| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 02 Feb 2024 22:28:01 +0100
From: James Bottomley <jejb@...ux.ibm.com>
To: "Theodore Ts'o" <tytso@....edu>
Cc: "Jason A. Donenfeld" <Jason@...c4.com>,
"Reshetova, Elena"
<elena.reshetova@...el.com>,
Dave Hansen <dave.hansen@...ux.intel.com>,
"Kirill A. Shutemov" <kirill.shutemov@...ux.intel.com>,
Thomas Gleixner
<tglx@...utronix.de>, Ingo Molnar <mingo@...hat.com>,
Borislav Petkov
<bp@...en8.de>, "H. Peter Anvin" <hpa@...or.com>,
"x86@...nel.org"
<x86@...nel.org>,
Kuppuswamy Sathyanarayanan
<sathyanarayanan.kuppuswamy@...ux.intel.com>,
"Nakajima, Jun"
<jun.nakajima@...el.com>,
Tom Lendacky <thomas.lendacky@....com>,
"Kalra,
Ashish" <ashish.kalra@....com>,
Sean Christopherson <seanjc@...gle.com>,
"linux-coco@...ts.linux.dev" <linux-coco@...ts.linux.dev>,
"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH 1/2] x86/random: Retry on RDSEED failure
On Fri, 2024-02-02 at 11:05 -0500, Theodore Ts'o wrote:
> On Fri, Feb 02, 2024 at 04:47:11PM +0100, James Bottomley wrote:
> >
> > It's a lot to quote, so I cut it, but all of your solutions assume
> > a rdseed/rdrand failure equates to a system one but it really
> > doesn't: in most systems there are other entropy sources. In
> > confidential computing it is an issue because we have no other
> > trusted sources. The problem with picking on rdseed/rdrand is that
> > there are bound to be older CP s somewhere that have rng generation
> > bugs that this will
> > expose.
>
> I'm not sure what you're concerned about. As far as I know, all of
> the CPU's have some variant of Confidential Compute have some kind of
> RDRAND-like command. And while we're using the term RDRAND, I'd
> extend this to any CPU architecture-level RNG instruction which can
> return failure if it is subject to exhaustion attacks.
My big concern is older cpus where rdrand/rdseed don't produce useful
entropy. Exhaustion attacks are going to be largely against VMs not
physical systems, so I worry about physical systems with older CPUs
that might have rdrand issues which then trip our Confidential
Computing checks.
> > How about making the failure contingent on the entropy pool
> > not having any entropy when the first random number is requested?
>
> We have tried to avoid characterizing entropy sources as "valid" or
> "invalid". First of all, it's rarely quite so black-and-white.
> Something which is vulnerable to someone who can spy on inter-packet
> arrival times by having a hardware tap between the CPU and the
> network switch, or a wireless radio right next to the device being
> attacked, might not be easily carried out by someone who doesn't have
> local physical access.
>
> So we may be measuring various things that might or might not have
> "entropy". In the case of Confidential Compute, we have declared
> that none of those other sources constitute "entropy". But that's
> not a decision that can be made by the computer, or at least until
> we've tracked the AGI problem. (At which point, we might have other
> problems --- "I'm sorry, I'm afraid I can't do that.")
The signal for rdseed failing is fairly clear, so if the node has other
entropy sources, it should continue otherwise it should signal failure.
Figuring out how a confidential computing environment signals that
failure is TBD.
James
Powered by blists - more mailing lists