Closed mmahut closed 4 years ago
I'd guess that the problem lies here https://github.com/shimunn/ctap/blob/ctap_hmac/src/crypto.rs#L26 but I'm not sure what to do about it since it might not be a good idea to substitute the randomness with a static seed or similar.
Can we maybe add an option, to print out output a message asking user to perform any actions to gather entry while we are waiting for CRNG to get initialized? That way the user is aware of the staling and can react, as just waiting for several seconds until moving your mouse is not obvious in most cases.
It actually works pretty good with kernels from 5.4 as per https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=50ee7529ec4500c88f8664560770a7a1b65db72b
One of the issue I'm seeing using fido2luks is that when the system is booting and fido2luks is run during the initrd process, it can take several seconds to initialize because of limited entropy from the pool. Mostly on machines without
CONFIG_RANDOM_TRUST_CPU
.This is even worse on GRUB as it is not using the UEFI random number protocol that ought to seed the kernel PRNG on boot.
Are they any
getrandom()
calls we can remove during the open process? Are there any missingGRND_NONBLOCK
flags?