lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <Pine.LNX.4.63.0610110538550.4781@tla.xelerance.com>
Date:	Wed, 11 Oct 2006 05:46:35 +0200 (CEST)
From:	Paul Wouters <paul@...erance.com>
To:	Gabor Gombas <gombasg@...aki.hu>
cc:	fedora-xen@...hat.com, linux-kernel@...r.kernel.org
Subject: Re: more random device badness in 2.6.18 :(

On Wed, 11 Oct 2006, Gabor Gombas wrote:

> > Why is this happening in userland?
>
> Because whether the provided data is "random enough" is a policy
> decision, and policy does not belong in the kernel.

So is POSIX compliance. I don't see that being ripped out :)

Is there anyone that disagrees that the quality of random should
be at minimum FIPS compliant? If everyone agrees, it seems to me
that it is more useful to have a stock kernel have proper hardware
random without additional software stirring kernel and hardware
internals.

> > How about xen guests who don't have
> > direct access to the host's hardware (or software) random?
>
> If they don't have access to the host's hardware, then they do not have a
> /dev/hw_random device. What's your question? And how that's different
> from machines not having a hw rng at all?

The xen issue is a seperate, but related, issue. My xen images have far less
entropy gathering then the host system they run on. This is causing /dev/random
to be extremely slow (empty). On hosts with hw_random, it seems I cannot get this
extra entropy from the host to the guest. Though I will try to see if running
rngd on the host helps the xenu's as well. Perhaps that will solve this problem.

> No. It only has to depend on /dev/(u)random. How the entropy is obtained
> (from /dev/hw_random, from the soundcard's white noise or from
> elsewhere) is none of Openswan's business.  Tha'ts up to the system
> administrator or distribution maker to decide and set up.

Yes, again, that has always been my opinion too. We just ran into practical
issues where we couldn't. I am now doing some tests on xen and regular kernels
using VIA and Intel rngs to see if those issues are resolved, so openswan can
indeed go back to only using /dev/random. I will also test to see if running
rngd on the dom0 will benefit the xenu's, and mail a summary to the lists.

Paul
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ