release. If you experience problems, please add a comment to this

Thank you for reporting this bug and we are sorry it could not be fixed.

Note You need to log in before you can comment on or make changes to this bug.