|
101 | 101 | * Exported interfaces ---- output |
102 | 102 | * =============================== |
103 | 103 | * |
104 | | - * There are three exported interfaces; the first is one designed to |
105 | | - * be used from within the kernel: |
| 104 | + * There are four exported interfaces; two for use within the kernel, |
| 105 | + * and two or use from userspace. |
106 | 106 | * |
107 | | - * void get_random_bytes(void *buf, int nbytes); |
108 | | - * |
109 | | - * This interface will return the requested number of random bytes, |
110 | | - * and place it in the requested buffer. |
| 107 | + * Exported interfaces ---- userspace output |
| 108 | + * ----------------------------------------- |
111 | 109 | * |
112 | | - * The two other interfaces are two character devices /dev/random and |
| 110 | + * The userspace interfaces are two character devices /dev/random and |
113 | 111 | * /dev/urandom. /dev/random is suitable for use when very high |
114 | 112 | * quality randomness is desired (for example, for key generation or |
115 | 113 | * one-time pads), as it will only return a maximum of the number of |
|
122 | 120 | * this will result in random numbers that are merely cryptographically |
123 | 121 | * strong. For many applications, however, this is acceptable. |
124 | 122 | * |
| 123 | + * Exported interfaces ---- kernel output |
| 124 | + * -------------------------------------- |
| 125 | + * |
| 126 | + * The primary kernel interface is |
| 127 | + * |
| 128 | + * void get_random_bytes(void *buf, int nbytes); |
| 129 | + * |
| 130 | + * This interface will return the requested number of random bytes, |
| 131 | + * and place it in the requested buffer. This is equivalent to a |
| 132 | + * read from /dev/urandom. |
| 133 | + * |
| 134 | + * For less critical applications, there are the functions: |
| 135 | + * |
| 136 | + * u32 get_random_u32() |
| 137 | + * u64 get_random_u64() |
| 138 | + * unsigned int get_random_int() |
| 139 | + * unsigned long get_random_long() |
| 140 | + * |
| 141 | + * These are produced by a cryptographic RNG seeded from get_random_bytes, |
| 142 | + * and so do not deplete the entropy pool as much. These are recommended |
| 143 | + * for most in-kernel operations *if the result is going to be stored in |
| 144 | + * the kernel*. |
| 145 | + * |
| 146 | + * Specifically, the get_random_int() family do not attempt to do |
| 147 | + * "anti-backtracking". If you capture the state of the kernel (e.g. |
| 148 | + * by snapshotting the VM), you can figure out previous get_random_int() |
| 149 | + * return values. But if the value is stored in the kernel anyway, |
| 150 | + * this is not a problem. |
| 151 | + * |
| 152 | + * It *is* safe to expose get_random_int() output to attackers (e.g. as |
| 153 | + * network cookies); given outputs 1..n, it's not feasible to predict |
| 154 | + * outputs 0 or n+1. The only concern is an attacker who breaks into |
| 155 | + * the kernel later; the get_random_int() engine is not reseeded as |
| 156 | + * often as the get_random_bytes() one. |
| 157 | + * |
| 158 | + * get_random_bytes() is needed for keys that need to stay secret after |
| 159 | + * they are erased from the kernel. For example, any key that will |
| 160 | + * be wrapped and stored encrypted. And session encryption keys: we'd |
| 161 | + * like to know that after the session is closed and the keys erased, |
| 162 | + * the plaintext is unrecoverable to someone who recorded the ciphertext. |
| 163 | + * |
| 164 | + * But for network ports/cookies, stack canaries, PRNG seeds, address |
| 165 | + * space layout randomization, session *authentication* keys, or other |
| 166 | + * applications where the sensitive data is stored in the kernel in |
| 167 | + * plaintext for as long as it's sensitive, the get_random_int() family |
| 168 | + * is just fine. |
| 169 | + * |
| 170 | + * Consider ASLR. We want to keep the address space secret from an |
| 171 | + * outside attacker while the process is running, but once the address |
| 172 | + * space is torn down, it's of no use to an attacker any more. And it's |
| 173 | + * stored in kernel data structures as long as it's alive, so worrying |
| 174 | + * about an attacker's ability to extrapolate it from the get_random_int() |
| 175 | + * CRNG is silly. |
| 176 | + * |
| 177 | + * Even some cryptographic keys are safe to generate with get_random_int(). |
| 178 | + * In particular, keys for SipHash are generally fine. Here, knowledge |
| 179 | + * of the key authorizes you to do something to a kernel object (inject |
| 180 | + * packets to a network connection, or flood a hash table), and the |
| 181 | + * key is stored with the object being protected. Once it goes away, |
| 182 | + * we no longer care if anyone knows the key. |
| 183 | + * |
| 184 | + * prandom_u32() |
| 185 | + * ------------- |
| 186 | + * |
| 187 | + * For even weaker applications, see the pseudorandom generator |
| 188 | + * prandom_u32(), prandom_max(), and prandom_bytes(). If the random |
| 189 | + * numbers aren't security-critical at all, these are *far* cheaper. |
| 190 | + * Useful for self-tests, random error simulation, randomized backoffs, |
| 191 | + * and any other application where you trust that nobody is trying to |
| 192 | + * maliciously mess with you by guessing the "random" numbers. |
| 193 | + * |
125 | 194 | * Exported interfaces ---- input |
126 | 195 | * ============================== |
127 | 196 | * |
|
0 commit comments