| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 7 Apr 2014 19:26:11 -0400 From: Theodore Ts'o <tytso@....edu> To: Sebastian Andrzej Siewior <sebastian@...akpoint.cc> Cc: "Luck, Tony" <tony.luck@...el.com>, Andi Kleen <andi@...stfloor.org>, "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>, Andi Kleen <ak@...ux.intel.com>, tglx@...utronix.de, Herbert Xu <herbert@...dor.apana.org.au>, Russell King <rmk+kernel@....linux.org.uk>, Arnd Bergmann <arnd@...db.de>, Felipe Balbi <balbi@...com>, shawn.guo@...aro.org, grant.likely@...aro.org, Richard Kuo <rkuo@...eaurora.org>, Mikael Starvik <starvik@...s.com>, David Howells <dhowells@...hat.com>, Hirokazu Takata <takata@...ux-m32r.org>, Geert Uytterhoeven <geert@...ux-m68k.org> Subject: Re: [PATCH 01/11] random: don't feed stack data into pool when interrupt regs NULL On Mon, Apr 07, 2014 at 09:30:57PM +0200, Sebastian Andrzej Siewior wrote: > > You dropped that part where I suggested to use something like AES+CTR > and create the numbers on demand and dropping that attempt to create as > much random data with custom functions as possible. You completly dislike > that approach? And if so, why? Where are you going to get the "few random bits" from? Which crypto primitive you use and how you gather the entropy are two completely orothognal issue. If we can get at least 128 bits of secure randomness before the embedded platform trying to generate RSA private keys or otherwise depending on the RNG, we're fine. This is true regardless of whether we use the current /dev/random machinery or AES+CTR. The reason why we are grabbing lots of bits from the interrupt handler is that we're hoping that *some* of them will not be guessable by the attacker. If we knew which ones were random, we wouldn't have to do this, yes. But that's like say, "playing the stock market is easy; all you have to do is buy low and sell high!" > Yes. Usually there is generic function doing something sane but not as > good as it could do with arch specific code. Or the code is completly > disabled unless the architecture wires it up. Dropping a new function and > hoping everyone will wire it up in no time is, ehm, brave. Nobody implemented > random_get_entropy(), everyone falls back to get_cycles. From a quick > grep I can see that atleast Hexagon, Cris, Frv, m32r and m68k return 0. I > put some of the maintainers Cc, I am curious if they know about the side > effects. What we have right now is now worse than what we had before. We introduced random_get_entryop() done because MIPS had a register which wouldn't qualify for get_cycles(), but was good enough for what the random driver had, so it allowed MIPS to be able to do a better job. Basically, I had a MIPS developer who was highly motiviated to improve security for home routers (which typically us MIPS), and I worked with him. If there is some ARM developer who is interested in woring with me, that's great. I would love to have that. I've reached out to a few people in Linaro about this over the past couple of months, but nothing has happened yet. - Ted -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists