Date: Fri, 13 May 2022 08:19:13 +0200
From: Dominik Brodowski
To: "Jason A. Donenfeld"
Cc: Thomas Ristenpart, Yevgeniy Dodis, tytso, Nadia Heninger, Noah Stephens-Dawidowitz, Stefano Tessaro, torvalds@linux-foundation.org, D. J. Bernstein, jeanphilippe.aumasson@gmail.com, jann@thejh.net, keescook@chromium.org, gregkh@linuxfoundation.org, Peter Schwabe, linux-crypto@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: is "premature next" a real world rng concern, or just an academic exercise?
References: <7EB51D84-90A4-4C97-9A81-14A8C32990F7@cornell.edu>
X-Mailing-List: linux-crypto@vger.kernel.org

On Thu, May 12, 2022 at 01:47:06PM +0200, Jason A. Donenfeld wrote:
> But on the other hand, it appears that none of us really thinks that
> premature next is a real problem worth complicating designs over. So
> maybe we can just say that it is nice when the silicon in one way or
> another helps with premature next, but maybe not an explicit must have.
> So where does that leave us?
>
> - Systems with RDSEED/RDRAND don't have premature next, due to the above
>   KDF salt. This is probably the majority of systems out there these
>   days. This also applies to the sleep resumption notification (and the
>   vmgenid one), and I suspect that most systems with S3 or S0ix or
>   whatever else these days also probably have RDRAND.

... and most of these systems have TPM chips with a RNG, which is (alas)
usually only used at system startup, as that hw_rng device sets its
quality to 0 (meaning untrusted). So there's also room for improvement
involving these hw rng devices.

Thanks,
	Dominik
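To make the "premature next" condition the thread is discussing concrete, here is a toy model added by the editor; it is not code from this thread, from the Linux RNG, or from any of the participants. A hash-based generator with a known (compromised) state is reseeded with an input that carries only a few bits of fresh entropy and then immediately produces output; the model checks whether enumerating those few bits is enough to explain the observed output, i.e. whether the reseed failed to restore unpredictability. It then repeats the check with a large hardware-supplied salt mixed into the reseed, the role Jason describes for the RDSEED-derived KDF salt. The generator construction, the 4-byte entropy encoding, the entropy-bit count and the salt value are all constructed for the illustration; the stand-in salt is a fixed byte string rather than a real RDSEED read so that the demonstration is deterministic.

```python
import hashlib

# Toy generator (constructed for illustration; not the kernel's construction).
# State is 32 bytes. An output block is SHA-256(state || "out"); a reseed
# folds fresh input, plus an optional hardware salt, into the state.

def next_output(state: bytes) -> bytes:
    """Produce one 32-byte output block from the current state."""
    return hashlib.sha256(state + b"out").digest()


def reseed(state: bytes, entropy: bytes, salt: bytes = b"") -> bytes:
    """Mix fresh entropy (and an optional salt) into the state."""
    return hashlib.sha256(state + b"reseed" + entropy + salt).digest()


def state_still_predictable(compromised_state: bytes, observed_output: bytes,
                            entropy_bits: int) -> bool:
    """Model of the premature-next check.

    Assumes the pre-reseed state is known, the reseed carried only
    `entropy_bits` of fresh entropy (encoded as a 4-byte big-endian
    counter, a constructed convention), and one output was emitted right
    after the reseed.  Returns True if walking the 2**entropy_bits
    candidate inputs reproduces the observed output, meaning the reseed
    did not restore unpredictability; False otherwise.
    """
    for guess in range(1 << entropy_bits):
        candidate = reseed(compromised_state, guess.to_bytes(4, "big"))
        if next_output(candidate) == observed_output:
            return True
    return False


def premature_next_window(entropy_bits: int, salt: bytes) -> bool:
    """Run the scenario once and report whether the window is open.

    The compromised state, the low-entropy reseed input and the salt are
    all constructed values.  A returned True means the output emitted
    right after the reseed was predictable from the old state alone.
    """
    compromised = bytes(32)                        # state assumed known
    fresh_input = (7).to_bytes(4, "big")           # only `entropy_bits` of real entropy
    new_state = reseed(compromised, fresh_input, salt)
    first_output = next_output(new_state)
    return state_still_predictable(compromised, first_output, entropy_bits)


# Constructed stand-in for a 256-bit hardware salt (a real design would
# read RDSEED or a hwrng here; a fixed value keeps the demo deterministic).
HW_SALT = bytes(range(32))

if __name__ == "__main__":
    # Small reseed, no salt: the first post-reseed output is predictable.
    print("window open, no salt :", premature_next_window(8, b""))      # True
    # Same small reseed, but a hardware salt folded in: enumeration of the
    # low-entropy input alone no longer explains the output.
    print("window open, hw salt :", premature_next_window(8, HW_SALT))  # False
```

The point of the second run is not that the salt is secret forever, but that an unpredictable per-reseed value of full width makes the post-reseed state independent of the small entropy estimate, which is exactly why a design that can draw on RDSEED, or on a hwrng whose quality the kernel actually trusts, closes the window that the thread is weighing.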