| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 17 Mar 2014 07:53:50 -0400 From: Austin S Hemmelgarn <ahferroin7@...il.com> To: "H. Peter Anvin" <hpa@...or.com>, Kees Cook <keescook@...omium.org>, linux-kernel@...r.kernel.org CC: Matt Mackall <mpm@...enic.com>, Herbert Xu <herbert@...dor.apana.org.au>, Rusty Russell <rusty@...tcorp.com.au>, Satoru Takeuchi <satoru.takeuchi@...il.com>, linux-crypto@...r.kernel.org, Theodore Ts'o <tytso@....edu>, Andrew Morton <akpm@...ux-foundation.org> Subject: Re: [PATCH][RESEND 3] hwrng: add randomness to system from rng sources On 2014-03-16 18:56, H. Peter Anvin wrote: > On 03/03/2014 03:51 PM, Kees Cook wrote: >> When bringing a new RNG source online, it seems like it would make sense >> to use some of its bytes to make the system entropy pool more random, >> as done with all sorts of other devices that contain per-device or >> per-boot differences. >> >> Signed-off-by: Kees Cook <keescook@...omium.org> > > I would like to raise again the concept of at least optionally using a > kernel thread, rather than a user-space daemon, to feed hwrng output to > the kernel pools. The main service rngd provides is FIPS tests, but > those FIPS tests were withdrawn as a standard over 10 years ago and are > known to be extremely weak, at the very best a minimal sanity check. > Furthermore, they are completely useless against the output of any RNG > which contains a cryptographic whitener, which is the vast majority of > commercial sources -- this is especially so since rngd doesn't expect to > have to do any data reduction for output coming from hwrng. > > Furthermore, if more than one hwrng device is available, rngd will only > be able to read one of them because of the way /dev/hwrng is implemented > in the kernel. > > For contrast, the kernel could do data reduction just fine by only > crediting the entropy coming out of each hwrng driver with a fractional > amount. > > That does *not* mean that there aren't random number generators which > require significant computation better done in user space. For example, > an audio noise daemon or a lava lamp camera which requires video processing. > > -hpa I definitely second this proposal, not only does it get rid of the overhead of the FIPS tests (which can be quite significant on embedded systems), it also removes a significant percentage of the context switches that rngd needs to make. This should provide some way of disabling this behavior, probably either making it a module, or providing a command-line/sysfs option to disable it. In fact, it should probably default to being disabled (at least at first) and require the user to explicitly opt-in to using it (I know people who run simulations who use the output from /dev/hwrng directly for the simulation software exclusively, and /dev/[u]random for everything else). -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists