Bug#1013192: linux-image-5.10.0-15-amd64: ridiculously small entropy pool
Control: severity -1 normal
Control: merge -1 1012835

On Saturday, 18 June 2022 21:52:41 CEST Thorsten Glaser wrote:
> Version: 5.10.120-1
> Severity: serious
> Tags: security

There has been a HUGE changeset applied between 5.10.118 and 5.10.119 and
while not entirely certain, I'm quite confident that this change was
intentional.
That, and the fact that the bug I'm merging it with has severity normal, is
the reason I'm downgrading the severity to normal.
I'll leave it up to the maintainer to adjust it if needed.

https://lore.kernel.org/all/20220317232804.931702-1-ja...@zx2c4.com/ is
probably the closest match of the 'cause' of these changes, but there's a
good chance that several patch sets were involved.

Here are some more 'random' threads I have found:
https://lore.kernel.org/all/20211221175047.341782-1-ja...@zx2c4.com/
https://lore.kernel.org/all/20220201161342.154666-1-ja...@zx2c4.com/

And as already mentioned in the bug I'm merging it with, you're not the only
one who noticed:
https://forum.openwrt.org/t/low-entropy-22-03-snapshot-change-in-kernel-entropy-pool-logic/129573
Bug#1013192: linux-image-5.10.0-15-amd64: ridiculously small entropy pool
Bastian Blank dixit:

>The pool size for an RPNG is only the size of the state, nothing else.

Yes, and that is the problem. It was small before, it’s ridiculous now.

>might not have had any value before anyway. You just need to reseed on
>a regular interval.

Ugh. I recall reading something about this on LWN, but I thought I had
time until bookworm to invent something to deal with this…

bye,
//mirabilos
-- 
(gnutls can also be used, but if you are compiling lynx for your own use,
there is no reason to consider using that package)
	-- Thomas E. Dickey on the Lynx mailing list, about OpenSSL
Bug#1013192: linux-image-5.10.0-15-amd64: ridiculously small entropy pool
On Saturday, 18 June 2022 22:47:01 CEST Diederik de Haas wrote:
> Here are some more 'random' threads I have found:

And this seems like an entire document explaining it:
https://www.zx2c4.com/projects/linux-rng-5.17-5.18/
Bug#1013192: linux-image-5.10.0-15-amd64: ridiculously small entropy pool
Control: severity -1 normal
Control: tags -1 wontfix

On Sat, Jun 18, 2022 at 09:52:41PM +0200, Thorsten Glaser wrote:
> /proc/sys/kernel/random/poolsize is now 256 instead of 4096 bits,
> which was already small before.

The pool size for an RPNG is only the size of the state, nothing else.
It does not in any way describe how much you could get out.

> Why was such a change allowed into stable?

Because upstream considered it important enough for their stable
release, aka it fixes something important.

> This also breaks rngd’s --fill-watermark option when not set to
> percent values. Another reason this should not be changed within
> a stable series.

The kernel no longer provides a number that could be used here. It
might not have had any value before anyway. You just need to reseed on
a regular interval.

Bastian

-- 
Ahead warp factor one, Mr. Sulu.
Bug#1013192: linux-image-5.10.0-15-amd64: ridiculously small entropy pool
Package: src:linux
Version: 5.10.120-1
Severity: serious
Tags: security
X-Debbugs-Cc: Debian Security Team

/proc/sys/kernel/random/poolsize is now 256 instead of 4096 bits,
which was already small before.

Why was such a change allowed into stable?

This also breaks rngd’s --fill-watermark option when not set to
percent values. Another reason this should not be changed within
a stable series.

-- Package-specific info:
** Version:
Linux version 5.10.0-15-amd64 (debian-ker...@lists.debian.org) (gcc-10 (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2) #1 SMP Debian 5.10.120-1 (2022-06-09)

** Command line:
root=UUID=078df9a0-34f7-4171-b531-0cb628963204 ro clocksource=acpi_pm verbose

** Not tainted

** Kernel log:
Unable to read kernel log; any relevant messages should be attached

** Model information

** Loaded modules:
binfmt_misc nfsd auth_rpcgss nfs_acl nfs lockd grace nfs_ssc fscache sunrpc
joydev evdev serio_raw virtio_rng rng_core pcspkr virtio_balloon cirrus
drm_kms_helper cec drm button ext4 crc16 mbcache jbd2 crc32c_generic
hid_generic usbhid hid virtio_blk virtio_net net_failover failover
ata_generic crc32c_intel psmouse virtio_pci virtio_ring virtio i2c_piix4
ata_piix uhci_hcd libata floppy ehci_hcd scsi_mod usbcore usb_common

** PCI devices:
00:00.0 Host bridge [0600]: Intel Corporation 440FX - 82441FX PMC [Natoma] [8086:1237] (rev 02)
	Subsystem: Red Hat, Inc. Qemu virtual machine [1af4:1100]
	Control: I/O+ Mem+ BusMaster- SpecCycle- MemWINV- VGASnoop- ParErr- Stepping- SERR+ FastB2B- DisINTx-
	Status: Cap- 66MHz- UDF- FastB2B- ParErr- DEVSEL=fast >TAbort- SERR-

ii  firmware-linux-free  20200122-1

Versions of packages linux-image-5.10.0-15-amd64 suggests:
pn  debian-kernel-handbook
pn  grub-pc | grub-efi-amd64 | extlinux
pn  linux-doc-5.10

Versions of packages linux-image-5.10.0-15-amd64 is related to:
pn  firmware-amd-graphics
pn  firmware-atheros
pn  firmware-bnx2
pn  firmware-bnx2x
pn  firmware-brcm80211
pn  firmware-cavium
pn  firmware-intel-sound
pn  firmware-intelwimax
pn  firmware-ipw2x00
pn  firmware-ivtv
pn  firmware-iwlwifi
pn  firmware-libertas
pn  firmware-linux-nonfree
pn  firmware-misc-nonfree
pn  firmware-myricom
pn  firmware-netxen
pn  firmware-qlogic
pn  firmware-realtek
pn  firmware-samsung
pn  firmware-siano
pn  firmware-ti-connectivity
pn  xen-hypervisor

-- no debconf information
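
The --fill-watermark breakage named in the report above can be checked on a host with a script like the following. This is an added example, not part of the bug thread and not rngd's own code; the function names are hypothetical, and it assumes a bare number is an absolute bit count while a value ending in `%` is relative to poolsize.

```shell
#!/bin/sh
# Added example: compare an rngd --fill-watermark value with the pool size
# the kernel reports. Function names are hypothetical, not rngd's.

# effective_watermark SPEC POOLSIZE
# Prints the watermark in bits. "50%" is taken relative to POOLSIZE,
# a bare number is taken as an absolute bit count. Returns 2 if invalid.
effective_watermark() {
    wm_spec=$1 wm_pool=$2
    case $wm_spec in
        *%)
            wm_pct=${wm_spec%\%}
            # Digits only, no leading zero (octal), at most three digits.
            case $wm_pct in ''|*[!0-9]*|0?*|????*) return 2 ;; esac
            [ "$wm_pct" -le 100 ] || return 2
            echo $(( wm_pool * wm_pct / 100 ))
            ;;
        ''|*[!0-9]*|0?*|??????????*) return 2 ;;
        *) echo "$wm_spec" ;;
    esac
}

# watermark_status SPEC POOLSIZE
# Prints "ok BITS", "unreachable BITS" or "invalid".
# Assumption: entropy_avail never exceeds poolsize, so an absolute
# watermark above poolsize can never be satisfied.
watermark_status() {
    wm_bits=$(effective_watermark "$1" "$2") || { echo invalid; return 0; }
    if [ "$wm_bits" -gt "$2" ]; then
        echo "unreachable $wm_bits"
    else
        echo "ok $wm_bits"
    fi
}

# Stand-alone use: check a watermark (2048 is only an example default)
# against the running kernel's pool size, if /proc is available.
pool_file=/proc/sys/kernel/random/poolsize
if [ -r "$pool_file" ]; then
    cur_pool=$(cat "$pool_file")
    echo "poolsize=$cur_pool watermark=${1:-2048}:" \
         "$(watermark_status "${1:-2048}" "$cur_pool")"
fi
```

With the two pool sizes from the report, an absolute watermark of 2048 is reachable at 4096 bits but not at 256, while a percentage stays valid at both.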