[Toybox] You've seen the /dev/random shenanigans, right?

Rob Landley rob at landley.net
Wed Sep 20 04:19:34 PDT 2023


On 9/19/23 14:44, enh wrote:
>> And I just noticed because somebody mentioned Android involvement. (I still try
>> to check that mailing list twice/month for anything of obvious interest.)
>>
>> http://lists.busybox.net/pipermail/busybox/2023-September/090471.html
> 
> (i think they were just talking about the busybox-for-android configuration?)

I dunno what's AOSP and what's vendor mods off the top of my head. :)

>> Might not matter on systems with a hardware random number generator with a
>> kernel driver hooked up to it, but it breaks the embedded world. (Then again the
>> embedded linux projects I've seen recently have been reverting _back_ to the 2.6
>> kernel...)
> 
> yeah, our high- and mid-end devices usually have a hw rng, but the
> lowest of the low-end devices don't even necessarily have an rtc that
> survives reboots. (i've definitely helped weaken CTS tests a few times
> to allow this kind of thing.)

That last board I banged on in that category was pre-pandemic, but the solution
at the time involved:

A) ifconfig -a > /dev/random in the boot scripts to get the mac addresses in
there so it was at least per-board unique. (No, the kernel driver didn't do this.)

B) dd-ing 32 bytes of random data into flash and back between boots,

C) Never use /dev/random, use /dev/urandom to avoid blocking because "I'll use
your data but it doesn't COUNT" did not, in fact, help.

The result produced different keys each board and each boot, which was the
proximate goal. (We were just trying to 80/20 the paranoia: state actors would
just rip them out and strap extra hardware on or do something clever with a yagi
antenna.)

> A more insidious problem, perhaps, is that a seed written to the RNG
> before it initializes will not actually be used until after the pool
> is initialized properly; "you might write in a perfectly good seed to
> /dev/urandom, but what you read out for the subsequent seed may be
> complete deterministic crap", Donenfeld said. The data that gets

That's the annoying bit. Even with the above boot dance, your initial session
keys are then crap during the wake-up call.

I don't claim to be an expert here, I'm just going "oh goddess, they're kicking
THIS anthill again..."

Rob


More information about the Toybox mailing list