|
Message-ID: <CACXcFmmx0cGXoF7ng+OKcXeP7w-Q39H8Fe2LMeRkyvX3NdAL3g@mail.gmail.com> Date: Fri, 2 Jun 2017 20:20:26 -0400 From: Sandy Harris <sandyinchina@...il.com> To: "Jason A. Donenfeld" <Jason@...c4.com> Cc: "Theodore Ts'o" <tytso@....edu>, Stephan Mueller <smueller@...onox.de>, Linux Crypto Mailing List <linux-crypto@...r.kernel.org>, LKML <linux-kernel@...r.kernel.org>, kernel-hardening@...ts.openwall.com Subject: Re: Re: get_random_bytes returns bad randomness before seeding is complete The only sensible & general solution for the initialisation problem that I have seen is John Denker's. http://www.av8n.com/computer/htm/secure-random.htm#sec-boot-image If I read that right, it would require only minor kernel changes & none to the API Ted & others are worrying about. It would be secure except against an enemy who can read your kernel image or interfere with your install process. Assuming permissions are set sensibly, that means an enemy who already has root & such an enemy has lots of much easier ways to break things, so we need not worry about that case. The difficulty is that it would require significant changes to installation scripts. Still, since it is a general solution to a real problem, it might be better to implement that rather than work on the other suggestions in the thread.
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.