| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 16 May 2008 12:19:49 +0200 From: Andi Kleen <andi@...stfloor.org> To: Alan Cox <alan@...rguk.ukuu.org.uk> CC: Jeff Garzik <jeff@...zik.org>, netdev@...r.kernel.org, linux-kernel@...r.kernel.org, Andrew Morton <akpm@...ux-foundation.org>, "Brandeburg, Jesse" <jesse.brandeburg@...el.com>, Chris Peterson <cpeterso@...terso.com>, tpmdd-devel@...ts.sourceforge.net, tpm@...horst.net, Herbert Xu <herbert@...dor.apana.org.au> Subject: Re: [PATCH] Re: [PATCH] drivers/net: remove network drivers' last few uses of IRQF_SAMPLE_RANDOM Alan Cox wrote: > On Fri, 16 May 2008 02:27:36 +0200 > Andi Kleen <andi@...stfloor.org> wrote: > >> Jeff Garzik <jeff@...zik.org> writes: >>> A hw_random driver for TPM still needs to (a) parse the TPM header for >>> return code, (b) extract RNG bytes out at offset 14, and (c) figure >>> out some way to get a tpm_chip pointer. >> (d) auto feed the information into random.c. Otherwise it'll be useless >> for most people. > > No - you don't want to do FIPS randomness verification in kernel space. Just think a little bit: system has no randomness source except the hardware RNG. you do your strange randomness verification. if it fails what do you do? You don't feed anything into your entropy pool and all your random output is predictable (just boot time) If you add anything predictable from another source it's still predictable, no difference. Also in general what happens in the hypothetical case that your random generator e.g. generates all zeros (which is very unlikely but let's assume it): your entropy doesn't get significantly worse than it was before. Previously it was just seeded with the boot time (or other sources) and now you're adding some zeroes. The output is still as random as the previous state. While that changes the state of the entropy pool it doesn't make it any easier to predict. The only problem you got from possible bogus input is that the entropy counts will be wrong, but in my experience nearly all programs use /dev/urandom anyways because /dev/random is just a DoS waiting to happen and user space programmers know that. Basically with this insisting on FIPS you're violating the strong variant of Steinbach's rule: not only "never test for an error condition you don't know how to handle", but "never test for an error condition you can't handle" Also why do you not trust your random generator but trust your CPU to correctly execute the cryptographic algorithm? Not trusting your own hardware doesn't really make any sense here. > Plus all the other random generator inputs are done via the user space > daemon as they should be. Yes and which makes them about useless because distros don't run that daemon by default so users don't get the feature. Besides it's all not needed anyways because the FIPS verification is pointless. -Andi -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists