Re: [PATCH 07/10] random: add new get_random_bytes_arch() function

[Matt Mackall <mpm@selenic.com>]

On Thu, 2012-07-05 at 11:35 -0700, Linus Torvalds wrote:
> If Intel's rng really isn't trustworthy, they'll get a *huge* black
> eye for it. It would be a total PR disaster for Intel, so they have
> huge incentives to be trustworthy.

Just like the huge black eye that _every major US telecom company_ got
when they got caught colluding with the NSA to spy on Americans in
obvious violation of US law? You'll recall that it was such a *huge* PR
disaster... that they're all still doing it today(!), that Congress
retroactively changed the law(!), and that the whistleblower was
indicted for espionage(!).

I agree that Intel's hardware is very probably not backdoored, but
that's simply not a standard by which threats should be measured in this
field. Treating a backdoor scenario as outside the realm of possibility
based on appeals to reputation given such obvious, massive, and recent
precedent to the contrary is... not a typical security mindset, to put
it mildly.

Lastly, note that it would take a single well-placed engineer to insert
the backdoor, by just masking out some parts of the AES data path. No
collusion by Intel at a corporate level is actually even necessary.

Generating random bytes is not so performance critical that you should
trade all protection from potential threats for Gbps of throughput. 
By all means, USE the HWRNG's output, but not raw. Mix it with other
entropy sources first.

-- 
Mathematics is the supreme nostalgia of our time.