| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 9 Aug 2016 14:04:44 +0000 From: Jason Cooper <jason@...edaemon.net> To: Theodore Ts'o <tytso@....edu>, "Pan, Miaoqing" <miaoqing@....qualcomm.com>, Stephan Mueller <smueller@...onox.de>, "Sepehrdad, Pouyan" <pouyans@....qualcomm.com>, "herbert@...dor.apana.org.au" <herbert@...dor.apana.org.au>, "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>, "linux-crypto@...r.kernel.org" <linux-crypto@...r.kernel.org>, ath9k-devel <ath9k-devel@....qualcomm.com>, "linux-wireless@...r.kernel.org" <linux-wireless@...r.kernel.org>, "ath9k-devel@...ts.ath9k.org" <ath9k-devel@...ts.ath9k.org>, Kalle Valo <kvalo@...eaurora.org> Subject: Re: [PATCH v2] RANDOM: ATH9K RNG delivers zero bits of entropy Hi Ted, On Tue, Aug 09, 2016 at 07:56:22AM -0400, Theodore Ts'o wrote: > On Tue, Aug 09, 2016 at 06:30:03AM +0000, Pan, Miaoqing wrote: > > Agree with Jason's point, also understand Stephan's concern. The > > date rate can be roughly estimated by 'cat /dev/random |rngtest -c > > 1000', the average speed is 1111.294Kibits/s. I will sent the patch > > to disable ath9k RNG by default. > > If the ATH9K is generating some random amount of data, but you don't > know how random, and you're gathering it opportunistically --- for > example, suppose a wireless driver gets the radio's signal strength > through the normal course of its operation, and while there might not > be that much randomness for someone who can observe the exact details > of how the phone is positioned in the room --- but for which the > analyst sitting in Fort Meade won't know whether or not the phone is > on the desk, or in a knapsack under the table, the right interface to > use is: > > void add_device_randomness(const void *buf, unsigned int size); > > This won't increase the entropy count, but if you have the bit of > potential randomness "for free", you might as well contribute it to > the entropy pool. If it turns out that the chip was manufactured in > China, and the MSS has backdoored it out the wazoo, it won't do any > harm --- where as using the hwrng framework would be disastrous. Ok, I get that. However, we have Documentation/hw_random.txt saying: This data is NOT CHECKED by any fitness tests, and could potentially be bogus (if the hardware is faulty or has been tampered with). Data is only output if the hardware "has-data" flag is set, but nevertheless a security-conscious person would run fitness tests on the data before assuming it is truly random. Which I would read as "Don't assume 1 bit read from /dev/hwrng equals 1 bit of entropy." Which runs counter to Stephan's reading of the rngd code. And then we have drivers like timeriomem-rng.c that appear to be spitting out the raw 32bit register value of $SOC's timer. Thankfully, most hw_random drivers don't set the quality. So unless the user sets the default_quality param, it's zero. iiuc, Ted, you're saying using the hw_random framework would be disasterous because despite most drivers having a default quality of 0, rngd assumes 1 bit of entropy for every bit read? thx, Jason.
Powered by blists - more mailing lists