| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sun, 11 May 2014 20:22:28 -0700 From: "H. Peter Anvin" <hpa@...ux.intel.com> To: Stephan Mueller <smueller@...onox.de> CC: Theodore Ts'o <tytso@....edu>, LKML <linux-kernel@...r.kernel.org>, linux-crypto@...r.kernel.org Subject: Re: arch_random_refill On 05/11/2014 04:01 PM, Stephan Mueller wrote: > Hi Peter, > > some time back when the RDRAND instruction was debated, a patch was offered > for driver/char/random.c that in essence turned /dev/random into a frontend > for RDRAND in case that instruction was available. The patch kind of > monopolized the noise sources such that if a user space "random number hog" > pulled data from /dev/random endlessly, the (almost) only noise source was > RDRAND. As that patch treated RDRAND to provide entropy, the blocking behavior > went away for /dev/random. > This is false in a number of ways. First of all... we NEVER pulled either /dev/random or /dev/urandom directly from RDRAND. We used RDRAND directly for kernel internal randomness uses. Users did object to this. > That patch did not sit well with some developers and it got finally changed > such that the output of RDRAND is now just XORed with the output of the > "classic" /dev/random behavior -- /dev/random is still blocking. Mixing in RDRAND into /dev/random and /dev/urandom is actually > With the current development cycle for 3.15, the function arch_random_refill > is added as presented in [1]. It now uses RDSEED instead of RDRAND. Yet, the > way this function is called in random_read seems (as I have no system with an > RDSEED, I cannot test) to show the very same behavior as the aforementioned > RDRAND patch: the blocking behavior of /dev/random will be gone and RDSEED > will monopolize the noise sources in case of a user space hog. There is a huge difference between this and what people objected to earlier: we filter everything through the kernel random number pool system, which would require a herculean mathematical effort to reverse even if the output of RDSEED was 100% predictable. > Note, I do not see an issue with the patch that adds RDSEED as part of > add_interrupt_randomness outlined in [2]. The reason is that this patch does > not monopolizes the noise sources. > > I do not want to imply that Intel (or any other chip manufacturer that will > hook into arch_random_refill) intentionally provides bad entropy (and this > email shall not start a discussion about entropy again), but I would like to > be able to only use noise sources that I can fully audit. As it is with > hardware, I am not able to see what it is doing. I have to point out the irony in this given your previous proposals, however... > Thus, may I ask that arch_random_refill is revised such that it will not > monopolize the noise sources? If somebody wants that, he can easily use rngd. Feel free to build the kernel without CONFIG_ARCH_RANDOM, or use the "nordrand" option to the kernel. These options are there for a reason. Now when you mention it, though, the nordrand option should turn off RDSEED as well as RDRAND. It currently doesn't; that is a bug, plain and simple. -hpa -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists