From: David Safford <safford@us.ibm.com>
To: Andy Lutomirski <luto@amacapital.net>
Cc: "H. Peter Anvin" <hpa@zytor.com>,
Leonidas Da Silva Barbosa <leosilva@linux.vnet.ibm.com>,
Ashley Lai <ashley@ashleylai.com>,
Rajiv Andrade <mail@srajiv.net>,
Marcel Selhorst <tpmdd@selhorst.net>,
Sirrix AG <tpmdd@sirrix.com>,
Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
Jeff Garzik <jgarzik@pobox.com>, "Ted Ts'o" <tytso@mit.edu>,
Kent Yoder <key@linux.vnet.ibm.com>,
David Safford <safford@watson.ibm.com>,
Mimi Zohar <zohar@us.ibm.com>,
"Johnston, DJ" <dj.johnston@intel.com>
Subject: Re: TPMs and random numbers
Date: Wed, 11 Sep 2013 13:22:48 -0400 [thread overview]
Message-ID: <1378920168.26698.64.camel@localhost> (raw)
>On 09/09/2013 02:11 PM, H. Peter Anvin wrote:
>> It recently came to my attention that there are no standards whatsoever
>> for random number generated by TPMs. In fact, there *are* TPMs where
>> random numbers are generated by an encrypted nonvolatile counter (I do
>> not know which ones); this is apparently considered acceptable for the
>> uses of random numbers that TPMs produce.
The TPM specifications have extensive RNG requirements, and most
major vendors do certify their RNG implementations to FIPS 140-2.
The current 1.2 spec has three pages of detailed RNG requirements.
Even the earliest spec (1.1b from 2002) required FIPS 140-1
compliant power-on self tests of the RNG, and since 2006 the specs
have required full FIPS 140-2 RNG compliance for FIPS mode.
Back when TPMs were first added to Thinkpads, I did extensive
testing of TPM RNG outputs, including start up entropy, and found
them to be an excellent source. There may well be bad TPMs out
there (I've heard rumors too), but I haven't run into one.
>> There are two issues with this from a Linux point of view. One, we
>> harvest supposed entropy from the TPM for /dev/*random use via
>> /dev/hwrng and rngd. This was something I originally proposed because
>> on a lot of platforms it is the only available entropy source with any
>> significant bandwidth. However, in light of the above it is
>> questionable at best, at least with entropy being credited.
>
>Presumably the "entropy" should be mixed in but not credited to the
>available entropy.
>
>> The other issue is that we use tpm_get_random() *directly* in
>> security/keys/trusted.c.
>
>I don't know whether this makes sense, but all but one call seem to be
>related to TPM transactions -- breaking the TPM's RNG won't have any
>effects beyond, say, breaking the TPM's SRK.
>
>The one that looks dangerous is the one just under case Opt_new: it's
>using tpm_get_random to create an encryption key *that's used by the
>kernel for software crypto*. That's IMO bogus.
>
>--Andy
Conversely, other /dev/random sources can be slow to build entropy,
particularly in embedded systems (see
https://www.usenix.org/system/files/conference/usenixsecurity12/sec12-final228.pdf)
As author of trusted.c, I think that there are advantages and
disadvantages to the different random sources. Trusted keys
already depend on the quality of TPM private keys generated
from the TPM RNG, so trusting the same RNG for symmetric key
generation seems reasonable. Several embedded systems I have
looked at are _really_ bad at gathering entropy, so the TPM,
seems a reasonably safe and convenient default.
dave
next reply other threads:[~2013-09-11 17:23 UTC|newest]
Thread overview: 20+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-09-11 17:22 David Safford [this message]
2013-09-11 17:49 ` TPMs and random numbers Andy Lutomirski
2013-09-11 18:45 ` Theodore Ts'o
2013-09-11 19:06 ` Jeff Garzik
2013-09-11 19:08 ` Andy Lutomirski
2013-09-11 19:25 ` H. Peter Anvin
2013-09-11 20:28 ` Theodore Ts'o
2013-09-11 20:44 ` H. Peter Anvin
2013-09-11 18:47 ` David Safford
2013-09-12 21:57 ` Jörn Engel
2013-09-12 23:38 ` Andy Lutomirski
2013-09-12 23:39 ` Jeff Garzik
2013-09-12 22:13 ` Jörn Engel
2013-09-12 23:51 ` Andy Lutomirski
2013-09-12 22:23 ` Jörn Engel
2013-09-13 2:13 ` Theodore Ts'o
2013-09-13 2:22 ` Jörn Engel
2013-09-11 22:08 ` Johnston, DJ
-- strict thread matches above, loose matches on Subject: below --
2013-09-09 21:11 H. Peter Anvin
2013-09-11 1:50 ` Andy Lutomirski
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1378920168.26698.64.camel@localhost \
--to=safford@us.ibm.com \
--cc=ashley@ashleylai.com \
--cc=dj.johnston@intel.com \
--cc=hpa@zytor.com \
--cc=jgarzik@pobox.com \
--cc=key@linux.vnet.ibm.com \
--cc=leosilva@linux.vnet.ibm.com \
--cc=linux-kernel@vger.kernel.org \
--cc=luto@amacapital.net \
--cc=mail@srajiv.net \
--cc=safford@watson.ibm.com \
--cc=tpmdd@selhorst.net \
--cc=tpmdd@sirrix.com \
--cc=tytso@mit.edu \
--cc=zohar@us.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).