prefer RDRAND over getrandom() and /dev/urandom when we don't need the very best randomness #10676
Merged. keszybz merged 8 commits into systemd:master on Nov 8, 2018.
It's more descriptive, since we also have a function random_bytes() which sounds very similar. Also rename pseudorandom_bytes() to pseudo_random_bytes(). This way the two functions are nicely systematic, one returning genuine random bytes and the other pseudo random ones.
This should normally not happen, but given that the man page suggests something about this in the context of interruption, let's handle this and propagate an I/O error.
… parameter. No change in behaviour, just some refactoring.
When generating the salt for the firstboot password logic, let's use getrandom() blocking mode, and insist on the very best entropy.
Originally, the high_quality_required boolean argument controlled two things: whether to extend any random data we successfully read with pseudo-random data, and whether to return -ENODATA if we couldn't read any data at all. The boolean got replaced by RANDOM_EXTEND_WITH_PSEUDO, but this name doesn't really cover the second part nicely. Moreover hiding both changes of behaviour under a single flag is confusing. Hence, let's split this part off under a new flag, and use it from random_bytes().
We only use this when we don't require the best randomness. The primary use case for this is UUID generation, as this means we don't drain randomness from the kernel pool for them. Since UUIDs are usually not secrets, RDRAND should be good enough for them to avoid real-life collisions.
keszybz (Member) reviewed on Nov 8, 2018 and left a comment:
Looks great apart from this one small thing.
This has the benefit that on x86-64 we won't drain the random pool so much.
Whenever we require randomness for the sake of keeping secrets, stick to getrandom(), but for stuff such as UUID generation and seed generation for hash tables use RDRAND when it is available.
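The split the PR description spells out, as an added example that is not systemd's own code: RDRAND, when the CPU has it, for bytes that are not secret (UUIDs, hash-table seeds), and getrandom() for everything else, with a zero-length read propagated as an I/O error as one of the commits above describes. The flag name RANDOM_ALLOW_RDRAND, the function names and the 32-byte self-check are assumptions for this example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
#include <sys/random.h>

typedef enum { RANDOM_ALLOW_RDRAND = 1 << 0 } RandomFlags; /* flag name assumed for this example */

/* Fetch 64 bits from RDRAND; -EOPNOTSUPP if the CPU lacks it, -EIO if it keeps signalling failure. */
static int rdrand64(uint64_t *out) {
#if defined(__x86_64__)
        if (!__builtin_cpu_supports("rdrnd")) return -EOPNOTSUPP; /* CPUID.01H:ECX.RDRAND */
        for (int i = 0; i < 10; i++) { /* RDRAND may transiently fail (CF=0): retry a few times */
                unsigned char ok;
                __asm__ volatile("rdrand %0; setc %1" : "=r"(*out), "=qm"(ok));
                if (ok) return 0;
        }
        return -EIO;
#else
        (void) out; return -EOPNOTSUPP; /* non-x86: always fall back to getrandom() */
#endif
}

/* Secrets (e.g. the firstboot password salt) must leave RANDOM_ALLOW_RDRAND unset, so they always come
 * from getrandom(), which blocks until the kernel pool is initialized. Non-secrets may set it and then
 * never touch the kernel pool on RDRAND-capable CPUs. */
int genuine_random_bytes(void *buf, size_t n, RandomFlags flags) {
        uint8_t *p = buf;
        size_t done = 0;
        if (flags & RANDOM_ALLOW_RDRAND)
                while (done < n) {
                        uint64_t v;
                        size_t k = n - done < sizeof v ? n - done : sizeof v;
                        if (rdrand64(&v) < 0) break; /* no/failed RDRAND: getrandom() fills the rest */
                        memcpy(p + done, &v, k);
                        done += k;
                }
        while (done < n) {
                ssize_t r = getrandom(p + done, n - done, 0);
                if (r < 0) { if (errno == EINTR) continue; return -errno; }
                if (r == 0) return -EIO; /* zero-length read: propagate as an I/O error, as the PR does */
                done += (size_t) r;
        }
        return 0;
}

/* Fill 32 bytes under the given policy; true if the call succeeded and the output is not all zeros. */
bool fill_and_check(RandomFlags flags) {
        uint8_t buf[32] = {0}, zero[32] = {0};
        return genuine_random_bytes(buf, sizeof buf, flags) == 0 && memcmp(buf, zero, sizeof buf) != 0;
}
```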