Message-ID: <20140407232611.GA17857@thunk.org>
Date: Mon, 7 Apr 2014 19:26:11 -0400
From: Theodore Ts'o <tytso@....edu>
To: Sebastian Andrzej Siewior <sebastian@...akpoint.cc>
Cc: "Luck, Tony" <tony.luck@...el.com>,
Andi Kleen <andi@...stfloor.org>,
"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
Andi Kleen <ak@...ux.intel.com>, tglx@...utronix.de,
Herbert Xu <herbert@...dor.apana.org.au>,
Russell King <rmk+kernel@....linux.org.uk>,
Arnd Bergmann <arnd@...db.de>, Felipe Balbi <balbi@...com>,
shawn.guo@...aro.org, grant.likely@...aro.org,
Richard Kuo <rkuo@...eaurora.org>,
Mikael Starvik <starvik@...s.com>,
David Howells <dhowells@...hat.com>,
Hirokazu Takata <takata@...ux-m32r.org>,
Geert Uytterhoeven <geert@...ux-m68k.org>
Subject: Re: [PATCH 01/11] random: don't feed stack data into pool when interrupt regs NULL
On Mon, Apr 07, 2014 at 09:30:57PM +0200, Sebastian Andrzej Siewior wrote:
>
> You dropped that part where I suggested to use something like AES+CTR
> and create the numbers on demand and dropping that attempt to create as
> much random data with custom functions as possible. You completely dislike
> that approach? And if so, why?

Where are you going to get the "few random bits" from? Which crypto
primitive you use and how you gather the entropy are two completely
orthogonal issues. If we can get at least 128 bits of secure
randomness before the embedded platform tries to generate RSA private
keys or otherwise depends on the RNG, we're fine. This is true
regardless of whether we use the current /dev/random machinery or
AES+CTR.

The reason why we are grabbing lots of bits from the interrupt handler
is that we're hoping that *some* of them will not be guessable by the
attacker. If we knew which ones were random, we wouldn't have to do
this, yes. But that's like saying, "playing the stock market is easy;
all you have to do is buy low and sell high!"

> Yes. Usually there is a generic function doing something sane but not as
> good as it could do with arch specific code. Or the code is completely
> disabled unless the architecture wires it up. Dropping a new function and
> hoping everyone will wire it up in no time is, ehm, brave. Nobody implemented
> random_get_entropy(), everyone falls back to get_cycles. From a quick
> grep I can see that at least Hexagon, Cris, Frv, m32r and m68k return 0. I
> put some of the maintainers on Cc, I am curious if they know about the side
> effects.

What we have right now is now worse than what we had before. We
introduced random_get_entropy() because MIPS had a register which
wouldn't qualify for get_cycles(), but was good enough for what the
random driver had, so it allowed MIPS to be able to do a better job.
Basically, I had a MIPS developer who was highly motivated to improve
security for home routers (which typically use MIPS), and I worked with
him.

If there is some ARM developer who is interested in working with me,
that's great. I would love to have that. I've reached out to a few
people in Linaro about this over the past couple of months, but
nothing has happened yet.

- Ted
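The side effect Sebastian asks about (random_get_entropy() falling back to a get_cycles() that returns 0), as an added example that is not part of the thread and not kernel code: a simplified user-space model that compares the per-interrupt input word on an architecture with no cycle counter against one with a working counter. The mixing, the sample interrupt values and the names (arch_cycles_none, arch_cycles_tsc, interrupt_input, distinct_inputs) are constructed assumptions, not the kernel's actual fast_mix.

```c
/* Simplified model of the random driver's interrupt path. Added example,
 * not kernel code; mixing and sample values are constructed. */
#include <stdint.h>
#include <stddef.h>

typedef uint64_t (*cycles_fn)(void);

/* Architectures without a cycle counter (the mail names Hexagon, Cris,
 * Frv, m32r and m68k) have get_cycles() return a constant 0. */
static uint64_t arch_cycles_none(void) { return 0; }

/* An architecture with a working counter, modelled as a constructed
 * monotonically increasing value. */
static uint64_t fake_tsc = 0x1000;
static uint64_t arch_cycles_tsc(void) { return fake_tsc += 1237; }

/* Mirrors the fallback: with no arch override, random_get_entropy()
 * is simply get_cycles(). */
static uint64_t random_get_entropy(cycles_fn arch_get_cycles) {
    return arch_get_cycles();
}

/* The cheap, largely guessable inputs that accompany each interrupt. */
struct irq_sample { uint32_t irq; uint64_t jiffies; uint64_t ip; };

/* One input word per interrupt: timestamp bits XORed with the rest
 * (a stand-in for the real mixing, not the kernel's fast_mix). */
static uint64_t interrupt_input(cycles_fn c, const struct irq_sample *s) {
    return random_get_entropy(c) ^ (s->jiffies << 32) ^ s->irq ^ s->ip;
}

/* Count distinct input words over a burst of n interrupts from the same
 * handler within one jiffy. With a zero counter every word is identical,
 * so an attacker who knows irq, ip and jiffies can predict all of them. */
static size_t distinct_inputs(cycles_fn c, size_t n) {
    uint64_t seen[64];
    size_t count = 0;
    struct irq_sample s = { .irq = 19, .jiffies = 0x12345,
                            .ip = 0xffffffff81000000ULL };
    for (size_t i = 0; i < n && i < 64; i++) {
        uint64_t v = interrupt_input(c, &s);
        size_t j;
        for (j = 0; j < count; j++)
            if (seen[j] == v) break;
        if (j == count) seen[count++] = v;
    }
    return count;
}
```

With the zero fallback, distinct_inputs() reports a single value however many interrupts arrive; with a real counter it reports one value per interrupt.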