>> Also, it looks like (to me) getrandom may suffer VM rollback attacks. >> So claiming a stream is high quality may be questionable if a reboot >> produces the same stream. > On which systems does getrandom() have this problem?
In theory, it could be any system. Even a hardware random-number generator can be virtualized and the underlying VM can produce any "random" numbers it likes. For tempname and coreutils I doubt whether this matters. People aren't (or at least shouldn't :-) be using the output of tempname or shuf to generate cryptographic keys; they're just trying to create names that don't clash, or shuffle their playlists. I installed the attached patch to the Gnulib doc, which attempts to address this along with the GRND_INSECURE business. At some point I suppose we should "#define GRND_INSECURE 0" on platforms that lack GRND_INSECURE.
>From fd79a21d939d829c67670e9a9bf69e0b408197cc Mon Sep 17 00:00:00 2001 From: Paul Eggert <egg...@cs.ucla.edu> Date: Mon, 1 Jun 2020 11:08:36 -0700 Subject: [PATCH] doc: improve randomness discussion Inspired by comments from Jeffrey Walton in: https://lists.gnu.org/r/bug-gnulib/2020-06/msg00002.html * doc/glibc-functions/getentropy.texi (getentropy): * doc/glibc-functions/getrandom.texi (getrandom): Improve discussion of problems with "random" data, and cite Ristenpart & Yilek. Also, mention GRND_INSECURE. --- ChangeLog | 10 ++++++++++ doc/glibc-functions/getentropy.texi | 14 +++++++++----- doc/glibc-functions/getrandom.texi | 25 ++++++++++++++++++------- 3 files changed, 37 insertions(+), 12 deletions(-) diff --git a/ChangeLog b/ChangeLog index f7adf2722..87ab168e7 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,13 @@ +2020-06-01 Paul Eggert <egg...@cs.ucla.edu> + + doc: improve randomness discussion + Inspired by comments from Jeffrey Walton in: + https://lists.gnu.org/r/bug-gnulib/2020-06/msg00002.html + * doc/glibc-functions/getentropy.texi (getentropy): + * doc/glibc-functions/getrandom.texi (getrandom): + Improve discussion of problems with "random" data, + and cite Ristenpart & Yilek. Also, mention GRND_INSECURE. + 2020-06-01 Asher Gordon <asd...@posteo.net> doc: Change '.' to '@.' where appropriate. diff --git a/doc/glibc-functions/getentropy.texi b/doc/glibc-functions/getentropy.texi index 998bcf46d..c9884ad24 100644 --- a/doc/glibc-functions/getentropy.texi +++ b/doc/glibc-functions/getentropy.texi @@ -32,8 +32,12 @@ Portability problems not fixed by Gnulib: @itemize @end itemize -Note: This function does not provides high-quality random numbers, as needed -by some crypto applications. If you want such high-quality random numbers, -use the function @code{getrandom} with the @code{GRND_RANDOM} flag or (better) -use the @samp{crypto/gc-random} module and configure with -@samp{--with-libgcrypt}. +@noindent +Although this function is intended to produce random data, the data's +security properties may not be appropriate for your application. +For example, identical ``random'' data streams might be produced by +rebooted virtual machines. If this is of concern you may need to use +additional techniques such as hedging.@footnote{Ristenpart T, Yilek +S@. @url{http://pages.cs.wisc.edu/~rist/papers/sslhedge.pdf, When good +randomness goes bad: virtual machine vulnerabilities and hedging +deployed cryptography}. NDSS 2010.} diff --git a/doc/glibc-functions/getrandom.texi b/doc/glibc-functions/getrandom.texi index 7488f6faa..f3a20a09d 100644 --- a/doc/glibc-functions/getrandom.texi +++ b/doc/glibc-functions/getrandom.texi @@ -29,12 +29,23 @@ Solaris 11.4. Portability problems not fixed by Gnulib: @itemize -This function cannot produce truly random numbers, even when the -@code{GRND_RANDOM} flag is given, on some platforms: -GNU/Hurd, Mac OS X, GNU/kFreeBSD, FreeBSD 12.0, OpenBSD 6.5, Minix 3.3, AIX 7.1, Haiku, mingw, MSVC 14. +@item +The @code{GRND_INSECURE} flag is missing on some platforms: +glibc 2.31, macOS 10.15, GNU/kFreeBSD, FreeBSD 12.0, OpenBSD 6.5, +Minix 3.3, Haiku. + +@item +The @code{GRND_RANDOM} flag has different effects on different platforms. +Some platforms ignore the flag, or yield data that can fail to be +random in some cases. @end itemize -Note: This function does not provides high-quality random numbers, as needed -by some crypto applications, even when the @code{GRND_RANDOM} flag is given. -If you want such high-quality random numbers, use the @samp{crypto/gc-random} -module and configure with @samp{--with-libgcrypt}. +@noindent +Although this function is intended to produce random data, the data's +security properties may not be appropriate for your application. +For example, identical ``random'' data streams might be produced by +rebooted virtual machines. If this is of concern you may need to use +additional techniques such as hedging.@footnote{Ristenpart T, Yilek +S@. @url{http://pages.cs.wisc.edu/~rist/papers/sslhedge.pdf, When good +randomness goes bad: virtual machine vulnerabilities and hedging +deployed cryptography}. NDSS 2010.} -- 2.17.1
