lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <5230D649.3090608@zytor.com>
Date:	Wed, 11 Sep 2013 13:44:57 -0700
From:	"H. Peter Anvin" <hpa@...or.com>
To:	"Theodore Ts'o" <tytso@....edu>,
	Andy Lutomirski <luto@...capital.net>,
	Jeff Garzik <jgarzik@...ox.com>,
	David Safford <safford@...ibm.com>,
	Leonidas Da Silva Barbosa <leosilva@...ux.vnet.ibm.com>,
	Ashley Lai <ashley@...leylai.com>,
	Rajiv Andrade <mail@...jiv.net>,
	Marcel Selhorst <tpmdd@...horst.net>,
	Sirrix AG <tpmdd@...rix.com>,
	Linux Kernel Mailing List <linux-kernel@...r.kernel.org>,
	Kent Yoder <key@...ux.vnet.ibm.com>,
	David Safford <safford@...son.ibm.com>,
	Mimi Zohar <zohar@...ibm.com>,
	"Johnston, DJ" <dj.johnston@...el.com>
Subject: Re: TPMs and random numbers

On 09/11/2013 01:28 PM, Theodore Ts'o wrote:
> On Wed, Sep 11, 2013 at 12:25:48PM -0700, H. Peter Anvin wrote:
>> This of course has been a long-running debate.  Similarly, we could
>> make much better use of RDRAND if instead of doing data reduction in
>> rngd we could feed it to the pool and just credit fractional bits.
>> The FIPS tests that rngd runs are weak and obsoleted, but perhaps
>> better than nothing (now when we don't shut down rngd due to false
>> positives.)
> 
> /dev/urandom is using RDRAND already, and that's what most of the
> applications which are generating ssh host keys, session keys, etc.,
> are using.
> 
> /dev/random is using RDRAND as well, but we're not giving any entropy
> credit, so it will take longer to get the necessary randomness to
> generate a GPG key.
> 

We're using RDRAND in two ways: in the kernel, we're "washing" the pool
output with it (with the notion that we'll always get the best of both
worlds) -- we don't give any entropy credit for that.

We are also using RDRAND with the architecturally required 512:1 data
reduction in rngd, to produce "creditable entropy".  This is in part
because rngd doesn't really have a way to deal with fractional entropy,
in the light of FIPS tests and all (which don't make sense anyway for
postconditioned output, from RDRAND, TPM or any other similar source.)

One could thus posit that it would make more sense for that type of
source to feed the kernel entropy pools directly from a kernel thread
rather than taking a trip to user space.  In the case of RDRAND
specifically, a kernel thread or similar could feed RDRAND to the pools
and credit 1/512 of the data volume as entropy.  Since the factor of 512
is an architectural lower bound (and *very* conservative) it would be
better to let the pool system do the data reduction than doing it in
userspace.

Now, I'm pretty sure that some cryptographers are very unhappy about the
fact that we use a linear operation to do the pool insertion mixing.  I
personally am not qualified to say to what extent that is an actual problem.

	-hpa

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ