From: Matt Mackall <mpm@selenic.com>
To: Jason Cooper <jason@lakedaemon.net>
Cc: Kees Cook <keescook@chromium.org>, Theodore Ts'o <tytso@mit.edu>,
	LKML <linux-kernel@vger.kernel.org>,
	Herbert Xu <herbert@gondor.apana.org.au>,
	Rusty Russell <rusty@rustcorp.com.au>,
	Satoru Takeuchi <satoru.takeuchi@gmail.com>,
	linux-crypto <linux-crypto@vger.kernel.org>,
	Andrew Morton <akpm@linux-foundation.org>
Subject: Re: [PATCH][RESEND 3] hwrng: add randomness to system from rng sources
Date: Wed, 05 Mar 2014 18:52:27 -0600
Message-ID: <1394067147.17842.45.camel@calx>
In-Reply-To: <20140305211145.GV1872@titan.lakedaemon.net>

On Wed, 2014-03-05 at 16:11 -0500, Jason Cooper wrote:
> > In other words, if there are 4096 bits of "unknownness" in X to start
> > with, and I can get those same 4096 bits of "unknownness" back by
> > unmixing X' and Y, then there must still be 4096 bits of "unknownness"
> > in X'. If X' is 4096 bits long, then we've just proven that
> > reversibility means the attacker can know nothing about the contents of
> > X' by his choice of Y.
> 
> Well, this reinforces my comfortability with loadable modules.  The pool
> is already initialized by the point at which the driver is loaded.
> 
> Unfortunately, any of the drivers in hw_random can be built in.  When
> built in, hwrng_register is going to be called during the kernel
> initialization process.  In that case, the unknownness in X is not 4096
> bits, but far less.  Also, the items that may have seeded X (MAC addr,
> time, etc) are discoverable by a potential attacker.  This is also well
> before random-seed has been fed in.

To which I would respond.. so?

If the pool is in an attacker-knowable state at early boot, adding
attacker-controlled data does not make the situation any worse. In fact,
if the attacker has less-than-perfect control of the inputs, mixing more
things in will make things exponentially harder for the attacker.

Put another way: mixing can't ever remove unknownness from the pool, it
can only add more. So the only reason you should ever choose not to mix
something into the pool is performance.

-- 
Mathematics is the supreme nostalgia of our time.
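The argument quoted and restated above rests on one property: the mixing step is invertible, so X can be recovered from (X', Y) no matter which Y the attacker picks. The following Python model, added here as an illustration and not part of the thread or of the kernel's own pool code, makes that concrete on a constructed 8-bit toy pool. `mix_invertible`, `unmix`, `mix_lossy` and the 4-bits-unknown early-boot distribution are all constructed for the demonstration. It computes the unknownness of the pool (min-entropy and Shannon entropy) before mixing and after the worst attacker-chosen Y, for an invertible mix and, by contrast, for a lossy mix, which is where the reversibility premise would fail.

```python
"""Toy model of 'mixing attacker-controlled data cannot reduce pool unknownness'
when the mix is invertible. Everything here is constructed for illustration;
it is not the kernel's random pool code."""
import math
from collections import Counter

POOL_BITS = 8                       # constructed toy pool width
MASK = (1 << POOL_BITS) - 1


def rotl(v, r):
    """Rotate an 8-bit value left by r bits."""
    return ((v << r) | (v >> (POOL_BITS - r))) & MASK


def mix_invertible(x, y):
    """Toy invertible mix: XOR in y, then a fixed rotation (a bijection on x for any y)."""
    return rotl(x ^ y, 3)


def unmix(xp, y):
    """Inverse of mix_invertible: undo the rotation, then XOR y back out."""
    return rotl(xp, POOL_BITS - 3) ^ y


def mix_lossy(x, y):
    """Toy NON-invertible mix: bitwise AND. Distinct x values can collide."""
    return x & y


def is_invertible(mix, inverse):
    """Check over the whole toy domain that inverse(mix(x, y), y) == x for every x, y."""
    return all(inverse(mix(x, y), y) == x
               for x in range(1 << POOL_BITS) for y in range(1 << POOL_BITS))


def shannon_entropy(dist):
    return -sum(p * math.log2(p) for p in dist.values() if p > 0)


def min_entropy(dist):
    """Worst-case guessability: -log2 of the most likely pool state."""
    return -math.log2(max(dist.values()))


def push_forward(dist, y, mix):
    """Distribution of X' = mix(X, y) when X is drawn from dist and y is fixed."""
    out = Counter()
    for x, p in dist.items():
        out[mix(x, y)] += p
    return dict(out)


def worst_case_entropy(dist, mix, measure=min_entropy):
    """Smallest unknownness an attacker can force by choosing y."""
    return min(measure(push_forward(dist, y, mix)) for y in range(1 << POOL_BITS))


def early_boot_pool():
    """Constructed 'early boot' state: upper nibble is attacker-discoverable
    (think: derived from a MAC address), only the low 4 bits are unknown."""
    states = [0xA0 | i for i in range(16)]
    return {s: 1.0 / len(states) for s in states}


if __name__ == "__main__":
    pool = early_boot_pool()
    print("invertible mix round-trips:", is_invertible(mix_invertible, unmix))
    print("pool min-entropy before mixing:", min_entropy(pool))
    print("worst-case min-entropy, invertible mix:",
          worst_case_entropy(pool, mix_invertible))
    print("worst-case min-entropy, lossy mix:",
          worst_case_entropy(pool, mix_lossy))
```

With the invertible mix the attacker's best choice of Y leaves the 4 bits of unknownness untouched, exactly as the quoted argument says; with the lossy AND mix, Y = 0 collapses the pool to a single known state. The kernel's pool mixing is designed so that the first case applies; the second is shown only to make clear which property the argument depends on.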
