From: "Austin S. Hemmelgarn" <ahferroin7@gmail.com>
To: Tomas Mraz <tmraz@redhat.com>, Stephan Mueller <smueller@chronox.de>
Cc: "Theodore Ts'o" <tytso@mit.edu>, "David Jaša" <djasa@redhat.com>,
"Andi Kleen" <andi@firstfloor.org>,
sandyinchina@gmail.com,
"Jason Cooper" <cryptography@lakedaemon.net>,
"John Denker" <jsd@av8n.com>,
"H. Peter Anvin" <hpa@linux.intel.com>,
"Joe Perches" <joe@perches.com>, "Pavel Machek" <pavel@ucw.cz>,
"George Spelvin" <linux@horizon.com>,
linux-crypto@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH v4 0/5] /dev/random - a new approach
Date: Tue, 21 Jun 2016 13:18:33 -0400 [thread overview]
Message-ID: <e70c9e01-5e48-a26a-d485-ca512c111cbc@gmail.com> (raw)
In-Reply-To: <1466515196.17017.8.camel@redhat.com>
On 2016-06-21 09:19, Tomas Mraz wrote:
> On Út, 2016-06-21 at 09:05 -0400, Austin S. Hemmelgarn wrote:
>> On 2016-06-20 14:32, Stephan Mueller wrote:
>>>
>>> [1] http://www.chronox.de/jent/doc/CPU-Jitter-NPTRNG.pdf
>> Specific things I notice about this:
>> 1. QEMU systems are reporting higher values than almost anything
>> else
>> with the same ISA. This makes sense, but you don't appear to have
>> accounted for the fact that you can't trust almost any of the entropy
>> in
>> a VM unless you have absolute trust in the host system, because the
>> host
>> system can do whatever the hell it wants to you, including
>> manipulating
>> timings directly (with a little patience and some time spent working
>> on
>> it, you could probably get those number to show whatever you want
>> just
>> by manipulating scheduling parameters on the host OS for the VM
>> software).
>
> You have to trust the host for anything, not just for the entropy in
> timings. This is completely invalid argument unless you can present a
> method that one guest can manipulate timings in other guest in such a
> way that _removes_ the inherent entropy from the host.
When dealing with almost any type 2 hypervisor, it is fully possible for
a user other than the one running the hypervisor to manipulate
scheduling such that entropy is reduced. This does not imply that the
user who is doing this has any other control over the target VM, and
importantly, often does not require administrative access on the host,
only regular user access. Such an attack is very difficult to effect
outside of a clean-room environment, but is still possible. You can't
use this to force generation of arbitrary data, but you can definitely
starve a VM for entropy. By nature, something that relies on interrupt
timings will be more impacted by such an attack than something that does
not.
In most cases, such an attack will be a DoS attack on the host as well
(as that's the simplest way to do this). This is less of an issue with
proper practices on a type 1 hypervisor, but is still possible there too
(although pulling this off on at least Xen when you have proper VCPU
isolation is functionally impossible without administrative access to
the control domain).
next prev parent reply other threads:[~2016-06-21 18:24 UTC|newest]
Thread overview: 33+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-05-31 18:37 [PATCH v4 0/5] /dev/random - a new approach Stephan Mueller
2016-05-31 18:37 ` [PATCH v4 1/5] crypto: DRBG - externalize DRBG functions for LRNG Stephan Mueller
2016-05-31 18:38 ` [PATCH v4 2/5] random: conditionally compile code depending on LRNG Stephan Mueller
2016-05-31 18:39 ` [PATCH v4 3/5] crypto: Linux Random Number Generator Stephan Mueller
2016-05-31 18:39 ` [PATCH v4 4/5] crypto: LRNG - enable compile Stephan Mueller
2016-05-31 18:39 ` [PATCH v4 5/5] random: add interrupt callback to VMBus IRQ handler Stephan Mueller
2016-05-31 22:34 ` [PATCH v4 0/5] /dev/random - a new approach George Spelvin
2016-06-15 16:17 ` David Jaša
2016-06-15 16:58 ` Stephan Mueller
2016-06-17 13:56 ` David Jaša
2016-06-17 15:26 ` Sandy Harris
2016-06-18 8:22 ` Stephan Mueller
2016-06-18 8:21 ` Stephan Mueller
2016-06-18 14:44 ` Theodore Ts'o
2016-06-18 16:31 ` Stephan Mueller
2016-06-20 17:07 ` Austin S. Hemmelgarn
2016-06-20 18:32 ` Stephan Mueller
2016-06-21 13:05 ` Austin S. Hemmelgarn
2016-06-21 13:19 ` Tomas Mraz
2016-06-21 17:18 ` Austin S. Hemmelgarn [this message]
2016-06-21 17:23 ` Stephan Mueller
2016-06-21 17:54 ` Austin S. Hemmelgarn
2016-06-21 18:05 ` Stephan Mueller
2016-06-21 13:20 ` Stephan Mueller
2016-06-21 17:51 ` Austin S. Hemmelgarn
2016-06-21 18:04 ` Stephan Mueller
2016-06-21 19:31 ` Austin S. Hemmelgarn
2016-06-22 5:16 ` Stephan Mueller
2016-06-22 12:54 ` Austin S. Hemmelgarn
2016-06-22 13:25 ` Stephan Mueller
2016-06-21 13:42 ` Pavel Machek
2016-06-21 17:17 ` Austin S. Hemmelgarn
2016-06-21 12:25 ` David Jaša
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=e70c9e01-5e48-a26a-d485-ca512c111cbc@gmail.com \
--to=ahferroin7@gmail.com \
--cc=andi@firstfloor.org \
--cc=cryptography@lakedaemon.net \
--cc=djasa@redhat.com \
--cc=hpa@linux.intel.com \
--cc=joe@perches.com \
--cc=jsd@av8n.com \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux@horizon.com \
--cc=pavel@ucw.cz \
--cc=sandyinchina@gmail.com \
--cc=smueller@chronox.de \
--cc=tmraz@redhat.com \
--cc=tytso@mit.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).