public inbox for linux-kernel@vger.kernel.org
From: "Ted Ts'o" <tytso@mit.edu>
To: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Matt Mackall <mpm@selenic.com>,
	"H. Peter Anvin" <hpa@linux.intel.com>,
	"H. Peter Anvin" <hpa@zytor.com>, Ingo Molnar <mingo@elte.hu>,
	Thomas Gleixner <tglx@linutronix.de>,
	Fenghua Yu <fenghua.yu@intel.com>,
	Herbert Xu <herbert@gondor.hengli.com.au>,
	Jeff Garzik <jgarzik@pobox.com>,
	linux-kernel@vger.kernel.org
Subject: Re: [PATCH 1/2] random: Add support for architectural random hooks
Date: Sat, 30 Jul 2011 18:25:49 -0400
Message-ID: <20110730222549.GL7361@thunk.org>
In-Reply-To: <CA+55aFwjx=E5fpO=gfx0ugPE2Cgd_NOtw1Kx52pbg4aQEgshRg@mail.gmail.com>

On Sat, Jul 30, 2011 at 09:29:18AM -1000, Linus Torvalds wrote:
> The fact is, even if you worry about some back door for the NSA, or
> some theoretical lack of perfect 32-bit randomness, we can pretty much
> depend on it. We still do our own hashing on top of whatever entropy
> we get out of rdrand, and we would still have all our other stuff.
> Plus the instruction is public and testable - if Intel did something
> wrong, they'll be *very* embarrassed.

Technically speaking, if Intel and the NSA were colluding together in
a competent way, we'd never know; it's not something that could be
tested.  Intel could have implemented an incrementing counter which was
initialized to some randomness, which was then encrypted by some NSA
secret algorithm with a secret key known only to the NSA.  We'd never
know, but it would be enough of a backdoor for the NSA to do what they
need to know.  The only way it could leak out is via the human
channel; if someone was upset enough about it that they send the
algorithm and secret key to wikileaks.

But yeah, we can definitely depend on it if it is hashed into the pool
and it's on top of everything else that we do.  And it's all a matter
of how paranoid you want to be.  If you are working for government,
where the NSA is by definition one of the good guys, then using rdrand
directly is completely not a problem.  If you are working for any
other government agency, you'd probably want to mix it into a
random pool just to feel better about implicitly trusting Intel.

So I agree with Linus here.

						- Ted
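The construction Ted sketches above (a counter seeded with randomness, then encrypted under an algorithm and key only the designer knows) and the mitigation he and Linus agree on (hash the output into the pool together with everything else) modelled in Python. This is an added example, not code from this thread or from the kernel's random.c. The 64-bit Feistel cipher with an HMAC-SHA256 round function stands in for the hypothetical "secret algorithm"; the key, the initial counter value and the "other entropy" bytes are all constructed for the demonstration.

```python
"""Toy model of a keyed-counter RNG backdoor and of hashing its output into a pool.

Added example; not from the LKML thread or the kernel.  The cipher below is a
hypothetical 4-round Feistel network over 64-bit blocks whose round function is
HMAC-SHA256; it plays the role of the designer's secret keyed permutation.
"""
import hashlib
import hmac
import struct

MASK32 = 0xFFFFFFFF
MASK64 = 0xFFFFFFFFFFFFFFFF
ROUNDS = 4


def _round(key: bytes, rnd: int, half: int) -> int:
    """Keyed round function F_k(rnd, half) -> 32-bit value."""
    msg = struct.pack(">BI", rnd, half)
    return int.from_bytes(hmac.new(key, msg, hashlib.sha256).digest()[:4], "big")


def feistel_encrypt(key: bytes, block: int) -> int:
    """(L, R) -> (R, L xor F(R)) for each round; a keyed 64-bit permutation."""
    left, right = block >> 32, block & MASK32
    for rnd in range(ROUNDS):
        left, right = right, left ^ _round(key, rnd, right)
    return (left << 32) | right


def feistel_decrypt(key: bytes, block: int) -> int:
    """Inverse of feistel_encrypt: run the rounds backwards."""
    left, right = block >> 32, block & MASK32
    for rnd in reversed(range(ROUNDS)):
        left, right = right ^ _round(key, rnd, left), left
    return (left << 32) | right


class BackdooredRdrand:
    """'Hardware' RNG that emits E_k(counter) and increments the counter.

    Without the key the stream is a pseudorandom permutation of a counter and
    passes ordinary statistical tests; with the key every future word is fixed.
    """

    def __init__(self, key: bytes, initial_counter: int):
        self._key = key
        self._counter = initial_counter & MASK64   # "initialized to some randomness"

    def read(self) -> int:
        out = feistel_encrypt(self._key, self._counter)
        self._counter = (self._counter + 1) & MASK64
        return out


def predict_next(key: bytes, observed: int, count: int) -> list:
    """Key holder's attack: decrypt one observed word to recover the counter,
    then encrypt the following counter values to predict the next outputs."""
    counter = feistel_decrypt(key, observed)
    return [feistel_encrypt(key, (counter + i) & MASK64) for i in range(1, count + 1)]


def mix_into_pool(pool_state: bytes, rdrand_word: int, other_entropy: bytes) -> bytes:
    """Mitigation discussed in the thread: never use the word directly; hash it
    into the pool alongside whatever other entropy the kernel has collected."""
    return hashlib.sha256(pool_state + struct.pack(">Q", rdrand_word) + other_entropy).digest()


def demo():
    key = b"designer-secret-key"                    # constructed; known only to the designer
    rng = BackdooredRdrand(key, 0x1234567890ABCDEF)  # constructed initial counter
    first = rng.read()
    actual = [rng.read() for _ in range(3)]
    predicted = predict_next(key, first, 3)
    raw_predictable = actual == predicted

    # Even with perfect knowledge of the RDRAND words, the attacker cannot
    # reproduce the pool output without the other entropy that was mixed in.
    pool = b"\x00" * 32
    attacker_guess = mix_into_pool(pool, predicted[0], b"")
    kernel_output = mix_into_pool(pool, actual[0], b"constructed-timer-jitter-bytes")
    return raw_predictable, attacker_guess != kernel_output


if __name__ == "__main__":
    print(demo())
```

The point of the model is the asymmetry Ted describes: a tester without the key sees a permutation of a counter and has nothing to distinguish, while the key holder needs a single output word to recover the counter and predict the rest of the stream. Hashing the word into the pool with independent entropy takes that prediction away unless the attacker also controls or observes the other inputs.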


Thread overview: 36+ messages
2011-07-29 20:37 [RFD] Direct support for the x86 RDRAND instruction H. Peter Anvin
2011-07-29 20:37 ` [PATCH 1/2] random: Add support for architectural random hooks H. Peter Anvin
2011-07-29 21:16   ` Matt Mackall
2011-07-30  6:20     ` Linus Torvalds
2011-07-30 16:34       ` Arjan van de Ven
2011-07-30 17:45       ` Matt Mackall
2011-07-30 18:20         ` Linus Torvalds
2011-07-30 19:13           ` Matt Mackall
2011-07-30 19:29             ` Linus Torvalds
2011-07-30 22:25               ` Ted Ts'o [this message]
2011-07-31  1:13   ` Linus Torvalds
2011-07-31  1:32     ` H. Peter Anvin
2011-07-31  1:43       ` Linus Torvalds
2011-07-31 21:26         ` [PATCH v3 0/3] Add support for architectural random number generator H. Peter Anvin
2011-07-31 21:26           ` [PATCH v3 1/3] random: Add support for architectural random hooks H. Peter Anvin
2011-07-31 21:26           ` [PATCH v3 2/3] x86, random: Architectural inlines to get random integers with RDRAND H. Peter Anvin
2011-07-31 21:26           ` [PATCH v3 3/3] x86, random: Verify RDRAND functionality and allow it to be disabled H. Peter Anvin
2011-08-05 12:00           ` [PATCH v3 0/3] Add support for architectural random number generator Herbert Xu
2011-08-05 16:28             ` H. Peter Anvin
2011-08-06  0:09               ` Herbert Xu
2011-07-29 20:37 ` [PATCH 2/2] x86, random: " H. Peter Anvin
2011-07-29 21:05 ` [RFD] Direct support for the x86 RDRAND instruction Jeff Garzik
2011-07-29 21:17   ` H. Peter Anvin
2011-07-30  6:03   ` Linus Torvalds
2011-07-30 22:26 ` [PATCH v2 0/2] Add support for architectural random number generator H. Peter Anvin
2011-07-30 22:26   ` [PATCH v2 1/2] random: Add support for architectural random hooks H. Peter Anvin
2011-07-30 22:26   ` [PATCH v2 2/2] x86, random: Add support for architectural random number generator H. Peter Anvin
  -- strict thread matches above, loose matches on Subject: below --
2011-07-30 23:46 [PATCH 1/2] random: Add support for architectural random hooks George Spelvin
2011-07-31  0:29 ` Linus Torvalds
2011-07-31  0:58   ` George Spelvin
2011-07-31  1:02 ` Bryan Donlan
2011-07-31  1:35   ` Linus Torvalds
2011-07-31  2:02     ` Bryan Donlan
2011-07-31  2:42       ` Henrique de Moraes Holschuh
2011-07-31  3:17         ` Bryan Donlan
2011-07-31  4:33       ` Linus Torvalds
