linux-kernel.vger.kernel.org archive mirror
From: Stephen Hemminger <shemminger@vyatta.com>
To: Jeff Garzik <jeff@garzik.org>
Cc: Robin Getz <rgetz@blackfin.uclinux.org>,
	netdev@vger.kernel.org, linux-kernel@vger.kernel.org,
	Chris Peterson <cpeterso@cpeterso.com>,
	Matt Mackall <mpm@selenic.com>,
	David Miller <davem@davemloft.net>
Subject: Re: IRQF_SAMPLE_RANDOM question...
Date: Mon, 6 Apr 2009 11:44:32 -0700
Message-ID: <20090406114432.3a554eba@nehalam>
In-Reply-To: <49DA4C85.5090806@garzik.org>

On Mon, 06 Apr 2009 14:40:05 -0400
Jeff Garzik <jeff@garzik.org> wrote:

> Robin Getz wrote:
> > Although there was some discussion  
> > http://thread.gmane.org/gmane.linux.kernel/680723
> > 
> > about removing IRQF_SAMPLE_RANDOM from the remaining network drivers in May of 
> > 2008, but they still appear to be there in 2.6.29.
> > 
> > drivers/net/ibmlana.c
> > drivers/net/macb.c
> > drivers/net/3c523.c
> > drivers/net/3c527.c
> > drivers/net/netxen/netxen_nic_main.c
> > drivers/net/cris/eth_v10.c
> > drivers/net/xen-netfront.c
> > drivers/net/atlx/atl1.c
> > drivers/net/qla3xxx.c
> > drivers/net/tg3.c
> > drivers/net/niu.c
> > 
> > So what is the plan? If I send a patch to add IRQF_SAMPLE_RANDOM to others 
> > (like the Blackfin) networking drivers - will it get rejected?
> > 
> > We have lots of embedded headless systems (no keyboard/mouse, no soundcard, no 
> > video) with *no* sources of entropy - and people using SSL.
> > 
> > I didn't really find any docs which describe what should have 
> > IRQF_SAMPLE_RANDOM on it or not. I did find Matt Mackall describing it as:
> >> We currently assume that IRQF_SAMPLE_RANDOM means 'this is a completely
> >> trusted unobservable entropy source' which is obviously wrong for
> >> network devices but is right for some other classes of device.
> > 
> > Currently - most things I see using IRQF_SAMPLE_RANDOM would also fail 
> > the "completely unobservable" test. Other than the TRNG that are inside the 
> > CPU - what does pass?
> 
> IMO it's not observation but rather that a remote host is essentially 
> your source of entropy -- which means your source of entropy is 
> potentially controllable or influenced by an attacker.
> 
> Furthermore, with hardware interrupt mitigation, non-trivial traffic 
> levels can imply that interrupts are delivered with timer-based 
> regularity.  This, too, may clearly be influenced by a remote attacker.
> 
> Thus I think IRQF_SAMPLE_RANDOM should be banned from network drivers... 
>   but that is not a universal opinion.
> 
> 	Jeff

The real problem one is xen-netfront. Because 1) it is least random,
the attacker might be another VM 2) the VM is most in need of random
samples because it doesn't have real hardware.
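
Added example (not part of the original message and not kernel code): a user-space C model of a delta-based timing credit heuristic, modeled on the one in the kernel's add_timer_randomness() of that era, run over two constructed interrupt-timestamp traces. The struct, the function names and both traces are assumptions of this example; it shows that timer-regular (coalesced) interrupts earn no credit, while any irregular trace is credited regardless of who determines the gaps.

```c
#include <stdio.h>
#include <stdlib.h>

/* Per-source history, as a delta-based estimator keeps it (names are hypothetical). */
struct timer_state { long last_time, last_delta, last_delta2; };

/* 1-based position of the highest set bit, 0 for x == 0. */
static int fls_long(unsigned long x) { int n = 0; while (x) { n++; x >>= 1; } return n; }

/* Bits credited for one interrupt seen at tick `now`: the smallest of the
 * first-, second- and third-order timing differences bounds the credit. */
static int credit_for_event(struct timer_state *s, long now)
{
    long delta  = now - s->last_time;
    long delta2 = delta - s->last_delta;
    long delta3 = delta2 - s->last_delta2;
    s->last_time = now; s->last_delta = delta; s->last_delta2 = delta2;

    delta = labs(delta); delta2 = labs(delta2); delta3 = labs(delta3);
    if (delta > delta2) delta = delta2;
    if (delta > delta3) delta = delta3;

    int bits = fls_long((unsigned long)delta >> 1);
    return bits > 11 ? 11 : bits;          /* cap per event */
}

/* Total credit for a trace, ignoring the first three events (history warm-up). */
static int credit_for_trace(const long *t, size_t n)
{
    struct timer_state s = {0, 0, 0};
    int total = 0;
    for (size_t i = 0; i < n; i++) {
        int b = credit_for_event(&s, t[i]);
        if (i >= 3) total += b;
    }
    return total;
}

/* Constructed traces (ticks). COALESCED: interrupt mitigation delivers one
 * interrupt every 250 ticks under load. IRREGULAR: uneven gaps; the estimator
 * cannot tell whether they come from physical noise or from a remote sender. */
static const long COALESCED[] = {1000, 1250, 1500, 1750, 2000, 2250, 2500, 2750};
static const long IRREGULAR[] = {1000, 1137, 1610, 1702, 2391, 2455, 3120, 3333};

int main(void)
{
    printf("coalesced: %d bits\n", credit_for_trace(COALESCED, 8));
    printf("irregular: %d bits\n", credit_for_trace(IRREGULAR, 8));
    return 0;
}
```

The credit measures irregularity of arrival times only; it says nothing about whether another host or VM can observe or shape those times, which is the concern raised in this thread.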

Thread overview: 28+ messages
2009-04-06 18:30 IRQF_SAMPLE_RANDOM question Robin Getz
2009-04-06 18:40 ` Jeff Garzik
2009-04-06 18:44   ` Stephen Hemminger [this message]
2009-04-06 18:49     ` Jeff Garzik
2009-04-07  8:27       ` Jeremy Fitzhardinge
2009-04-06 19:22   ` Robin Getz
2009-04-06 19:00 ` Alan Cox
2009-04-06 19:01 ` Matt Mackall
2009-04-06 22:09   ` Sven-Haegar Koch
2009-04-06 23:35     ` Jeff Garzik
2009-04-07 21:58       ` Robin Getz
2009-04-07 22:25         ` Jeff Garzik
2009-04-07  0:16     ` Matt Mackall
2009-04-07  0:30       ` Jeff Garzik
2009-04-07 11:16   ` Robin Getz
2009-04-07 14:57     ` Matt Mackall
2009-04-07 21:39       ` Chris Peterson
2009-04-07 22:30         ` Robin Getz
2009-04-08 21:53           ` Gilles Espinasse
2009-04-08 23:16             ` Chris Friesen
2009-04-09  4:24               ` Robin Getz
2009-04-07 21:44       ` Robin Getz
2009-04-08 19:51         ` Matt Mackall
2009-04-09 13:54           ` Robin Getz
2009-04-09 17:00             ` Matt Mackall
2009-04-10  0:41               ` Robin Getz
2009-04-10  1:29               ` Chris Peterson
2009-04-10  2:27                 ` Matt Mackall
