Oh my. Apparently, AMD CPUs will sometimes return bad results from RDRAND after a suspend. That's bad, but if everyone has been following the cryptographer's advice and _just used getrandom()_ that's not a problem. ... nope! systemd of course didn't! https://github.com/systemd/systemd/issues/11810#issuecomment-489727505
Now I'm kind of scared to go look what genuine_random_bytes does... OK, WTF, what is pseudo randomness exactly, and why on earth would you want some "genuine" randomness with a splash of "pseudo" on top. https://github.com/systemd/systemd/blob/33dbab6fde5423ce61b5544ca49afa13495477a8/src/basic/random-util.h#L15-L17
Oh... oh. Pseudo-randomness is literally rand(). You know, the predictable one. Not some AES-CTR thing. Literally rand(). WHY WOULD YOU EVER WANT HALF CRYPTO AND HALF PREDICTABLE RANDOMNESS. https://github.com/systemd/systemd/blob/c55a447ab4b567d1d9f308ae11a3293ff1a7d682/src/basic/random-util.c#L229-L249
Oh, that's why. Because the entropy bowl might be empty! The amount of damage the Linux kernel might have made by convincing everyone entropy somehow magically runs out is incalculable.
So inconsiderate for the caller to insist on good data.
Anyway, the reason we were in this sadness pit in the first place was to find out why they'd use straight RDRAND. And there it is. Not to waste the precious mythical entropy-that-runs-out, this legendary silver coloured fluid that leaks from pools. ENTROPY
DOES
NOT
RUN
OUT
But Filippo, I'm sure these are all just misguided perf optimizations and that the defaults use the set of flags equivalent to getrandom()… Nah. random_bytes will use straight RDRAND, fall back on a single getrandom() call, and fill the rest with rand(). (╯°□°)╯︵ ┻━┻
Bonus: apparently not even holding RDRAND right. NOT THAT IT SHOULD MATTER, because nothing general-purpose in userspace should ever touch RDRAND and instead USE getrandom() and fall back to urandom. https://twitter.com/TheRegister/status/1125842536914935813

Filippo Valsorda 🇮🇹 added, quoting The Register (@TheRegister):
FWIW the underlying RDRAND bug was reported years ago and appears to affect older AMD processors, not Zen-based CPUs. After a suspend, RDRAND returns -1 which stuffs up software higher up the stack. https://twitter.com/FiloSottile/status/1125840275346198529
Naturally, the comments saying systemd should just use getrandom()/urandom have been marked off-topic.