From: "Jörn Engel" <joern@logfs.org>
To: Andi Kleen <andi@firstfloor.org>
Cc: "Theodore Ts'o" <tytso@mit.edu>, "H. Peter Anvin" <hpa@zytor.com>,
lkml <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH] random: mix all saved registers into entropy pool
Date: Tue, 20 May 2014 16:08:03 -0400 [thread overview]
Message-ID: <20140520200803.GA22308@logfs.org> (raw)
In-Reply-To: <8761l0r6nc.fsf@tassilo.jf.intel.com>
On Tue, 20 May 2014 05:12:07 -0700, Andi Kleen wrote:
> Jörn Engel <joern@logfs.org> writes:
> >
> > An alternate high-resolution timer is the register content at the time
> > of an interrupt.
>
> So if you interrupt a cryptographic function you may hash in parts
> of the key?
Yes. And if there was an efficient way to deduce random generator
inputs, that would be a new side channel attack. An efficient way to
deduce random generator inputs would allow many other attacks as well.
I don't know of such an attack nor can I conceive it being possible
under normal circumstances.
There are of course two exceptions. If the attacker can read
arbitrary kernel memory - and therefore could read the private key
directly. And if there is so little entropy that an attacker can
enumerate all possible states of the random generator and read enough
random numbers to exclude most of those states.
The second case also allows for many more interesting attacks and is
exactly the sort of hole I want to plug with this patch.
I think leaking of private keys or similar information is not a
concern. But please prove me wrong. Better you now than someone else
later.
Jörn
--
When in doubt, punt. When somebody actually complains, go back and fix it...
The 90% solution is a good thing.
-- Rob Landley
next prev parent reply other threads:[~2014-05-20 20:09 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-05-19 21:17 [PATCH] random: mix all saved registers into entropy pool Jörn Engel
2014-05-19 21:23 ` Jörn Engel
2014-05-19 22:18 ` H. Peter Anvin
2014-05-19 22:39 ` Jörn Engel
2014-05-19 23:05 ` H. Peter Anvin
2014-05-19 23:18 ` Jörn Engel
2014-05-20 12:12 ` Andi Kleen
2014-05-20 20:08 ` Jörn Engel [this message]
2014-05-21 19:39 ` Andi Kleen
2014-05-21 20:29 ` Jörn Engel
2014-05-21 20:38 ` Jörn Engel
2014-06-04 23:17 ` Jörn Engel
2014-06-10 16:14 ` Theodore Ts'o
2014-06-11 0:10 ` Jörn Engel
2014-06-11 15:27 ` Theodore Ts'o
2014-06-12 20:25 ` Jörn Engel
2014-06-12 20:05 ` Jörn Engel
-- strict thread matches above, loose matches on Subject: below --
2014-02-02 20:36 [PATCH,RFC] random: collect cpu randomness Jörn Engel
2014-02-03 15:50 ` Jörn Engel
2014-02-03 16:37 ` Theodore Ts'o
2014-02-03 18:48 ` Jörn Engel
2014-03-23 18:00 ` [PATCH] random: mix all saved registers into entropy pool Jörn Engel
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20140520200803.GA22308@logfs.org \
--to=joern@logfs.org \
--cc=andi@firstfloor.org \
--cc=hpa@zytor.com \
--cc=linux-kernel@vger.kernel.org \
--cc=tytso@mit.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.