[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20140520200803.GA22308@logfs.org>
Date: Tue, 20 May 2014 16:08:03 -0400
From: Jörn Engel <joern@...fs.org>
To: Andi Kleen <andi@...stfloor.org>
Cc: Theodore Ts'o <tytso@....edu>, "H. Peter Anvin" <hpa@...or.com>,
lkml <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH] random: mix all saved registers into entropy pool
On Tue, 20 May 2014 05:12:07 -0700, Andi Kleen wrote:
> Jörn Engel <joern@...fs.org> writes:
> >
> > An alternate high-resolution timer is the register content at the time
> > of an interrupt.
>
> So if you interrupt a cryptographic function you may hash in parts
> of the key?
Yes. And if there was an efficient way to deduce random generator
inputs, that would be a new side channel attack. An efficient way to
deduce random generator inputs would allow many other attacks as well.
I don't know of such an attack nor can I conceive it being possible
under normal circumstances.
There are of course two exceptions. If the attacker can read
arbitrary kernel memory - and therefore could read the private key
directly. And if there is so little entropy that an attacker can
enumerate all possible states of the random generator and read enough
random numbers to exclude most of those states.
The second case also allows for many more interesting attacks and is
exactly the sort of hole I want to plug with this patch.
I think leaking of private keys or similar information is not a
concern. But please prove me wrong. Better you now than someone else
later.
Jörn
--
When in doubt, punt. When somebody actually complains, go back and fix it...
The 90% solution is a good thing.
-- Rob Landley
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists