Lazyweb, what is the current state of entropy properties for Linux AT_RANDOM? Is it junk at early boot?
Conversation
Replying to
Same as /dev/urandom. AT_RANDOM cannot prevent an executable from being loaded in early boot ...
1
1
Replying to
So would you agree it should be classified as "suitable entropy for hardening mitigations - canary, address randomization, pointer obfuscation, etc. - but not for cryptographic entropy source?
2
1
Replying to
I'm not a cryptographer, but here's one advice, it *must not* be used except for some hardening, first, because it's only 128bits, second, because it can be read at any time by the process, it's not a secret (I'm slowly working on a patch that implements backtracking in glibc)
2
2
128 bits is the definition of sufficient for seeding a CSPRNG. It's the amount of entropy the kernel expects to consider the kernel CSPRNG initialized. Issue with it isn't the size but rather (potential) reuse and lack of blocking for /dev/urandom and other uses like AT_RANDOM.