From: Sandy Harris <sandyinchina@gmail.com>
To: Pavel Machek <pavel@ucw.cz>
Cc: "Petr Tesarik" <ptesarik@suse.cz>,
	"Jason A. Donenfeld" <Jason@zx2c4.com>,
	"Torsten Duwe" <duwe@lst.de>,
	"Marcelo Henrique Cerri" <marcelo.cerri@canonical.com>,
	"Theodore Y. Ts'o" <tytso@mit.edu>,
	"Linus Torvalds" <torvalds@linux-foundation.org>,
	"Stephan Müller" <smueller@chronox.de>,
	"Willy Tarreau" <w@1wt.eu>,
	"Linux Crypto Mailing List" <linux-crypto@vger.kernel.org>,
	"Nicolai Stange" <nstange@suse.de>,
	LKML <linux-kernel@vger.kernel.org>,
	"Arnd Bergmann" <arnd@arndb.de>,
	"Eric W. Biederman" <ebiederm@xmission.com>,
	"Alexander E. Patrakov" <patrakov@gmail.com>,
	"Ahmed S. Darwish" <darwish.07@gmail.com>,
	"Matthew Garrett" <mjg59@srcf.ucam.org>,
	"Vito Caputo" <vcaputo@pengaru.com>,
	"Andreas Dilger" <adilger.kernel@dilger.ca>,
	"Jan Kara" <jack@suse.cz>, "Ray Strode" <rstrode@redhat.com>,
	"William Jon McCann" <mccann@jhu.edu>,
	zhangjs <zachary@baishancloud.com>,
	"Andy Lutomirski" <luto@kernel.org>,
	"Florian Weimer" <fweimer@redhat.com>,
	"Lennart Poettering" <mzxreary@0pointer.de>,
	"Peter Matthias" <matthias.peter@bsi.bund.de>,
	"Neil Horman" <nhorman@redhat.com>,
	"Randy Dunlap" <rdunlap@infradead.org>,
	"Julia Lawall" <julia.lawall@inria.fr>,
	"Dan Carpenter" <dan.carpenter@oracle.com>,
	"Andy Lavr" <andy.lavr@gmail.com>,
	"Eric Biggers" <ebiggers@kernel.org>,
	"Ard Biesheuvel" <ardb@kernel.org>,
	simo@redhat.com
Subject: Re: drivers/char/random.c needs a (new) maintainer
Date: Fri, 8 Jan 2021 16:42:11 +0800
Message-ID: <CACXcFmknEkN7YZrG3uU7Ty35SDxxCwTSU1HcePWCa=xyuUUH+w@mail.gmail.com>
In-Reply-To: <20201224191953.GD22388@amd>

Pavel Machek <pavel@ucw.cz> wrote:

> To play devil's advocate, does RNG subsystem need to evolve? Its task
> is to get random numbers. Does it fail at the task?
>
> Problem is, random subsystem is hard to verify, and big rewrite is
> likely to cause security problems...

Parts of the problem, though, are dead easy in many of today's
environments.

Many CPUs, e.g. Intel, have an instruction that gives random
numbers. Some systems have another hardware RNG. Some
can add one using a USB device or Denker's Turbid
(https://www.av8n.com/turbid/). Many Linux instances run on
VMs so they have an emulated HWRNG using the host's
/dev/random.

None of those is necessarily 100% trustworthy, though the
published analysis for Turbid & for (one version of) the Intel
device seem adequate to me. However, if you use any
of them to scribble over the entire 4k-bit input pool and/or
a 512-bit Salsa context during initialisation, then it seems
almost certain you'll get enough entropy to block attacks.

They are all dirt cheap so doing that, and using them
again later for incremental squirts of randomness, looks
reasonable.

In many cases you could go further. Consider a system
with an Intel CPU and another HWRNG, perhaps a VM.
Get 128 bits from each source & combine them using
the 128-bit finite field multiplication from the GSM
authentication. Still cheap & it cannot be worse than
the better of the two sources. If both sources are
anywhere near reasonable, this should produce 128
bits of very high grade random material, cheaply.

I am not suggesting any of these should be used for
output, but using them for initialisation whenever
possible looks obvious to me.
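The "128 bits from each source, combined by 128-bit finite field multiplication" step above, worked as an added example that is not part of the original message or of the kernel's random.c. It assumes the binary field used by GCM's GHASH (reduction polynomial x^128 + x^7 + x^2 + x + 1, in natural rather than GCM's reflected bit order) and uses constructed sample bytes in place of real RDRAND and virtio-rng reads; combine_sources refuses an all-zero sample because zero annihilates the product and would silently discard the other source.

```c
#include <stdint.h>
#include <stdio.h>
/* Element of GF(2^128): bit i (0..127) of hi:lo is the coefficient of x^i. */
typedef struct { uint64_t lo, hi; } gf128;

static gf128 gf128_load(const uint8_t in[16]) {          /* little-endian bytes */
    gf128 v = {0, 0};
    for (int i = 0; i < 8; i++) {
        v.lo |= (uint64_t)in[i] << (8 * i);
        v.hi |= (uint64_t)in[8 + i] << (8 * i);
    }
    return v;
}
static void gf128_store(gf128 v, uint8_t out[16]) {
    for (int i = 0; i < 8; i++) {
        out[i] = (uint8_t)(v.lo >> (8 * i));
        out[8 + i] = (uint8_t)(v.hi >> (8 * i));
    }
}

/* Bit-serial multiply modulo x^128 + x^7 + x^2 + x + 1 (the GHASH field). */
static gf128 gf128_mul(gf128 a, gf128 b) {
    gf128 r = {0, 0};
    for (int i = 0; i < 128; i++) {
        uint64_t bit = (i < 64) ? (b.lo >> i) & 1 : (b.hi >> (i - 64)) & 1;
        if (bit) { r.lo ^= a.lo; r.hi ^= a.hi; }       /* r += a * x^i */
        uint64_t carry = a.hi >> 63;                   /* coefficient of x^127 */
        a.hi = (a.hi << 1) | (a.lo >> 63);             /* a *= x */
        a.lo <<= 1;
        if (carry) a.lo ^= 0x87;                       /* x^128 = x^7+x^2+x+1 */
    }
    return r;
}
/* Mix two samples; -1 if either is all-zero, since zero annihilates the product. */
static int combine_sources(const uint8_t a[16], const uint8_t b[16], uint8_t out[16]) {
    gf128 x = gf128_load(a), y = gf128_load(b);
    if ((x.lo | x.hi) == 0 || (y.lo | y.hi) == 0) return -1;
    gf128_store(gf128_mul(x, y), out);
    return 0;
}

int main(void) {
    /* Constructed sample values standing in for an RDRAND and a virtio-rng read. */
    const uint8_t s1[16] = {0x3a,0x7f,0x01,0xc4,0x55,0x9e,0x12,0xd8,0x90,0x2b,0x6e,0xf3,0x47,0x81,0xac,0x19};
    const uint8_t s2[16] = {0xe2,0x14,0x8c,0x77,0x0b,0xd9,0x63,0x2f,0xa5,0x48,0xfe,0x06,0xb1,0x5d,0x93,0xcc};
    uint8_t mixed[16];
    if (combine_sources(s1, s2, mixed) == 0)
        for (int i = 0; i < 16; i++) printf("%02x%s", mixed[i], i == 15 ? "\n" : "");
    return 0;
}
```

Multiplication by any fixed nonzero element is a bijection of the field, which is what makes the product at least as unpredictable as the better input; the zero check is the one case where that argument fails.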
