Fix seeding from random device w/o getrandom syscall

[bernd-edlinger]

Use select to wait for /dev/random in readable state,
but do not actually read anything from /dev/random,
use /dev/urandom first.

Use linux define __NR_getrandom instead of the
glibc define SYS_getrandom, in case the kernel headers
are more current than the glibc headers.

Fixes #8215

Checklist

• documentation is added or updated
• tests are added or updated

[bernd-edlinger]

This needs a kernel patch to be fully functional:
https://marc.info/?l=linux-kernel&m=155023911204953&w=2

But without the kernel patch it is also an improvement, because
the select will wait until at least 64 bits of entropy are available
instead of the usual 128 bits of entropy.
Also by not reading out data from the /dev/random it prevents
other application which use syscall getrandom from starving.

[bernd-edlinger]

Actually with the kernel patch the syscall getrandom will be faster, because the
blocking pool will be completely empty and need to wait for at least the number
of entropy bits, in /proc/sys/kernel/random/read_wakeup_threshold, 64 by default.

[kroeckx]

Any update on this?

[bernd-edlinger]

I have meanwhile posted a V5 of the linux patch here:
https://marc.info/?l=linux-kernel&m=155059615110666&w=2

I got a first reply from Theodore Y. Ts'o, but I am still waiting for his final decision.
It is possible that the patch needs to be split up in smaller pieces addressing
single issues, or some more changes will be required.

The main issues this patch addresses, are:

• the first few bytes from /dev/random after system boot can have
  less entropy in the input_pool than expected. Depends on the configuration.
  The default configuration implies 64 bits entropy.
  This is since linux 2.6.12 earlier versions are not in the git archive.
• /dev/random is readable before the /dev/urandom is fully seeded.
  This started with linux v4.8 and prevails till today.
  Before linux v4.8 it was true, that reading one byte from /dev/random
  did in fact ensure that /dev/urandom is properly seeded, but the
  first few bytes from /dev/random had less entropy than expected.

This fixes also some issues, I did not notice initially:

• Actively reading from /dev/random can prevent the CRNG from
  ever be fully seeded.
  This started with linux v4.8 and prevails till today.
• On system with little entropy input there it can happen that select on /dev/random
  indicates readability and then the CRNG is reseeded and takes so much entropy
  out of the input pool that the select changes state, without any read from /dev/random
  This started with linux v4.8 and prevails till today.
  Before v4.8 the reseeding did reserver the last 2*random_read_wakeup_bits,
  and I want to restore that behavior.
• If a system runs long enough that the jiffies overrun the CRNG re-seeding
  does not happen every 5 minutes, but immediately, since the condition for a
  reseed time_after(crng_global_init_time, crng->init_time) will start to trigger,
  after 248 days system uptime, there are systems that run such long time.
  This would make /dev/random block unexpectedly.
  This started with linux v4.8 and prevails till today.

[kroeckx]

That's all related to the kernel, and it's good to know. Does it have any effect on this PR? Can it be merged?

[bernd-edlinger]

Well yes, I think so. @levitte do you agree?

It is theoretically possible to see select blocking but only when you use a mis-configured
cross compiler, like I did, or install a new kernel without updating the kernel headers.
But over time, the kernel will be fixed.

OK, @levittes review comments are addressed, unless someone objects I'll merge this in the evening.

[bernd-edlinger]

Merged to master as 38023b8, and 1.1.1 as c352bd0. Thanks!

[slontis]

Let me know if you want more info - or want me to try something out on this platform.

[slontis]

@paulidale @jon-oracle

[t8m]

OK, something more to patch-out downstream. :(

[kroeckx]

Should we change the select on /dev/random a Linux only thing?

[bernd-edlinger]

That would make sense.