lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <53703E74.9020700@linux.intel.com>
Date:	Sun, 11 May 2014 20:22:28 -0700
From:	"H. Peter Anvin" <hpa@...ux.intel.com>
To:	Stephan Mueller <smueller@...onox.de>
CC:	Theodore Ts'o <tytso@....edu>, LKML <linux-kernel@...r.kernel.org>,
	linux-crypto@...r.kernel.org
Subject: Re: arch_random_refill

On 05/11/2014 04:01 PM, Stephan Mueller wrote:
> Hi Peter,
> 
> some time back when the RDRAND instruction was debated, a patch was offered 
> for driver/char/random.c that in essence turned /dev/random into a frontend 
> for RDRAND in case that instruction was available. The patch kind of 
> monopolized the noise sources such that if a user space "random number hog" 
> pulled data from /dev/random endlessly, the (almost) only noise source was 
> RDRAND. As that patch treated RDRAND to provide entropy, the blocking behavior 
> went away for /dev/random.
> 

This is false in a number of ways.

First of all... we NEVER pulled either /dev/random or /dev/urandom
directly from RDRAND.  We used RDRAND directly for kernel internal
randomness uses.  Users did object to this.

> That patch did not sit well with some developers and it got finally changed 
> such that the output of RDRAND is now just XORed with the output of the 
> "classic" /dev/random behavior -- /dev/random is still blocking. 

Mixing in RDRAND into /dev/random and /dev/urandom is actually

> With the current development cycle for 3.15, the function arch_random_refill 
> is added as presented in [1]. It now uses RDSEED instead of RDRAND. Yet, the 
> way this function is called in random_read seems (as I have no system with an 
> RDSEED, I cannot test) to show the very same behavior as the aforementioned 
> RDRAND patch: the blocking behavior of /dev/random will be gone and RDSEED 
> will monopolize the noise sources in case of a user space hog.

There is a huge difference between this and what people objected to
earlier: we filter everything through the kernel random number pool
system, which would require a herculean mathematical effort to reverse
even if the output of RDSEED was 100% predictable.

> Note, I do not see an issue with the patch that adds RDSEED as part of 
> add_interrupt_randomness outlined in [2]. The reason is that this patch does 
> not monopolizes the noise sources.
> 
> I do not want to imply that Intel (or any other chip manufacturer that will 
> hook into arch_random_refill) intentionally provides bad entropy (and this 
> email shall not start a discussion about entropy again), but I would like to 
> be able to only use noise sources that I can fully audit. As it is with 
> hardware, I am not able to see what it is doing.

I have to point out the irony in this given your previous proposals,
however...

> Thus, may I ask that arch_random_refill is revised such that it will not 
> monopolize the noise sources? If somebody wants that, he can easily use rngd.

Feel free to build the kernel without CONFIG_ARCH_RANDOM, or use the
"nordrand" option to the kernel.  These options are there for a reason.

Now when you mention it, though, the nordrand option should turn off
RDSEED as well as RDRAND.  It currently doesn't; that is a bug, plain
and simple.

	-hpa

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ