Re: TPMs and random numbers

All of lore.kernel.org
 help / color / mirror / Atom feed

From: "H. Peter Anvin" <hpa@zytor.com>
To: "Theodore Ts'o" <tytso@mit.edu>,
	Andy Lutomirski <luto@amacapital.net>,
	Jeff Garzik <jgarzik@pobox.com>,
	David Safford <safford@us.ibm.com>,
	Leonidas Da Silva Barbosa <leosilva@linux.vnet.ibm.com>,
	Ashley Lai <ashley@ashleylai.com>,
	Rajiv Andrade <mail@srajiv.net>,
	Marcel Selhorst <tpmdd@selhorst.net>,
	Sirrix AG <tpmdd@sirrix.com>,
	Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
	Kent Yoder <key@linux.vnet.ibm.com>,
	David Safford <safford@watson.ibm.com>,
	Mimi Zohar <zohar@us.ibm.com>,
	"Johnston, DJ" <dj.johnston@intel.com>
Subject: Re: TPMs and random numbers
Date: Wed, 11 Sep 2013 13:44:57 -0700	[thread overview]
Message-ID: <5230D649.3090608@zytor.com> (raw)
In-Reply-To: <20130911202831.GC13397@thunk.org>

On 09/11/2013 01:28 PM, Theodore Ts'o wrote:
> On Wed, Sep 11, 2013 at 12:25:48PM -0700, H. Peter Anvin wrote:
>> This of course has been a long-running debate.  Similarly, we could
>> make much better use of RDRAND if instead of doing data reduction in
>> rngd we could feed it to the pool and just credit fractional bits.
>> The FIPS tests that rngd runs are weak and obsoleted, but perhaps
>> better than nothing (now when we don't shut down rngd due to false
>> positives.)
> 
> /dev/urandom is using RDRAND already, and that's what most of the
> applications which are generating ssh host keys, session keys, etc.,
> are using.
> 
> /dev/random is using RDRAND as well, but we're not giving any entropy
> credit, so it will take longer to get the necessary randomness to
> generate a GPG key.
> 

We're using RDRAND in two ways: in the kernel, we're "washing" the pool
output with it (with the notion that we'll always get the best of both
worlds) -- we don't give any entropy credit for that.

We are also using RDRAND with the architecturally required 512:1 data
reduction in rngd, to produce "creditable entropy".  This is in part
because rngd doesn't really have a way to deal with fractional entropy,
in the light of FIPS tests and all (which don't make sense anyway for
postconditioned output, from RDRAND, TPM or any other similar source.)

One could thus posit that it would make more sense for that type of
source to feed the kernel entropy pools directly from a kernel thread
rather than taking a trip to user space.  In the case of RDRAND
specifically, a kernel thread or similar could feed RDRAND to the pools
and credit 1/512 of the data volume as entropy.  Since the factor of 512
is an architectural lower bound (and *very* conservative) it would be
better to let the pool system do the data reduction than doing it in
userspace.

Now, I'm pretty sure that some cryptographers are very unhappy about the
fact that we use a linear operation to do the pool insertion mixing.  I
personally am not qualified to say to what extent that is an actual problem.

	-hpa

next prev parent reply	other threads:[~2013-09-11 20:50 UTC|newest]

Thread overview: 20+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2013-09-11 17:22 TPMs and random numbers David Safford
2013-09-11 17:49 ` Andy Lutomirski
2013-09-11 18:45   ` Theodore Ts'o
2013-09-11 19:06     ` Jeff Garzik
2013-09-11 19:08       ` Andy Lutomirski
2013-09-11 19:25         ` H. Peter Anvin
2013-09-11 20:28           ` Theodore Ts'o
2013-09-11 20:44             ` H. Peter Anvin [this message]
2013-09-11 18:47   ` David Safford
2013-09-12 21:57     ` Jörn Engel
2013-09-12 23:38       ` Andy Lutomirski
2013-09-12 23:39       ` Jeff Garzik
2013-09-12 22:13         ` Jörn Engel
2013-09-12 23:51           ` Andy Lutomirski
2013-09-12 22:23             ` Jörn Engel
2013-09-13  2:13               ` Theodore Ts'o
2013-09-13  2:22                 ` Jörn Engel
2013-09-11 22:08   ` Johnston, DJ
  -- strict thread matches above, loose matches on Subject: below --
2013-09-09 21:11 H. Peter Anvin
2013-09-11  1:50 ` Andy Lutomirski

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=5230D649.3090608@zytor.com \
    --to=hpa@zytor.com \
    --cc=ashley@ashleylai.com \
    --cc=dj.johnston@intel.com \
    --cc=jgarzik@pobox.com \
    --cc=key@linux.vnet.ibm.com \
    --cc=leosilva@linux.vnet.ibm.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=luto@amacapital.net \
    --cc=mail@srajiv.net \
    --cc=safford@us.ibm.com \
    --cc=safford@watson.ibm.com \
    --cc=tpmdd@selhorst.net \
    --cc=tpmdd@sirrix.com \
    --cc=tytso@mit.edu \
    --cc=zohar@us.ibm.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.