From: "H. Peter Anvin" <hpa@zytor.com>
To: "Theodore Ts'o" <tytso@mit.edu>,
Linux Kernel Developers List <linux-kernel@vger.kernel.org>,
linux-crypto@vger.kernel.org
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Subject: Re: [PATCH] random: limit the contribution of the hw rng to at most half
Date: Thu, 17 Jul 2014 16:33:36 -0700 [thread overview]
Message-ID: <53C85D50.5040901@zytor.com> (raw)
In-Reply-To: <20140717220806.GW1491@thunk.org>
On 07/17/2014 03:08 PM, Theodore Ts'o wrote:
>
> There was another complaint more recently, that wasn't related to
> nordrand. And I was rather disturbed that in
> add_interrupt_randomness() 97% of the entropy was coming from RDSEED.
> I'm willing to have some of the entropy come from RDSEED by default,
> but 97% seems to really way too much.
>
OK, the that formula was Linus' suggestion.
> And the emergency refill code in random_read() was extremely
> problematic. First of all, we're dropping 512 bytes on the stack,
> which is kind of bad, but hopefully all of the code paths which call
> random_read() won't have a terribly deep stack.
512 bytes is fine here (1K would possibly not have been.)
> Secondly, even after the emergency refill, we block anyway.
Not unless we don't get any data back. For a nonzero return we loop
back to extract_entropy_user().
> Remember, regardless of whether or not you believe (as a former head
> of NSA's technology directorate recently claimed) that the DUAL-EC p
> and q were generated using NSA's standard high-quality HW RNG system
> which they use to generate all of their crypto variables, or (as the
> NIST advisory panel has recently concluded) that it was highly likely
> that DUAL-EC was backdoored, it's the optics that matter, because
> those of us without top-drawer SI security clearances can't prove
> things one way or another.
Dual-EC was also heavily criticized by the civilian cryptographic
community since at least 2006.
> And when 99.95% of the entropy when reading large quantities of keying
> material from /dev/random is coming from RDSEED, that just has
> terrible, terrible optics....
I just want to make sure we don't negatively impact the real security of
users because of "optics". We already have a lot of problems with
people extracting long-living keys from /dev/urandom because /dev/random
is too slow.
I have no objection to the khwrngd route -- in fact, as you know, I have
been heavily encouraging the development of khwrngd with exactly this in
mind -- but it is just an issue of timing.
-hpa
next prev parent reply other threads:[~2014-07-17 23:33 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-07-17 10:03 [PATCH] random: limit the contribution of the hw rng to at most half Theodore Ts'o
2014-07-17 17:39 ` H. Peter Anvin
2014-07-17 22:08 ` Theodore Ts'o
2014-07-17 23:33 ` H. Peter Anvin [this message]
2014-07-18 6:23 ` Theodore Ts'o
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=53C85D50.5040901@zytor.com \
--to=hpa@zytor.com \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=torvalds@linux-foundation.org \
--cc=tytso@mit.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).