| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 04 Feb 2014 13:36:59 +0100 From: Stephan Mueller <smueller@...onox.de> To: Theodore Ts'o <tytso@....edu>, Jörn Engel <joern@...fs.org>, "H. Peter Anvin" <hpa@...or.com>, Linux Kernel Developers List <linux-kernel@...r.kernel.org>, macro@...ux-mips.org, ralf@...ux-mips.org, dave.taht@...il.com, blogic@...nwrt.org, andrewmcgr@...il.com, geert@...ux-m68k.org, tg@...bsd.de, sandyinchina@...il.com Subject: [RFC PATCH 0/5] CPU Jitter RNG Hi, with the previous release of the CPU Jitter RNG ([1]), concerns were raised on the presence of entropy in the CPU execution timing. With this new version of the CPU Jitter RNG, a new noise source based on memory access timings is now added and the concerns raised before are addressed with additional analyses given in [2] section 6.1. This additional noise source is again covered with extensive testing documented in [2] section 6.2. The test results allowed the explanation of the basics of that memory access noise source. To analyze the two noise sources, a bare metal testing program is used as documented in [2] section 6.3. That bare metal testing allows the analysis of the noise source without interference of an OS and interrupts. Furthermore, for the already existent noise source of the CPU execution timing, more analysis of the behavior of the CPU is provided in [2] section 6.1. The analysis, however, showed CPU behavior that cannot easily be explained. The testing shows that there is a possibility to eliminate the CPU execution timing jitter for one particular measurement using a serialization instruction. That elimination of timing jitter, however, was not visible when the individual rounds of the RNG were tested. That means that the elimination of timing jitter in one special case did not show any effects on the behavior of the RNG. The following set of patches integrate the CPU Jitter RNG as a fallback noise source into /dev/random. The reason for using it as a fallback only is the conceptual difference of the CPU Jitter RNG to the other noise sources: all other noise sources are a push mechanism whereas the CPU Jitter RNG works by pulling bits on demand. Due to the speed of the Jitter RNG, it has the capability of monopolizing all other noise sources which is prevented by only invoking it when the lower entropy threshold of the Linux RNG is reached. Ciao Stephan [1] http://thread.gmane.org/gmane.linux.kernel/1577419/focus=1586212 [2] http://www.chronox.de/jent/doc/CPU-Jitter-NPTRNG.html -- | Cui bono? | -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists