[opensuse-factory] FYI: broken RDRAND and luks2 makes system unbootable
Reported here: https://bugzilla.opensuse.org/show_bug.cgi?id=1173022 Cryptsetup uses json-c to read data from luks2. Json-c on initialization reads some randomness, using RDRAND if present. It's not checking if RDRAND is working correctly, nor if "nordrand" kernel parameter is used. As a result it's just looping forever, making system unbootable.
Should be fixed by https://build.opensuse.org/request/show/815403 Adam Mizerski <adam@mizerski.pl> writes:
Reported here: https://bugzilla.opensuse.org/show_bug.cgi?id=1173022
Cryptsetup uses json-c to read data from luks2. Json-c on initialization reads some randomness, using RDRAND if present. It's not checking if RDRAND is working correctly, nor if "nordrand" kernel parameter is used. As a result it's just looping forever, making system unbootable.
-- Dan Čermák <dcermak@suse.com> Software Engineer Development tools SUSE Software Solutions Germany GmbH Maxfeldstr. 5 90409 Nuremberg Germany (HRB 36809, AG Nürnberg) Managing Director: Felix Imendörffer
On Wed, Jun 17, 2020 at 4:14 AM Dan Čermák <dcermak@suse.com> wrote:
Should be fixed by https://build.opensuse.org/request/show/815403
Why we continue papering over kernel issues.. ? if rdrand is broken without certain microcode or cpu revision the kernel should just clear the cpu capability and be done with it. -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
On Wednesday 2020-06-17 14:21, Cristian Rodríguez wrote:
On Wed, Jun 17, 2020 at 4:14 AM Dan Čermák <dcermak@suse.com> wrote:
Should be fixed by https://build.opensuse.org/request/show/815403
Why we continue papering over kernel issues.. ? if rdrand is broken without certain microcode or cpu revision the kernel should just clear the cpu capability and be done with it.
And userspace should use getrandom(), but here we are :-D -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
On Wed, Jun 17, 2020 at 9:25 AM Jan Engelhardt <jengelh@inai.de> wrote:
And userspace should use getrandom(), but here we are :-D
Yes, I'm writing a patch against this thing to clear it one it for all since Im pretty sure this code will come back to hunt people later. In this case it shouldn't do either, the cryptographically secure seed is fed to jenkins hash, which has never been a cryptographically secure in the first place -.- -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
On Wed, Jun 17, 2020 at 9:39 AM Cristian Rodríguez <crrodriguez@opensuse.org> wrote:
On Wed, Jun 17, 2020 at 9:25 AM Jan Engelhardt <jengelh@inai.de> wrote:
And userspace should use getrandom(), but here we are :-D
Yes, I'm writing a patch against this thing to clear it one it for all since Im pretty sure this code will come back to hunt people later. In this case it shouldn't do either, the cryptographically secure seed is fed to jenkins hash, which has never been a cryptographically secure in the first place
I issued request id 815601 to never have to deal with this particular nasty again. :-) -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
participants (4)
-
Adam Mizerski -
Cristian Rodríguez -
Dan Čermák -
Jan Engelhardt