From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-2.3 required=3.0 tests=HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,USER_AGENT_SANE_1 autolearn=no autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 413E8C10F14 for ; Mon, 7 Oct 2019 00:05:33 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 1CF962084B for ; Mon, 7 Oct 2019 00:05:33 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726307AbfJGAF3 (ORCPT ); Sun, 6 Oct 2019 20:05:29 -0400 Received: from mga12.intel.com ([192.55.52.136]:28126 "EHLO mga12.intel.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726269AbfJGAF3 (ORCPT ); Sun, 6 Oct 2019 20:05:29 -0400 X-Amp-Result: UNKNOWN X-Amp-Original-Verdict: FILE UNKNOWN X-Amp-File-Uploaded: False Received: from orsmga002.jf.intel.com ([10.7.209.21]) by fmsmga106.fm.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 06 Oct 2019 17:05:28 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.67,265,1566889200"; d="scan'208";a="204904213" Received: from mwebb1-mobl.ger.corp.intel.com (HELO localhost) ([10.251.93.103]) by orsmga002.jf.intel.com with ESMTP; 06 Oct 2019 17:05:22 -0700 Date: Mon, 7 Oct 2019 03:05:20 +0300 From: Jarkko Sakkinen To: "Safford, David (GE Global Research, US)" Cc: Mimi Zohar , "Wiseman, Monty (GE Global Research, US)" , "linux-integrity@vger.kernel.org" , "stable@vger.kernel.org" , David Howells , Herbert Xu , "David S. Miller" , "open list:ASYMMETRIC KEYS" , "open list:CRYPTO API" , open list Subject: Re: [PATCH] KEYS: asym_tpm: Switch to get_random_bytes() Message-ID: <20191007000520.GA17116@linux.intel.com> References: <20190926171601.30404-1-jarkko.sakkinen@linux.intel.com> <1570024819.4999.119.camel@linux.ibm.com> <20191003114119.GF8933@linux.intel.com> <1570107752.4421.183.camel@linux.ibm.com> <20191003175854.GB19679@linux.intel.com> <1570128827.5046.19.camel@linux.ibm.com> <20191004182711.GC6945@linux.intel.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: Organization: Intel Finland Oy - BIC 0357606-4 - Westendinkatu 7, 02160 Espoo User-Agent: Mutt/1.10.1 (2018-07-13) Sender: stable-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: stable@vger.kernel.org On Fri, Oct 04, 2019 at 07:56:01PM +0000, Safford, David (GE Global Research, US) wrote: > > > From: linux-integrity-owner@vger.kernel.org > owner@vger.kernel.org> On Behalf Of Jarkko Sakkinen > > Sent: Friday, October 4, 2019 2:27 PM > > Subject: EXT: Re: [PATCH] KEYS: asym_tpm: Switch to get_random_bytes() > > > > If you are able to call tpm_get_random(), the driver has already registered > > TPN as hwrng. With this solution you fail to follow the principle of defense in > > depth. If the TPM random number generator is compromissed (has a bug) > > using the entropy pool will decrease the collateral damage. > > And if the entropy pool has a bug or is misconfigured, you lose everything. > That does not sound like defense in depth to me. In the real world > I am not aware of a single instance of RNG vulnerability on a TPM. > I am directly aware of several published vulnerabilities in embedded systems > due to a badly ported version of the kernel random pool. In addition, > the random generator in a TPM is hardware isolated, and less likely to be > vulnerable to side channel or memory manipulation errors. The TPM > RNG is typically FIPS certified. The use of the TPM RNG was a deliberate > design choice in trusted keys. Hmm... so is RDRAND opcode FIPS certified. Kernel has the random number generator for two reasons: 1. To protect against bugs in hwrng's. 2. To protect against deliberate backdoors in hwrng's. How TPM RNG is guaranteed to protect against both 1 and 2? If I would agree what you say, that'd be argument against using kernel random number generator *anywhere* in the kernel. Even with the entropy issues it is least worst thing to use for key generations for better or worse. /Jarkko