From: "H. Peter Anvin" <hpa@zytor.com>
To: "Theodore Ts'o" <tytso@mit.edu>,
Linux Kernel Developers List <linux-kernel@vger.kernel.org>,
linux-crypto@vger.kernel.org
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Subject: Re: [PATCH] random: limit the contribution of the hw rng to at most half
Date: Thu, 17 Jul 2014 16:33:36 -0700 [thread overview]
Message-ID: <53C85D50.5040901@zytor.com> (raw)
In-Reply-To: <20140717220806.GW1491@thunk.org>
On 07/17/2014 03:08 PM, Theodore Ts'o wrote:
>
> There was another complaint more recently, that wasn't related to
> nordrand. And I was rather disturbed that in
> add_interrupt_randomness() 97% of the entropy was coming from RDSEED.
> I'm willing to have some of the entropy come from RDSEED by default,
> but 97% seems to really way too much.
>
OK, the that formula was Linus' suggestion.
> And the emergency refill code in random_read() was extremely
> problematic. First of all, we're dropping 512 bytes on the stack,
> which is kind of bad, but hopefully all of the code paths which call
> random_read() won't have a terribly deep stack.
512 bytes is fine here (1K would possibly not have been.)
> Secondly, even after the emergency refill, we block anyway.
Not unless we don't get any data back. For a nonzero return we loop
back to extract_entropy_user().
> Remember, regardless of whether or not you believe (as a former head
> of NSA's technology directorate recently claimed) that the DUAL-EC p
> and q were generated using NSA's standard high-quality HW RNG system
> which they use to generate all of their crypto variables, or (as the
> NIST advisory panel has recently concluded) that it was highly likely
> that DUAL-EC was backdoored, it's the optics that matter, because
> those of us without top-drawer SI security clearances can't prove
> things one way or another.
Dual-EC was also heavily criticized by the civilian cryptographic
community since at least 2006.
> And when 99.95% of the entropy when reading large quantities of keying
> material from /dev/random is coming from RDSEED, that just has
> terrible, terrible optics....
I just want to make sure we don't negatively impact the real security of
users because of "optics". We already have a lot of problems with
people extracting long-living keys from /dev/urandom because /dev/random
is too slow.
I have no objection to the khwrngd route -- in fact, as you know, I have
been heavily encouraging the development of khwrngd with exactly this in
mind -- but it is just an issue of timing.
-hpa
next prev parent reply other threads:[~2014-07-17 23:33 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-07-17 10:03 [PATCH] random: limit the contribution of the hw rng to at most half Theodore Ts'o
2014-07-17 17:39 ` H. Peter Anvin
2014-07-17 22:08 ` Theodore Ts'o
2014-07-17 23:33 ` H. Peter Anvin [this message]
2014-07-18 6:23 ` Theodore Ts'o
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=53C85D50.5040901@zytor.com \
--to=hpa@zytor.com \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=torvalds@linux-foundation.org \
--cc=tytso@mit.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.