All of lore.kernel.org
 help / color / mirror / Atom feed
From: "H. Peter Anvin" <hpa@zytor.com>
To: Andy Lutomirski <luto@amacapital.net>
Cc: Torsten Duwe <duwe@lst.de>, "Theodore Ts'o" <tytso@mit.edu>,
	Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	Matt Mackall <mpm@selenic.com>,
	Herbert Xu <herbert@gondor.apana.org.au>,
	Arnd Bergmann <arnd@arndb.de>,
	Rusty Russell <rusty@rustcorp.com.au>,
	Satoru Takeuchi <satoru.takeuchi@gmail.com>,
	ingo.tuchscherer@de.ibm.com,
	"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
	Hans-Georg Markgraf <MGRF@de.ibm.com>,
	Gerald Schaefer <gerald.schaefer@de.ibm.com>,
	Martin Schwidefsky <schwidefsky@de.ibm.com>,
	Heiko Carstens <heiko.carstens@de.ibm.com>,
	Joe Perches <joe@perches.com>, Greg Price <price@mit.edu>
Subject: Re: [PATCH v2 02/03]: hwrng: create filler thread
Date: Wed, 26 Mar 2014 18:55:17 -0700	[thread overview]
Message-ID: <56e20125-95d3-465f-b582-fba5ba74d2f3@email.android.com> (raw)
In-Reply-To: <CALCETrUa_y6nGAtHmKkMwfTttXEabXCWPsXv==RrJN0_T3imZA@mail.gmail.com>

There are a number of things wrong with this post, but I'll respond in detail when I get to a keyboard.

On March 26, 2014 6:11:53 PM PDT, Andy Lutomirski <luto@amacapital.net> wrote:
>[cc: Greg Price, might be working on this stuff]
>
>On Wed, Mar 26, 2014 at 6:03 PM, H. Peter Anvin <hpa@zytor.com> wrote:
>> I'm wondering more about the default.  We default to 50% for
>arch_get_random_seed, and this is supposed to be the default for in
>effect unverified hwrngs...
>
>TBH I'm highly skeptical of this kind of entropy estimation.
>/dev/random is IMO just silly, since you need to have very
>conservative entropy estimates for the concept to really work, and
>that ends up being hideously slow.  Also, in the /dev/random sense,
>most hardware RNGs have no entropy at all, since they're likely to be
>FIPS-approved DRBGs that don't have a real non-deterministic source.
>
>For the kernel's RNG to be secure, I think it should have the property
>that it still works if you rescale all the entropy estimates by any
>constant that's decently close to 1.
>
>If entropy estimates are systematically too low, then a naive
>implementation results in an excessively long window during early
>bootup in which /dev/urandom is completely insecure.
>
>If entropy estimates are systematically too high, then a naive
>implementation fails to do a catastrophic reseed, and the RNG can be
>brute-forced.
>
>So I think that the core code should do something along the lines of
>using progressively larger reseeds.  Since I think that /dev/random is
>silly, this means that we only really care about the extent to which
>"entropy" measures entropy conditioned on whatever an attacker can
>actually compute.  Since this could vary widely between devices (e.g.
>if your TPM is malicious), I think that the best we can do is to
>collect ~256 bits from everything available, shove it all in to the
>core together, and repeat.  For all I know, the core code already does
>this.
>
>The upshot is that the actual rescaling factor should barely matter.
>50% is probably fine.  So is 100% and 25%.  10% is probably asking for
>trouble during early boot if all you have is a TPM.
>
>--Andy

-- 
Sent from my mobile phone.  Please pardon brevity and lack of formatting.

  reply	other threads:[~2014-03-27  1:56 UTC|newest]

Thread overview: 41+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2014-03-21 14:29 [PATCH v2 00/03]: khwrngd Torsten Duwe
2014-03-21 14:32 ` [Patch v2 01/03]: provide an injection point for pure hardware randomness Torsten Duwe
2014-03-21 14:33 ` [PATCH v2 02/03]: hwrng: create filler thread Torsten Duwe
2014-03-27  0:50   ` Andy Lutomirski
2014-03-27  1:03     ` H. Peter Anvin
2014-03-27  1:11       ` Andy Lutomirski
2014-03-27  1:55         ` H. Peter Anvin [this message]
2014-03-27  4:47         ` H. Peter Anvin
2014-03-27 15:03           ` Torsten Duwe
2014-03-27 16:06           ` Andy Lutomirski
2014-03-27 14:54       ` Torsten Duwe
2014-03-27 15:47         ` Andy Lutomirski
2014-04-14 16:02       ` [PATCH v3 00/03]: hwrng: an in-kernel rngd Torsten Duwe
2014-04-14 16:04         ` [PATCH v3 01/03]: hwrng: provide an injection point for pure hardware randomness Torsten Duwe
2014-04-14 16:05         ` [PATCH v3 02/03]: hwrng: create filler thread Torsten Duwe
2014-04-14 16:06         ` [PATCH v3 03/03]: hwrng: khwrngd derating per device Torsten Duwe
2014-04-14 16:41           ` Andy Lutomirski
2014-04-15  8:51             ` Torsten Duwe
2014-04-15 16:53               ` Andy Lutomirski
2014-05-27 13:41                 ` [PATCH v5 00/03]: hwrng: an in-kernel rngd Torsten Duwe
2014-05-27 13:44                   ` [Patch 01/03]: provide an injection point for pure hardware randomness Torsten Duwe
2014-05-27 13:45                   ` [Patch v5 02/03]: hwrng: create filler thread Torsten Duwe
2014-05-27 13:46                   ` [Patch v5 03/03]: hwrng: khwrngd derating per device Torsten Duwe
2014-05-27 14:11                     ` [Patch v5.1 " Torsten Duwe
2014-06-12  1:24                       ` H. Peter Anvin
2014-06-12 10:09                         ` Torsten Duwe
2014-06-14  2:40                           ` Theodore Ts'o
2014-06-14  2:44                             ` H. Peter Anvin
2014-06-15  5:11                               ` Theodore Ts'o
2014-06-16  7:31                                 ` Torsten Duwe
2014-06-16 11:22                                   ` Theodore Ts'o
2014-06-16 14:07                                     ` Torsten Duwe
2014-06-16 14:40                                       ` Theodore Ts'o
     [not found]                                     ` <20140616141444.GB1744@suse.de>
     [not found]                                       ` <20140616142812.GB19387@thunk.org>
2014-07-11 13:43                                         ` Ingo Tuchscherer
2014-07-11 14:42                                           ` Theodore Ts'o
2014-04-14 16:09         ` [PATCH v3 00/03]: hwrng: an in-kernel rngd H. Peter Anvin
2014-04-14 16:24           ` Torsten Duwe
2014-04-14 16:29             ` H. Peter Anvin
2014-04-14 16:43             ` Andy Lutomirski
2014-04-14 16:27           ` [PATCH v4 03/03]: hwrng: khwrngd derating per device Torsten Duwe
2014-03-21 14:34 ` [PATCH v2 " Torsten Duwe

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=56e20125-95d3-465f-b582-fba5ba74d2f3@email.android.com \
    --to=hpa@zytor.com \
    --cc=MGRF@de.ibm.com \
    --cc=arnd@arndb.de \
    --cc=duwe@lst.de \
    --cc=gerald.schaefer@de.ibm.com \
    --cc=gregkh@linuxfoundation.org \
    --cc=heiko.carstens@de.ibm.com \
    --cc=herbert@gondor.apana.org.au \
    --cc=ingo.tuchscherer@de.ibm.com \
    --cc=joe@perches.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=luto@amacapital.net \
    --cc=mpm@selenic.com \
    --cc=price@mit.edu \
    --cc=rusty@rustcorp.com.au \
    --cc=satoru.takeuchi@gmail.com \
    --cc=schwidefsky@de.ibm.com \
    --cc=tytso@mit.edu \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.