From: "H. Peter Anvin" <hpa@zytor.com>
To: Matt Mackall <mpm@selenic.com>
Cc: Jarod Wilson <jarod@redhat.com>,
linux-crypto@vger.kernel.org,
"Venkatesh Pallipadi (Venki)" <venki@google.com>,
Thomas Gleixner <tglx@linutronix.de>, Ingo Molnar <mingo@elte.hu>,
John Stultz <johnstul@us.ibm.com>,
Herbert Xu <herbert@gondor.hengli.com.au>,
"David S. Miller" <davem@davemloft.net>,
Steve Grubb <sgrubb@redhat.com>,
Fenghua Yu <fenghua.yu@intel.com>
Subject: Re: [PATCH 0/5] Feed entropy pool via high-resolution clocksources
Date: Sat, 18 Jun 2011 15:40:50 -0700 [thread overview]
Message-ID: <4DFD2972.7020603@zytor.com> (raw)
In-Reply-To: <1308342487.15617.552.camel@calx>
On 06/17/2011 01:28 PM, Matt Mackall wrote:
>>
>> The one use case that it is cryptographically insufficient for is to
>> seed a new PRNG, which probably means it is unsuitable for being fed
>> as-is into /dev/random.
>
> The thing to understand about the input side of /dev/random is that it's
> COMPLETELY immune to untrusted data. So there's absolutely no harm in
> sending it data of questionable entropy so long as you don't tell it to
> account it. And, of course, if it DOES contain entropy, it makes things
> better.
>
> Think of it this way: I have a coin in my pocket. You, the attacker,
> tell me to flip it. You can do that any number of times and not improve
> your guess about the coin's state over your initial guess. This is what
> it means to have a reversible mixing function: no number of iterations
> reduces the degrees of freedom of the pool.
>
What I meant is that it is unsuitable to *bypass the pool* for
/dev/random. I think we can -- and almost certainly should -- use
RDRAND on the input side; we just have to figure out the accounting.
However, RDRAND is high enough quality (and high enough bandwidth) that
it should be not just possible but desirable to completely bypass the
pool system for /dev/urandom users and pull straight from the RDRAND
instruction. I don't actually know what the exact numbers look like,
but the stall conditions being looked at are of the order of "every core
in the socket trying to execute RDRAND at the same time."
-hpa
--
H. Peter Anvin, Intel Open Source Technology Center
I work for Intel. I don't speak on their behalf.
next prev parent reply other threads:[~2011-06-18 22:44 UTC|newest]
Thread overview: 46+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-06-13 22:06 [PATCH 0/5] Feed entropy pool via high-resolution clocksources Jarod Wilson
2011-06-13 22:06 ` [PATCH 1/5] random: add new clocksource entropy interface Jarod Wilson
2011-06-13 22:06 ` [PATCH 2/5] clocksource: add support for entropy-generation function Jarod Wilson
2011-06-17 20:52 ` Thomas Gleixner
2011-06-17 21:19 ` Jarod Wilson
2011-06-13 22:06 ` [PATCH 3/5] hpet: wire up entropy generation function Jarod Wilson
2011-06-13 22:06 ` [PATCH 4/5] tsc: " Jarod Wilson
2011-06-13 22:27 ` Venkatesh Pallipadi
2011-06-13 22:35 ` Jarod Wilson
2011-06-13 22:36 ` H. Peter Anvin
2011-06-13 23:10 ` Matt Mackall
2011-06-14 18:11 ` H. Peter Anvin
2011-06-14 0:39 ` Kent Borg
2011-06-14 1:47 ` H. Peter Anvin
2011-06-14 12:39 ` Kent Borg
2011-06-14 14:33 ` Matt Mackall
2011-06-14 17:48 ` Kent Borg
2011-06-14 18:00 ` Matt Mackall
2011-06-14 20:04 ` Kent Borg
2011-06-14 21:04 ` Matt Mackall
2011-06-14 14:02 ` Jarod Wilson
2011-06-13 23:55 ` Kent Borg
2011-06-17 20:58 ` Thomas Gleixner
2011-06-13 22:06 ` [PATCH 5/5] misc: add clocksource-based entropy generation driver Jarod Wilson
2011-06-17 21:01 ` Thomas Gleixner
2011-06-13 22:38 ` [PATCH 0/5] Feed entropy pool via high-resolution clocksources john stultz
2011-06-14 14:25 ` Jarod Wilson
2011-06-13 23:15 ` Matt Mackall
2011-06-14 15:18 ` Jarod Wilson
2011-06-14 15:22 ` Jarod Wilson
2011-06-14 17:13 ` Matt Mackall
2011-06-14 20:17 ` Jarod Wilson
2011-06-14 21:45 ` Matt Mackall
2011-06-14 22:51 ` Jarod Wilson
2011-06-14 23:12 ` Matt Mackall
2011-06-15 14:49 ` Jarod Wilson
2011-06-15 20:06 ` Matt Mackall
2011-06-17 18:51 ` Jarod Wilson
2011-06-17 19:29 ` Neil Horman
2011-06-17 20:46 ` Matt Mackall
2011-06-17 19:48 ` hpas
2011-06-17 20:28 ` Matt Mackall
2011-06-18 22:40 ` H. Peter Anvin [this message]
2011-06-19 13:38 ` Neil Horman
2011-06-19 15:07 ` Herbert Xu
2011-06-20 0:01 ` H. Peter Anvin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4DFD2972.7020603@zytor.com \
--to=hpa@zytor.com \
--cc=davem@davemloft.net \
--cc=fenghua.yu@intel.com \
--cc=herbert@gondor.hengli.com.au \
--cc=jarod@redhat.com \
--cc=johnstul@us.ibm.com \
--cc=linux-crypto@vger.kernel.org \
--cc=mingo@elte.hu \
--cc=mpm@selenic.com \
--cc=sgrubb@redhat.com \
--cc=tglx@linutronix.de \
--cc=venki@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).