From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S932171AbdC1Qsx convert rfc822-to-8bit (ORCPT ); Tue, 28 Mar 2017 12:48:53 -0400 Received: from mail-wm0-f67.google.com ([74.125.82.67]:36307 "EHLO mail-wm0-f67.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752077AbdC1Qsv (ORCPT ); Tue, 28 Mar 2017 12:48:51 -0400 Date: Tue, 28 Mar 2017 19:48:24 +0300 From: Krzysztof Kozlowski To: Stephan =?utf-8?Q?M=C3=BCller?= Cc: PrasannaKumar Muralidharan , Kukjin Kim , Javier Martinez Canillas , Matt Mackall , Herbert Xu , "David S. Miller" , linux-kernel@vger.kernel.org, linux-arm-kernel@lists.infradead.org, linux-samsung-soc@vger.kernel.org, linux-crypto@vger.kernel.org, Bartlomiej Zolnierkiewicz , Arnd Bergmann , Olof Johansson Subject: Re: [PATCH v3 1/3] crypto: hw_random - Add new Exynos RNG driver Message-ID: <20170328164824.3qjaojqzf2riwpqj@kozik-lap> References: <20170325162654.3827-1-krzk@kernel.org> <4479175.Jfq03yCxQW@tauon.atsec.com> <1564458.pWTRdRYEuG@positron.chronox.de> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: 8BIT In-Reply-To: <1564458.pWTRdRYEuG@positron.chronox.de> User-Agent: Mutt/1.6.2-neo (2016-08-21) Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, Mar 27, 2017 at 03:53:03PM +0200, Stephan Müller wrote: > Am Montag, 27. März 2017, 06:23:11 CEST schrieb PrasannaKumar Muralidharan: > > Hi PrasannaKumar, > > > > Oh my, if you are right with your first guess, this is a bad DRNG design. > > > > > > Just out of curiousity: what happens if a caller invokes the seed function > > > twice or more times (each time with the sufficient amount of bits)? What > > > is > > > your guess here? > > > > Should the second seed use the random data generated by the device? > > A DRNG should be capable of processing an arbitrary amount of seed data. It > may be the case that the seed data must be processed in chunks though. > As I said, I do not know the implementation details about hardware. They are just not disclossed. > That said, it may be the case that after injecting one chunk of seed the > currently discussed RNG simply needs to generate a random number to process > the input data before another seed can be added. But that is pure speculation. > > But I guess that can be easily tested: inject a known seed into the DRNG, > generate a random number, inject the same seed again and again generate a > random number. If both are identical (which I do not hope), then the internal > state is simply overwritten (strange DRNG design). > > A similar test can be made to see whether a larger set of seed simply > overwrites the state or is really processed. > > 1. seed > 2. generate random data > 3. reset > 4. seed with anther seed > 5. generate random data > 6. reset > 7. seed with same data from 1 > 8. seed with same data from 2 > 9. generate random data > > If data from 9 is identical to 2, then additional seed data is discarded -> > bad design. If data from 9 is identical to 5, then the additional data > overwrites the initial data -> bad DRNG design. If data from 9 neither matches > 2 or 5, then all seed is taken -> good design. I tested a little bit and: 1. Seeding with some value 2. generating random, 3. kcapi_rng_destroy+kcrng_init, (I cannot do a hardware reset except reboot of entire system) 4. seeding with the same value as in (1) - different random numbers. Doing a system reboot and repeating above - different random numbers (all are different: step (2) and in (4)). Your test case also produces different random values every time. Best regards, Krzysztof