Bug 1315443 - (properly) wait for urandom before master key generation for HDD encryption
Status: NEW
Product: Fedora
Classification: Fedora
Component: anaconda
Version: 25
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Anaconda Maintenance Team
QA Contact: Fedora Extras Quality Assurance
Reported: 2016-03-07 13:22 EST by Jiri Jaburek
Modified: 2016-07-26 00:04 EDT
CC: 6 users
Doc Type: Bug Fix
Type: Bug
Attachments: None

Description Jiri Jaburek 2016-03-07 13:22:13 EST
Description of problem:

Currently, Anaconda doesn't wait for /dev/urandom to be initialized in most cases and is happy to use it uninitialized - at least for generating user password salts (chpasswd), initial saved seed generation (systemd rpm scripts) or HDD encryption (cryptsetup-based).

It *seems* to wait in the last case, waiting for /proc/sys/kernel/random/entropy_avail to be >= 256, but this is a very poor indication. In addition, after 10 minutes, anaconda gives up and creates potentially insecure keys, presumably in the name of user friendliness.

First, why is the current solution suboptimal:

 - it presumes the nonblocking pool is initialized with 256 bits
   of estimated entropy - it generally will be, but it's a bad practice
   to rely on it / hardcode it

 - similarly, the pool might have been initialized much sooner, making
   anaconda unnecessarily wait longer than necessary (common case)

 - it gives up after 10 minutes without warning the user about
   possible implications on system security

Fortunately, there are better ways how to do it (pick one):

 - use the new getrandom(2) syscall, requesting 1 byte, with zero flags
   or repeatedly with NONBLOCK - checking EAGAIN - and continue only
   when you get the 1 byte of data

 - look for "random: nonblocking pool is initialized" in /dev/kmsg
   by continuously reading it as new entries appear

Only then should you continue with actions that use /dev/urandom for security purposes.

This however implies several issues:

 - there's no way to show a progress bar, the pool is either initialized
   or not - any "progress" depends on internal kernel implementation

 - the user might wish to trade security for usability/speed anyway

The former cannot be easily solved, you would just have to show a dialog similar to ["move mouse around and/or type something until I tell you to stop"]. The good news is that you can include a Cancel button to opt out of this, but make sure to visibly warn the user that doing so will result in a potentially insecure operation.
However by the time the user moves the mouse to the Cancel button, the system will probably have enough entropy to continue, so it might not make much sense to have it in the first place. Actually, chances are that there will be enough entropy by the time the GUI boots up.

Do not put any arbitrary time limits on waiting for /dev/urandom to be initialized - it may be instant (x86_64 GUI), it may take a few (11) seconds (x86_64 headless), it may take hours (s390x or something embedded without user input and hw rng). If you do, please at least warn the user somehow (motd on installed system?).


While this is a more general issue and it would be nice to have urandom initialized by the time systemd rpm scripts save it (for load on first boot), the potential for extra waiting time might not be worth it, so this bug requests it only when the user specifies HDD encryption, to replace the current entropy waiting logic.


Version-Release number of selected component (if applicable):
anaconda-25.0-1.fc25


Additional info:
It makes sense to fix this even with the recent inclusion of rngd into anaconda - the current waiting concept is wrong by design and the presence of rngd doesn't guarantee initialized urandom either.
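The getrandom(2)-based readiness check proposed above, written out as an added example (not anaconda's code and not part of this report). It assumes Linux with Python's os.getrandom available, polls with GRND_NONBLOCK and treats EAGAIN as "pool not initialized", and places the old entropy_avail reading beside it so the two indicators can be compared on a live system.

```python
import os
import time

# Flag from <sys/random.h>; os.GRND_NONBLOCK exists on Linux builds of Python.
GRND_NONBLOCK = getattr(os, "GRND_NONBLOCK", 0x0001)


def read_entropy_avail() -> int:
    """The indicator the report criticises: an estimate, not an initialized flag."""
    with open("/proc/sys/kernel/random/entropy_avail") as f:
        return int(f.read().strip())


def urandom_is_initialized() -> bool:
    """Non-blocking probe: ask getrandom(2) for one byte of the urandom pool.

    Returns True if the byte came back (pool initialized) and False if the
    kernel answered EAGAIN (pool not initialized yet). Other errors propagate.
    """
    try:
        os.getrandom(1, GRND_NONBLOCK)
    except BlockingIOError:  # errno EAGAIN: not initialized yet
        return False
    return True


def wait_for_urandom(poll_interval: float = 0.25) -> None:
    """Block until the pool is initialized, with no arbitrary time limit.

    os.getrandom(1, 0) would block inside the kernel until the pool is ready;
    polling with GRND_NONBLOCK lets a caller keep a UI responsive (redraw a
    "waiting for entropy" dialog, honour Cancel) between probes.
    """
    while not urandom_is_initialized():
        time.sleep(poll_interval)


def generate_master_key(nbytes: int = 64) -> bytes:
    """Generate a disk-encryption master key only after the pool is ready."""
    wait_for_urandom()
    key = b""
    while len(key) < nbytes:
        # flags=0 never blocks once initialized, but may return fewer bytes
        # than requested for large sizes, so accumulate until complete.
        key += os.getrandom(nbytes - len(key))
    return key
```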
Comment 1 Jan Kurik 2016-07-26 00:04:54 EDT
This bug appears to have been reported against 'rawhide' during the Fedora 25 development cycle.
Changing version to '25'.
