Red Hat Bugzilla – Bug 1315443
(properly) wait for urandom before master key generation for HDD encryption
Last modified: 2016-07-26 00:04:54 EDT
Description of problem:
Currently, Anaconda doesn't wait for /dev/urandom to be initialized in most cases and is happy to use it uninitialized - at least for generating user password salts (chpasswd), initial saved seed generation (systemd rpm scripts) or HDD encryption (cryptsetup-based).
It *seems* to wait in the last case, waiting for /proc/sys/kernel/random/entropy_avail to be >= 256, but this is a very poor indication. In addition, after 10 minutes, anaconda gives up and creates potentially insecure keys, presumably in the name of user friendliness.
First, why is the current solution suboptimal:
- it presumes the nonblocking pool is initialized with 256 bits
of estimated entropy - it generally will be, but it's a bad practice
to rely on it / hardcode it
- similarly, the pool might have been initialized much sooner, making
anaconda unnecessarily wait longer than necessary (common case)
- it gives up after 10 minutes without warning the user about
possible implications on system security
Fortunately, there are better ways how to do it (pick one):
- use the new getrandom(2) syscall, requesting 1 byte, with zero flags
or repeatedly with NONBLOCK - checking EAGAIN - and continue only
when you get the 1 byte of data
- look for "random: nonblocking pool is initialized" in /dev/kmsg
by continuously reading it as new entries appear
Only then should you continue with actions that use /dev/urandom for security purposes.
This however implies several issues:
- there's no way to show a progress bar, the pool is either initialized
or not - any "progress" depends on internal kernel implementation
- the user might wish to trade security for usability/speed anyway
The former cannot be easily solved, you would just have to show up a dialog similar to ["move mouse around and/or type something until I tell you to stop"]. The good news is that you can include a Cancel button to opt out of this, but make sure to visibly warn the user than doing so will result in a potentially insecure operation.
However by the time the user moves the mouse to the Cancel button, the system will probably have enough entropy to continue, so it might not make much sense to have it in the first place. Actually, chances are that that there will be enough entropy by the time the GUI boots up.
Do not put any arbitrary time limits on waiting for /dev/urandom to be initialized - it may be instant (x86_64 GUI), it may take a few (11) seconds (x86_64 headless), it may take hours (s390x or something embedded without user input and hw rng). If you do, please at least warn the user somehow (motd on installed system?).
While this is a more general issue and it would be nice to have urandom initialized by the time systemd rpm scripts save it (for load on first boot), the potential for extra waiting time might not be worth it, so this bug requests it only when the user specifies HDD encryption, to replace the current entropy waiting logic.
Version-Release number of selected component (if applicable):
It makes sense to fix this even with the recent inclusion of rngd into anaconda - the current waiting concept is wrong by design and the presence of rngd doesn't guarantee initialized urandom either.
This bug appears to have been reported against 'rawhide' during the Fedora 25 development cycle.
Changing version to '25'.