random: document get_random_int() family

Explain what these functions are for and when they offer an advantage over get_random_bytes(). (We still need documentation on rng_is_initialized(), the random_ready_callback system, and early boot in general.) Signed-off-by: George Spelvin <lkml@sdf.org> Signed-off-by: Theodore Ts'o <tytso@mit.edu>
author: George Spelvin <lkml@sdf.org> 2019-04-19 23:48:20 -0400
committer: Theodore Ts'o <tytso@mit.edu> 2019-04-19 23:48:25 -0400
commit: 92e507d216139b356a375afbda2824e85235e748 (patch)
tree: 1d33b4529e627068fa8a50e0b87984a1dac0951a /drivers/char/random.c
parent: fe6f1a6a8eedc1aa538fee0baa612b6a59639cf8 (diff)
1 files changed, 76 insertions, 7 deletions
diff --git a/drivers/char/random.c b/drivers/char/random.c
index f3ef5db4ca94..587df86c1661 100644
--- a/drivers/char/random.c
+++ b/drivers/char/random.c
@@ -101,15 +101,13 @@
 * Exported interfaces ---- output
 * ===============================
 *
- * There are three exported interfaces; the first is one designed to
+ * There are four exported interfaces; two for use within the kernel,
- * be used from within the kernel:
+ * and two or use from userspace.
 *
- *      void get_random_bytes(void *buf, int nbytes);
+ * Exported interfaces ---- userspace output
- *
+ * -----------------------------------------
- * This interface will return the requested number of random bytes,
- * and place it in the requested buffer.
 *
- * The two other interfaces are two character devices /dev/random and
+ * The userspace interfaces are two character devices /dev/random and
 * /dev/urandom.  /dev/random is suitable for use when very high
 * quality randomness is desired (for example, for key generation or
 * one-time pads), as it will only return a maximum of the number of
@@ -122,6 +120,77 @@
 * this will result in random numbers that are merely cryptographically
 * strong.  For many applications, however, this is acceptable.
 *
+ * Exported interfaces ---- kernel output
+ * --------------------------------------
+ *
+ * The primary kernel interface is
+ *
+ *      void get_random_bytes(void *buf, int nbytes);
+ *
+ * This interface will return the requested number of random bytes,
+ * and place it in the requested buffer.  This is equivalent to a
+ * read from /dev/urandom.
+ *
+ * For less critical applications, there are the functions:
+ *
+ *      u32 get_random_u32()
+ *      u64 get_random_u64()
+ *      unsigned int get_random_int()
+ *      unsigned long get_random_long()
+ *
+ * These are produced by a cryptographic RNG seeded from get_random_bytes,
+ * and so do not deplete the entropy pool as much.  These are recommended
+ * for most in-kernel operations *if the result is going to be stored in
+ * the kernel*.
+ *
+ * Specifically, the get_random_int() family do not attempt to do
+ * "anti-backtracking".  If you capture the state of the kernel (e.g.
+ * by snapshotting the VM), you can figure out previous get_random_int()
+ * return values.  But if the value is stored in the kernel anyway,
+ * this is not a problem.
+ *
+ * It *is* safe to expose get_random_int() output to attackers (e.g. as
+ * network cookies); given outputs 1..n, it's not feasible to predict
+ * outputs 0 or n+1.  The only concern is an attacker who breaks into
+ * the kernel later; the get_random_int() engine is not reseeded as
+ * often as the get_random_bytes() one.
+ *
+ * get_random_bytes() is needed for keys that need to stay secret after
+ * they are erased from the kernel.  For example, any key that will
+ * be wrapped and stored encrypted.  And session encryption keys: we'd
+ * like to know that after the session is closed and the keys erased,
+ * the plaintext is unrecoverable to someone who recorded the ciphertext.
+ *
+ * But for network ports/cookies, stack canaries, PRNG seeds, address
+ * space layout randomization, session *authentication* keys, or other
+ * applications where the sensitive data is stored in the kernel in
+ * plaintext for as long as it's sensitive, the get_random_int() family
+ * is just fine.
+ *
+ * Consider ASLR.  We want to keep the address space secret from an
+ * outside attacker while the process is running, but once the address
+ * space is torn down, it's of no use to an attacker any more.  And it's
+ * stored in kernel data structures as long as it's alive, so worrying
+ * about an attacker's ability to extrapolate it from the get_random_int()
+ * CRNG is silly.
+ *
+ * Even some cryptographic keys are safe to generate with get_random_int().
+ * In particular, keys for SipHash are generally fine.  Here, knowledge
+ * of the key authorizes you to do something to a kernel object (inject
+ * packets to a network connection, or flood a hash table), and the
+ * key is stored with the object being protected.  Once it goes away,
+ * we no longer care if anyone knows the key.
+ *
+ * prandom_u32()
+ * -------------
+ *
+ * For even weaker applications, see the pseudorandom generator
+ * prandom_u32(), prandom_max(), and prandom_bytes().  If the random
+ * numbers aren't security-critical at all, these are *far* cheaper.
+ * Useful for self-tests, random error simulation, randomized backoffs,
+ * and any other application where you trust that nobody is trying to
+ * maliciously mess with you by guessing the "random" numbers.
+ *
 * Exported interfaces ---- input
 * ==============================
 *
author	George Spelvin <lkml@sdf.org>	2019-04-19 23:48:20 -0400
committer	Theodore Ts'o <tytso@mit.edu>	2019-04-19 23:48:25 -0400
commit	92e507d216139b356a375afbda2824e85235e748 (patch)
tree	1d33b4529e627068fa8a50e0b87984a1dac0951a /drivers/char/random.c
parent	fe6f1a6a8eedc1aa538fee0baa612b6a59639cf8 (diff)

diff --git a/drivers/char/random.c b/drivers/char/random.c index f3ef5db4ca94..587df86c1661 100644 --- a/drivers/char/random.c +++ b/drivers/char/random.c
@@ -101,15 +101,13 @@
101	* Exported interfaces ---- output	101	* Exported interfaces ---- output
102	* ===============================	102	* ===============================
103	*	103	*
104	* There are three exported interfaces; the first is one designed to	104	* There are four exported interfaces; two for use within the kernel,
105	* be used from within the kernel:	105	* and two or use from userspace.
106	*	106	*
107	* void get_random_bytes(void *buf, int nbytes);	107	* Exported interfaces ---- userspace output
108	*	108	* -----------------------------------------
109	* This interface will return the requested number of random bytes,
110	* and place it in the requested buffer.
111	*	109	*
112	* The two other interfaces are two character devices /dev/random and	110	* The userspace interfaces are two character devices /dev/random and
113	* /dev/urandom. /dev/random is suitable for use when very high	111	* /dev/urandom. /dev/random is suitable for use when very high
114	* quality randomness is desired (for example, for key generation or	112	* quality randomness is desired (for example, for key generation or
115	* one-time pads), as it will only return a maximum of the number of	113	* one-time pads), as it will only return a maximum of the number of
@@ -122,6 +120,77 @@
122	* this will result in random numbers that are merely cryptographically	120	* this will result in random numbers that are merely cryptographically
123	* strong. For many applications, however, this is acceptable.	121	* strong. For many applications, however, this is acceptable.
124	*	122	*
		123	* Exported interfaces ---- kernel output
		124	* --------------------------------------
		125	*
		126	* The primary kernel interface is
		127	*
		128	* void get_random_bytes(void *buf, int nbytes);
		129	*
		130	* This interface will return the requested number of random bytes,
		131	* and place it in the requested buffer. This is equivalent to a
		132	* read from /dev/urandom.
		133	*
		134	* For less critical applications, there are the functions:
		135	*
		136	* u32 get_random_u32()
		137	* u64 get_random_u64()
		138	* unsigned int get_random_int()
		139	* unsigned long get_random_long()
		140	*
		141	* These are produced by a cryptographic RNG seeded from get_random_bytes,
		142	* and so do not deplete the entropy pool as much. These are recommended
		143	* for most in-kernel operations *if the result is going to be stored in
		144	* the kernel*.
		145	*
		146	* Specifically, the get_random_int() family do not attempt to do
		147	* "anti-backtracking". If you capture the state of the kernel (e.g.
		148	* by snapshotting the VM), you can figure out previous get_random_int()
		149	* return values. But if the value is stored in the kernel anyway,
		150	* this is not a problem.
		151	*
		152	* It is safe to expose get_random_int() output to attackers (e.g. as
		153	* network cookies); given outputs 1..n, it's not feasible to predict
		154	* outputs 0 or n+1. The only concern is an attacker who breaks into
		155	* the kernel later; the get_random_int() engine is not reseeded as
		156	* often as the get_random_bytes() one.
		157	*
		158	* get_random_bytes() is needed for keys that need to stay secret after
		159	* they are erased from the kernel. For example, any key that will
		160	* be wrapped and stored encrypted. And session encryption keys: we'd
		161	* like to know that after the session is closed and the keys erased,
		162	* the plaintext is unrecoverable to someone who recorded the ciphertext.
		163	*
		164	* But for network ports/cookies, stack canaries, PRNG seeds, address
		165	* space layout randomization, session authentication keys, or other
		166	* applications where the sensitive data is stored in the kernel in
		167	* plaintext for as long as it's sensitive, the get_random_int() family
		168	* is just fine.
		169	*
		170	* Consider ASLR. We want to keep the address space secret from an
		171	* outside attacker while the process is running, but once the address
		172	* space is torn down, it's of no use to an attacker any more. And it's
		173	* stored in kernel data structures as long as it's alive, so worrying
		174	* about an attacker's ability to extrapolate it from the get_random_int()
		175	* CRNG is silly.
		176	*
		177	* Even some cryptographic keys are safe to generate with get_random_int().
		178	* In particular, keys for SipHash are generally fine. Here, knowledge
		179	* of the key authorizes you to do something to a kernel object (inject
		180	* packets to a network connection, or flood a hash table), and the
		181	* key is stored with the object being protected. Once it goes away,
		182	* we no longer care if anyone knows the key.
		183	*
		184	* prandom_u32()
		185	* -------------
		186	*
		187	* For even weaker applications, see the pseudorandom generator
		188	* prandom_u32(), prandom_max(), and prandom_bytes(). If the random
		189	* numbers aren't security-critical at all, these are far cheaper.
		190	* Useful for self-tests, random error simulation, randomized backoffs,
		191	* and any other application where you trust that nobody is trying to
		192	* maliciously mess with you by guessing the "random" numbers.
		193	*
125	* Exported interfaces ---- input	194	* Exported interfaces ---- input
126	* ==============================	195	* ==============================
127	*	196	*