Re: early x86 unseeded randomness

public inbox for linux-kernel@vger.kernel.org
 help / color / mirror / Atom feed

From: Willy Tarreau <w@1wt.eu>
To: "Theodore Ts'o" <tytso@mit.edu>, Borislav Petkov <bp@alien8.de>,
	Linus Torvalds <torvalds@linux-foundation.org>,
	x86-ml <x86@kernel.org>, "Jason A. Donenfeld" <Jason@zx2c4.com>,
	lkml <linux-kernel@vger.kernel.org>
Subject: Re: early x86 unseeded randomness
Date: Tue, 15 Aug 2017 08:44:37 +0200	[thread overview]
Message-ID: <20170815064437.GA1986@1wt.eu> (raw)
In-Reply-To: <20170815013124.2afytkibspxrikdn@thunk.org>

Hi Ted,

On Mon, Aug 14, 2017 at 09:31:24PM -0400, Theodore Ts'o wrote:
> The real fix is to do what OpenBSD does, which is to teach the
> bootloader (e.g., grub) to read from some file such as
> /var/lib/urandom/random-seed, and then to have the init scripts
> overwrite it with a new set of entropy generated from getrandom(2) as
> early as possible.
> 
> It won't solve the CD-ROM install problem (although there is enough
> entropy during the install process that after the install is done, we
> should be fine, and again, *hopefully* the distro people won't be
> stupid enough to generate high-value keys during the installation
> process, or certainly not early in the installation process).  But it
> does solve most of the problem.

In my opinion what matters is to combine multiple sources of entropy. I
remember in the good old days when I was coding under DOS, I used to
build my own random numbers using a phase detection method, counting
the time it takes for the RTC to switch to the next second, similar to
this :

  rand:
     xor edx, edx
     mov al, 0
     out 70h, al
     in al, 71h
     mov ah, al
  count:
     inc edx
     in al, 71h
     cmp al, ah
     jz count
     mov eax, edx
     ret

Nowadays we could use similar methods using RDTSC providing more accurate
counting. This doesn't provide a lot of entropy of course, given that a
2 GHz machine will at most count 31 bits there. But I tend to think that
what matters during early boot is to transform something highly predictable
into something unlikely to be predicted (ie: an exploit having to scan 2^31
possible addresses will not be really usable). It's also possible to do the
same with the PIT0 counter ticking at 18.2 Hz without any correlation with
the RTC by the way, and roughly provide 25 more bits. And if you expect
that the BIOS has emitted a 800 Hz beep at boot, you could still have a
divider of 1491 in PIT2 providing 10 more bits, though with a bit of
correlation with PIT0 since they use the same 1.19 MHz source. These
methods increase the boot time by up to one second though, but my point
here is that when you have nothing it's always a bit better.

Willy

next prev parent reply	other threads:[~2017-08-15  6:45 UTC|newest]

Thread overview: 25+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2017-08-14 17:35 early x86 unseeded randomness Borislav Petkov
2017-08-14 17:47 ` Linus Torvalds
2017-08-14 18:00   ` Borislav Petkov
2017-08-14 18:17     ` Linus Torvalds
2017-08-14 19:00       ` Borislav Petkov
2017-08-15  1:31         ` Theodore Ts'o
2017-08-15  6:44           ` Willy Tarreau [this message]
2017-08-15  7:42             ` Ingo Molnar
2017-08-15  8:01               ` Willy Tarreau
2017-08-15  8:05                 ` Ingo Molnar
2017-08-15 12:09                   ` Theodore Ts'o
2017-08-15 13:26                     ` Willy Tarreau
2017-08-15 10:47               ` Thomas Gleixner
2017-08-15 13:45                 ` Borislav Petkov
2017-08-15 13:48                   ` Thomas Gleixner
2017-08-15 14:25                     ` Theodore Ts'o
2017-08-15 14:42                       ` Thomas Gleixner
2017-08-15 15:26                         ` Borislav Petkov
2017-08-15 17:37                         ` Thomas Gleixner
2017-08-16  3:35                           ` Theodore Ts'o
2017-08-16  9:13                             ` Thomas Gleixner
2017-08-16  9:56                               ` Will Deacon
2017-08-16  3:21                         ` Theodore Ts'o
2017-08-15 15:24                     ` Borislav Petkov
2017-08-15 12:48               ` Michael Ellerman

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20170815064437.GA1986@1wt.eu \
    --to=w@1wt.eu \
    --cc=Jason@zx2c4.com \
    --cc=bp@alien8.de \
    --cc=linux-kernel@vger.kernel.org \
    --cc=torvalds@linux-foundation.org \
    --cc=tytso@mit.edu \
    --cc=x86@kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox