From: Corentin LABBE <clabbe.montjoie@gmail.com>
To: Sandy Harris <sandyinchina@gmail.com>
Cc: linux-crypto@vger.kernel.org
Subject: Re: Testing the PRNG driver of the Allwinner Security System A20
Date: Thu, 03 Jul 2014 08:57:22 +0200
Message-ID: <53B4FED2.7000109@gmail.com>
In-Reply-To: <CACXcFmmSWP1MAAzX0A1jVoCNdex9EoJ50S9zdDgf-WuiwjSA5w@mail.gmail.com>
On 07/03/14 01:06, Sandy Harris wrote:
> On Tue, Jul 1, 2014 at 7:14 AM, Corentin LABBE
> <clabbe.montjoie@gmail.com> wrote:
>
>> I am writing the PRNG driver for the Allwinner Security System SoC A20.
>
> The datasheet my search turned up (v1, Feb. 2013) just says: "160-bit
> hardware PRNG with 192-bit seed" and gives no other details. Do you
> have more info, perhaps from a more recent version or talking to the
> company?
The datasheet I used gives some register info, just enough for having some "random" number out of the device.
>
>> I didn't know how to test it, so ...
>
> Unless you have much more info, I see no point in enabling it or
> writing a driver. You need a true hardware RNG to seed it, so you need
> random(4) /dev/random anyway and can just use /dev/urandom for PRNG
> requirements.
>
> Using this device might have an advantage if it is much faster or less
> resource-hungry than urandom, but I see nothing in its documentation
> that indicates it is. Anyway, do your applications need that? And, if
> so, would an application-specific PRNG be better yet?
>
> Then there is the crucial question of trusting the device. Kerckhoffs' Principle
> (http://en.citizendium.org/wiki/Kerckhoffs%27_Principle)
> has been a maxim for cryptographers since the 19th century; no-one
> should even consider trusting it until full design details are made
> public and reviewed.
>
> Even then, there might be serious doubts, since hardware can be very
> subtly sabotaged and an RNG is a tempting target for an intelligence
> agency.
> (http://arstechnica.com/security/2013/09/researchers-can-slip-an-undetectable-trojan-into-intels-ivy-bridge-cpus/)
> That article discusses Intel and the NSA, but similar worries apply
> elsewhere. Allwinner is a fabless company, so you also need to worry
> about whatever fab they use.
>
The question of trusting is the reason that my preliminary driver made the PRNG optional and I think the next version will be without it.
But for people who do not care (or do not have a real RNG requirement), the output speed is better than /dev/urandom.
Here is a comparison of the output speed of rng-test:
with /dev/urandom
rngtest: input channel speed: (min=623.523; avg=17402.670; max=3906250.000)Kibits/s
with /dev/hwrng and ss-rng/sunxi-ss loaded
rngtest: input channel speed: (min=1.193; avg=113.604; max=4768.372)Mibits/s
So an average speed gain of x5.
Apart from trusting, are the results of rng-test good enough?
Thanks for your answer
Regards
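As an added example that is not part of the thread, the following script parses the two rngtest "input channel speed" lines quoted in the message above, normalises both to bits/s using the binary prefixes rngtest prints (Ki = 2^10, Mi = 2^20), and recomputes the average gain; the prefix table and the regular expression are assumptions about rngtest's output format.

```python
import re

# The two rngtest speed lines as posted in this message (used here as sample input).
URANDOM_LINE = "rngtest: input channel speed: (min=623.523; avg=17402.670; max=3906250.000)Kibits/s"
HWRNG_LINE = "rngtest: input channel speed: (min=1.193; avg=113.604; max=4768.372)Mibits/s"

# rngtest prints binary prefixes; assumption: only none/Ki/Mi/Gi ever appear.
_PREFIX = {"": 1, "Ki": 2**10, "Mi": 2**20, "Gi": 2**30}
_SPEED_RE = re.compile(
    r"rngtest: input channel speed: "
    r"\(min=(?P<min>[\d.]+); avg=(?P<avg>[\d.]+); max=(?P<max>[\d.]+)\)"
    r"(?P<prefix>Ki|Mi|Gi)?bits/s"
)


def parse_speed(line):
    """Return (min, avg, max) in bits/s for an rngtest speed line, or None if it is some other line."""
    m = _SPEED_RE.search(line)
    if m is None:
        return None
    scale = _PREFIX[m.group("prefix") or ""]
    return tuple(float(m.group(k)) * scale for k in ("min", "avg", "max"))


def speed_gain(baseline_line, candidate_line):
    """Ratio of the candidate's average speed to the baseline's, after normalising both to bits/s."""
    base = parse_speed(baseline_line)
    cand = parse_speed(candidate_line)
    if base is None or cand is None:
        raise ValueError("not an rngtest input channel speed line")
    return cand[1] / base[1]


if __name__ == "__main__":
    print("average speed gain: x%.2f" % speed_gain(URANDOM_LINE, HWRNG_LINE))
```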