Re: [chrony-users] Chrony vs. Linux RNG



On 04/23/18 11:04, Miroslav Lichvar wrote:
> On Sun, Apr 22, 2018 at 07:15:12PM +0200, Holger Hoffstätte wrote:
>> I test stable/LTS kernels to help Greg KH and just updated to 4.16.4-rc1.
>> This contains a few patches that are supposed to help with CVEs around
>> randomness, and which cause an interesting catch-22 that affects chrony,
>> hence this mail.
>
> Thanks for the heads up.
>
> I tried booting a VM with 4.17-rc2, which should include the patches

Yeah, I could have mentioned that...

> you are referring to, but didn't see any delay problems.
>
> On what distro do you test it? Does it save and restore the random
> seed on boot (e.g. the systemd-random-seed)?

Gentoo using OpenRC, chronyd 3.3. It uses start-stop-daemon and it
was definitely chronyd hanging the boot sequence; for tests I disabled
chronyd from the default runlevel and all was back to smooth sailing.
Since s-s-d relies on chronyd going into the background, the temporary
fix was to add the --background flag to s-s-d so that OpenRC returns
immediately.

I just saw that it does indeed have a "urandom" service in the boot
runlevel, reading/writing from/to /var/lib/misc/random-seed.
But that happens way before chrony's default runlevel.

glibc is 2.26, so it should be using getrandom() and not use the
urandom fallbacks. Unfortunately it's really hard to trace/debug
this since the bug only manifests itself during the early stages, and
as soon as I do anything on a freshly booted system I create entropy,
initialising the crng and thus making everything work.

> I guess it could use a non-blocking read for the urandom device (or
> getrandom() syscall) and fall back to random(), but I'm not sure if it
> would be a good idea from the security point of view.

I found in util.c that it *should* be using getrandom() already?
Maybe the HAVE_GETRANDOM detection didn't work, but even then the
urandom fallback should not be blocking either. I'll double-check the
package script's autoconf log.

thanks,
Holger
