tech-userlevel archive


Re: getrandom and getentropy



Taylor R Campbell wrote:
> In NetBSD-current, there's a distinction between:
> - incorporating what samples we have, and
> - confidently achieving full entropy.
> This distinction is made between sources that maybe might have
> entropy, like interrupt timings, but we can't honestly put a lower
> bound on the amount, and hardware random number generators, which are
> engineered with specific physical designs to have a certain advertised
> minimum amount of entropy.
> 
> Right now, reading from /dev/urandom on NetBSD generally gives at
> least as good a result as you get on any of the other systems -- the
> pool will have been seeded with whatever we can get, including cycle
> counts sampled at various times during kernel startup and a seed on
> disk or HWRNG samples if available; it's never reading from an
> _uninitialized_ pool.
>
> However, reading from /dev/random might wait _longer_ on NetBSD, for
> what it can more confidently call full entropy based either on
> automatic counting from HWRNG drivers, or on intervention by the
> operator.
> 
> Given that, I think it is reasonable to implement getentropy(...)  as
> an alias for getrandom(..., GRND_INSECURE) == read from /dev/urandom
> == sysctl kern.arandom (as nia@ just committed the other day), which
> is consistent with the somewhat nuanced interpretation of the
> semantics above, and to provide getrandom(...,0) as I originally
> suggested alongside it.

The getentropy() man pages on OpenBSD, FreeBSD, and Linux all say it
returns "high-quality" entropy, and do not caution against using it
for security critical purposes such as key generation, so presumably
applications do in fact use it for such purposes.  Given that,
implementing it as getrandom(..., GRND_INSECURE) seems like a bad
idea.

Also, two of the man pages explicitly mention blocking, so any
portable software using getentropy() should already deal with it.
So why not do the safe thing and implement it as getrandom(..., 0)
== read from /dev/random?
-- 
Andreas Gustafsson, gson%gson.org@localhost
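As an added illustration of the point made above (this is example code written for this page, not code from the thread, from NetBSD's libc, or from any of the systems named), here is a small C helper showing what "portable software using getentropy() should already deal with": the 256-byte per-call cap that OpenBSD, macOS and glibc enforce, EINTR from a blocking implementation, and, on Linux only, the contrast between getrandom(..., 0), which waits until the pool has been initialized, and GRND_INSECURE, which does not. It assumes getentropy() is declared by <sys/random.h> on Linux and by <unistd.h> elsewhere; the function names and the 32-byte key size are the example's own choices.

```c
/* Added example, not from the thread or from NetBSD's libc.  Assumes
 * getentropy() in <sys/random.h> (Linux/glibc) or <unistd.h> (elsewhere). */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>
#if defined(__linux__)
#include <sys/random.h>
#ifndef GRND_INSECURE
#define GRND_INSECURE 0x0004   /* Linux >= 5.6 flag value; older glibc lacks it */
#endif
#endif

#define KEY_LEN 32
#define GETENTROPY_MAX 256     /* largest request getentropy() accepts portably */

/* Fill buf[0..n) via getentropy(), splitting into <= 256-byte requests and
 * retrying if a blocking implementation is interrupted by a signal.
 * Returns 0 on success, -1 with errno set otherwise. */
int fill_with_getentropy(void *buf, size_t n)
{
    unsigned char *p = buf;
    while (n > 0) {
        size_t chunk = n > GETENTROPY_MAX ? GETENTROPY_MAX : n;
        if (getentropy(p, chunk) == -1) {
            if (errno == EINTR)
                continue;
            return -1;
        }
        p += chunk;
        n -= chunk;
    }
    return 0;
}

#if defined(__linux__)
/* Fill buf[0..n) via getrandom().  flags == 0 is the "safe thing": it blocks
 * until the pool is initialized and never blocks again afterwards.
 * GRND_INSECURE hands back whatever the pool holds, even before
 * initialization: acceptable for hash seeds, not for key material.
 * Handles short reads and EINTR.  Returns 0, or -1 with errno set
 * (e.g. EINVAL for GRND_INSECURE on kernels before 5.6). */
int fill_with_getrandom(void *buf, size_t n, unsigned int flags)
{
    unsigned char *p = buf;
    while (n > 0) {
        ssize_t r = getrandom(p, n, flags);
        if (r < 0) {
            if (errno == EINTR)
                continue;
            return -1;
        }
        p += r;
        n -= (size_t)r;
    }
    return 0;
}
#endif

/* Generate key material.  Uses getrandom(..., 0) on Linux, where we know it
 * waits for full initialization, and getentropy() elsewhere.  On failure the
 * buffer is wiped so a caller cannot use partially filled material. */
int generate_key(uint8_t key[KEY_LEN])
{
    int rc;
#if defined(__linux__)
    rc = fill_with_getrandom(key, KEY_LEN, 0);
#else
    rc = fill_with_getentropy(key, KEY_LEN);
#endif
    if (rc != 0)
        memset(key, 0, KEY_LEN);
    return rc;
}

/* Self-check helper: output from an initialized pool is never all zero. */
int is_nonzero(const uint8_t *buf, size_t n)
{
    unsigned acc = 0;
    for (size_t i = 0; i < n; i++)
        acc |= buf[i];
    return acc != 0;
}

/* Two fresh keys must both succeed, be nonzero, and differ. */
int demo_two_keys_differ(void)
{
    uint8_t k1[KEY_LEN], k2[KEY_LEN];
    if (generate_key(k1) != 0 || generate_key(k2) != 0)
        return 0;
    return is_nonzero(k1, KEY_LEN) && memcmp(k1, k2, KEY_LEN) != 0;
}

/* A request above 256 bytes exercises the chunking loop. */
int demo_large_getentropy(void)
{
    uint8_t big[1000];
    if (fill_with_getentropy(big, sizeof big) != 0)
        return 0;
    return is_nonzero(big, sizeof big);
}

int main(void)
{
    printf("keys ok: %d, large getentropy ok: %d\n",
           demo_two_keys_differ(), demo_large_getentropy());
    return 0;
}
```

The design point is the one the message makes: code that generates keys calls the interface that waits for initialization and is written to tolerate that wait (EINTR retry, short reads), rather than the interface that merely promises not to block.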

