lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Fri, 2 Feb 2024 07:56:07 +0000
From: "Reshetova, Elena" <elena.reshetova@...el.com>
To: "Dr. Greg" <greg@...ellic.com>, "Daniel P. Berrang??"
	<berrange@...hat.com>
CC: Theodore Ts'o <tytso@....edu>, "Jason A. Donenfeld" <Jason@...c4.com>,
	"Hansen, Dave" <dave.hansen@...el.com>, "Kirill A. Shutemov"
	<kirill.shutemov@...ux.intel.com>, Thomas Gleixner <tglx@...utronix.de>,
	"Ingo Molnar" <mingo@...hat.com>, Borislav Petkov <bp@...en8.de>, Dave Hansen
	<dave.hansen@...ux.intel.com>, "H. Peter Anvin" <hpa@...or.com>,
	"x86@...nel.org" <x86@...nel.org>, Kuppuswamy Sathyanarayanan
	<sathyanarayanan.kuppuswamy@...ux.intel.com>, "Nakajima, Jun"
	<jun.nakajima@...el.com>, Tom Lendacky <thomas.lendacky@....com>, "Kalra,
 Ashish" <ashish.kalra@....com>, Sean Christopherson <seanjc@...gle.com>,
	"linux-coco@...ts.linux.dev" <linux-coco@...ts.linux.dev>,
	"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>
Subject: RE: [PATCH 2/2] x86/random: Issue a warning if RDRAND or RDSEED fails

> > > The bigger question, which I will respond to Elena with, is how much
> > > this issue calls the entire question of confidential computing into
> > > question.
> 
> > A denial of service (from a panic on RDRAND fail) doesn't undermine
> > confidental computing. Guest data confidentiality is maintained by
> > panicing on RDRAND failure and DoS protection isn't a threat that CC
> > claims to be able to mitigate in general.
> 
> Yes, if there is a problem with RDRAND we have a CoCo solution, full
> stop.
> 
> The issue that I was raising with Elena is more generic, to wit:
> 
> Her expressed concern is that a code construct looking something like this,
> rdrand() returning 0 on success:
> 
> for (i= 0; i < 9; ++i)
> 	if (!rdrand(&seed))
> 		break;
> 	sleep(some time);
> }
> if (i == 9)
> 	BUG("No entropy");
> 
> do_something_with(seed);
> 
> Could be sufficiently manipulated by a malicious hypervisor in a TDX
> environment so as to compromise its functionality.

This is not what I had in mind. How does the above can be manipulated
by a malicious hypervisor? If the above construction can be
logically manipulated we have other issues than rdrand, this is imo
already a control flow manipulation attack that you are stating here. 

What a malicious hypervisor can *in theory* do is to insert the execution
delays and make the above loop fail even if we assume that the probability
of falling the 10 retry loop is negligible in normal cases (assuming tightness
or other timing requirements). But again, this is theoretical at this point.
But if the SW refuses to proceed and panics in such cases, we have a DoS
as we already discussed.

Best Regards,
Elena.


> 
> If this level of control is indeed possible, given the long history of
> timing and side-channel attacks against cryptography, this would seem
> to pose significant questions as to whether or not CoCo can deliver on
> its stated goals.
> 
> > With regards,
> > Daniel
> 
> Have a good evening.
> 
> As always,
> Dr. Greg
> 
> The Quixote Project - Flailing at the Travails of Cybersecurity
>               https://github.com/Quixote-Project

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ