Bug 1330000 - kernel: Backport getrandom system call
Summary: kernel: Backport getrandom system call
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: kernel
Version: 7.3
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: Herbert Xu
QA Contact: Chao Ye
Marie Dolezelova
URL:
Whiteboard:
Depends On:
Blocks: rhel7-getrandom 1374268 1394638 1394908 1404314 1432218
Reported: 2016-04-25 09:14 UTC by Florian Weimer
Modified: 2017-08-02 00:36 UTC

Fixed In Version: kernel-3.10.0-544.el7
Doc Type: Enhancement
Doc Text:
`getrandom` added to the Linux kernel on AMD64 and Intel 64
This update adds the `getrandom` system call to the Linux kernel on AMD64 and Intel 64 architectures. As a result, the user space can now request randomness from the same non-blocking entropy pool used by /dev/urandom, and the user space can block until at least 128 bits of entropy has been accumulated in that pool.
Clone Of:
: 1432218 1433000 (view as bug list)
Environment:
Last Closed: 2017-08-01 20:10:04 UTC
Target Upstream Version:


Links
System ID Priority Status Summary Last Updated
Red Hat Bugzilla 1298643 medium CLOSED printk notifications for urandom pool initialization 2020-10-14 00:28:05 UTC
Red Hat Bugzilla 1326218 unspecified CLOSED /dev/urandom can return potentially predictable values shortly after booting 2020-10-14 00:28:05 UTC
Red Hat Product Errata RHSA-2017:1842 normal SHIPPED_LIVE Important: kernel security, bug fix, and enhancement update 2017-08-01 18:22:09 UTC

Internal Links: 1298643 1326218 1812120

Description Florian Weimer 2016-04-25 09:14:16 UTC
We have a request to add getrandom support to glibc (bug 1329996).  This only makes sense if there is kernel support because emulation in glibc will be iffy.

getrandom was introduced upstream in 3.17:

commit c6e9d6f38894798696f23c8084ca7edbf16ee895
Author: Theodore Ts'o <tytso@mit.edu>
Date:   Thu Jul 17 04:13:05 2014 -0400

    random: introduce getrandom(2) system call

There seem to have been a couple of fixes/internal API changes since then.

Comment 1 Nick Coghlan 2016-06-23 17:14:29 UTC
Just noting that this is likely to be important for userspace/kernel container compatibility for Python runtimes, as Python runtimes built on systems with newer kernels and glibc versions will depend on the getrandom syscall (for example, this can come up when running Fedora images on OpenShift for development purposes).

For additional background, see https://www.python.org/dev/peps/pep-0522/

Comment 2 Florian Weimer 2016-06-23 17:22:14 UTC
(In reply to Nick Coghlan from comment #1)
> Just noting that this is likely to be important for userspace/kernel
> container compatibility for Python runtimes, as Python runtimes built on
> systems with newer kernels and glibc versions will depend on the getrandom
> syscall (for example, this can come up when running Fedora images on
> OpenShift for development purposes).
> 
> For additional background, see https://www.python.org/dev/peps/pep-0522/

Thanks for the background.  I'm trying to get consensus for adding a getrandom wrapper to glibc:

  https://sourceware.org/ml/libc-alpha/2016-06/msg00398.html

Comment 3 Robbie Harwood 2016-09-12 17:45:22 UTC
We would also like to be using this in krb5, though glibc support is not necessary for that use (similar to the python behavior: we both can go through syscall() to get functionality).

Comment 7 Herbert Xu 2016-12-07 09:47:15 UTC
Stanislav, I think you just need to write a program to make the new getrandom system call.

Comment 8 Stanislav Zidek 2016-12-07 09:56:58 UTC
(In reply to Herbert Xu from comment #7)
> Stanislav, I think you just need to write a program to make the new
> getrandom system call.

That seems doable, even though Hubert would probably like to test more :). Thanks for info.
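
What comments 3 and 7 describe, calling getrandom directly through syscall() with no glibc wrapper, shown as an added example that is not part of the bug report or any commenter's code. `fill_random` and `urandom_fill` are hypothetical names, and the /dev/urandom fallback for kernels that answer ENOSYS is an assumption about how a caller might handle a kernel without the backport.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <sys/syscall.h>
#include <unistd.h>

#if !defined(SYS_getrandom) && defined(__x86_64__)
#define SYS_getrandom 318   /* x86_64 syscall number, for headers that predate it */
#endif

/* Fallback for kernels without the syscall. Unlike getrandom(), reading
 * /dev/urandom never waits for the pool to be initialised. */
static int urandom_fill(unsigned char *buf, size_t len)
{
    FILE *f = fopen("/dev/urandom", "rb");
    if (f == NULL)
        return -1;
    setvbuf(f, NULL, _IONBF, 0);   /* keep random bytes out of a stdio buffer */
    size_t got = fread(buf, 1, len, f);
    fclose(f);
    return got == len ? 0 : -1;
}

/* Fill buf with len random bytes; returns 0 on success, -1 on failure.
 * flags 0 blocks until the pool is initialised; GRND_NONBLOCK (0x0001)
 * makes the call fail with EAGAIN instead of blocking. */
int fill_random(unsigned char *buf, size_t len, unsigned int flags)
{
    while (len > 0) {
        long n = syscall(SYS_getrandom, buf, len, flags);
        if (n < 0 && errno == EINTR)
            continue;                        /* interrupted by a signal: retry */
        if (n < 0 && errno == ENOSYS)
            return urandom_fill(buf, len);   /* kernel lacks getrandom */
        if (n <= 0)
            return -1;                       /* e.g. EAGAIN with GRND_NONBLOCK */
        buf += n;                            /* large requests may return short */
        len -= (size_t)n;
    }
    return 0;
}

int main(void)
{
    unsigned char key[16];   /* 128 bits */
    if (fill_random(key, sizeof key, 0) != 0)
        return 1;
    for (size_t i = 0; i < sizeof key; i++)
        printf("%02x%s", key[i], i + 1 == sizeof key ? "\n" : "");
    return 0;
}
```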

Comment 9 Rafael Aquini 2017-01-17 14:00:14 UTC
Patch(es) committed on kernel repository and an interim kernel build is undergoing testing

Comment 11 Rafael Aquini 2017-01-18 13:32:36 UTC
Patch(es) available on kernel-3.10.0-544.el7

Comment 20 Herbert Xu 2017-04-26 09:53:54 UTC
Please remove the reference to file descriptor exhaustion, and modify the last bit to say "and the kernel can now request randomness from the same non-blocking entropy pool used by /dev/urandom, but to block until at least 128 bits of entropy has been accumulated in that pool."

Thanks.

Comment 30 errata-xmlrpc 2017-08-01 20:10:04 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2017:1842

Comment 31 errata-xmlrpc 2017-08-02 00:36:55 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2017:1842

