Received: by 2002:ac0:a5a7:0:0:0:0:0 with SMTP id m36-v6csp113759imm; Tue, 17 Jul 2018 22:11:10 -0700 (PDT) X-Google-Smtp-Source: AAOMgpd7DNSw2CE/I5C6VtHUUSBG9CSfpi2Ufd388VhHPHp8V2x8iEd9IdD4fAA8UkE9/Zyq9q4l X-Received: by 2002:a63:1126:: with SMTP id g38-v6mr4300715pgl.122.1531890670199; Tue, 17 Jul 2018 22:11:10 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1531890670; cv=none; d=google.com; s=arc-20160816; b=Imwvt8aeZTbGJc1avoriPdwhu9RT5QNpAWW1O29YOWRm+cg/U9DcR68eBDc05y1rID F1c1lywM887rJMfTx81oX8yWdnQN4TNv92LHlwCj2Td3t7i2QHDgqq6aYb6HFJk8uzpf kZiFRd8Ri02S8VyADMyGOuFUUcGRKMiEP5dcQyQUi/k7QNrM3GeoYxx0vZSK0ry4ovDH jwauuY2zq50mEB72wBx7tw2sVV34LBWUFhJcNB5jW3frRRtQzSHzP1dJ+ixJBG2WfLoy tvKKfLFm0VUpcKa2QqjhJL6Ye1CJQNtYpkoWC969MiKSSLun4Ssxm6euHSl56m+VyR2f /dCQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding :content-language:in-reply-to:mime-version:user-agent:date :message-id:from:references:cc:to:subject:dkim-signature :arc-authentication-results; bh=5K9tPEqAy8PZSrCoKX62EWhTeQINIW/ixDh0w3IobDE=; b=GLwFxGxzMDLEdYxcaof2K4x8NSxQUxVni/rHJQRN9yRDMNrI3z7Tc02mtM1NatrZGU tLAdV5ZCVdbnmQDGIdH0h0tzW8+kTVL6G5rerRLbBbjdeeO4itjiKB0ix1Xve/QBSFe/ Ecb3ntK2Y2CJgRqrZQAlyi6RPjYlzIRLuj4dWjq9l0h28z2JSc23I5EfuW2UV/EAFXXY fpcDul6JoYH/hxrhHbMW8L+JptSZ9yqm3gl8C8YSsE4SJhOZDblSwXU2X/L+sgiS8AVz duijKgEiETYRQTygd+KlwrlWRcCejG+Lhm+9HQsGqAESTbEi4LUgr25JYFiS+oNztbd9 QmHA== ARC-Authentication-Results: i=1; mx.google.com; dkim=fail header.i=@infradead.org header.s=merlin.20170209 header.b=l0e8rHQu; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id z18-v6si2570594pgg.332.2018.07.17.22.10.55; Tue, 17 Jul 2018 22:11:10 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=fail header.i=@infradead.org header.s=merlin.20170209 header.b=l0e8rHQu; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726514AbeGRFpS (ORCPT + 99 others); Wed, 18 Jul 2018 01:45:18 -0400 Received: from merlin.infradead.org ([205.233.59.134]:59038 "EHLO merlin.infradead.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725728AbeGRFpS (ORCPT ); Wed, 18 Jul 2018 01:45:18 -0400 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=infradead.org; s=merlin.20170209; h=Content-Transfer-Encoding:Content-Type: In-Reply-To:MIME-Version:Date:Message-ID:From:References:Cc:To:Subject:Sender :Reply-To:Content-ID:Content-Description:Resent-Date:Resent-From: Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help: List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=5K9tPEqAy8PZSrCoKX62EWhTeQINIW/ixDh0w3IobDE=; b=l0e8rHQuQwSpo70mt0TOfu3Jxy 8Idx71eVQRtvjiRy66i19WpvFEMq1CpZs2gHQAUgX9IxGGWhktN/TyplkoCkF/m0B7rVLbpsDQEBR diXA+MlfYR8GxoPQ+x2lUijgE+FpTXEJRszxmFOM5MXEV/UkRbRsX+0Vngjl7msBck0/yG/SD2Prm eEcSECKTW4d/G5shTpBBbU9r5+oV7f/iKVF19Oh+0QVSzfQkFj4L4jPzNjNrk9SfquSF5FZJmUvZz IyPhCZrwEhaZwFbUxENRJt01NHYjp0pFptnlBRFOked0xX+aVDcfoDPyI4eWE6nHdv1Rodajd61b+ pjAE9CDQ==; Received: from static-50-53-52-16.bvtn.or.frontiernet.net ([50.53.52.16] helo=dragon.dunlab) by merlin.infradead.org with esmtpsa (Exim 4.90_1 #2 (Red Hat Linux)) id 1ffeiB-0007Zt-0B; Wed, 18 Jul 2018 05:09:15 +0000 Subject: Re: [PATCH] random: add a config option to trust the CPU's hwrng To: Theodore Ts'o , linux-crypto@vger.kernel.org, Linux Kernel Developers List Cc: labbott@redhat.com References: <20180718014344.1309-1-tytso@mit.edu> From: Randy Dunlap Message-ID: Date: Tue, 17 Jul 2018 22:09:10 -0700 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.9.1 MIME-Version: 1.0 In-Reply-To: <20180718014344.1309-1-tytso@mit.edu> Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 7bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 07/17/2018 06:43 PM, Theodore Ts'o wrote: > This gives the user building their own kernel (or a Linux > distribution) the option of deciding whether or not to trust the CPU's > hardware random number generator (e.g., RDRAND for x86 CPU's) as being > correctly implemented and not having a back door introduced (perhaps > courtesy of a Nation State's law enforcement or intelligence > agencies). > > This will prevent getrandom(2) from blocking, if there is a > willingness to trust the CPU manufacturer. > > Signed-off-by: Theodore Ts'o > --- > > I'm not sure Linux distro's will thank us for this. The problem is > trusting the CPU manfuacturer can be an emotional / political issue. > > For example, assume that China has decided that as a result of the > "death sentence" that the US government threatened to impose on ZTE > after they were caught introducing privacy violating malware on US > comsumers, that they needed to be self-sufficient in their technology > sector, and so they decided the needed to produce their own CPU. > > Even if I were convinced that Intel hadn't backdoored RDRAND (or an > NSA agent backdoored RDRAND for them) such that the NSA had a NOBUS > (nobody but us) capability to crack RDRAND generated numbers, if we > made a change to unconditionally trust RDRAND, then I didn't want the > upstream kernel developers to have to answer the question, "why are > you willing to trust Intel, but you aren't willing to trust a company > owned and controlled by a PLA general?" (Or a company owned and > controlled by one of Putin's Oligarchs, if that makes you feel > better.) > > With this patch, we don't put ourselves in this position --- but we > do put the Linux distro's in this position intead. The upside is it > gives the choice to each person building their own Linux kernel to > decide whether trusting RDRAND is worth it to avoid hangs due to > userspace trying to get cryptographic-grade entropy early in the boot > process. (Note: I trust RDRAND more than I do Jitter Entropy.) > > drivers/char/Kconfig | 14 ++++++++++++++ > drivers/char/random.c | 11 ++++++++++- > 2 files changed, 24 insertions(+), 1 deletion(-) > > diff --git a/drivers/char/Kconfig b/drivers/char/Kconfig > index 212f447938ae..fe2930c4ecf0 100644 > --- a/drivers/char/Kconfig > +++ b/drivers/char/Kconfig > @@ -554,3 +554,17 @@ config ADI > > endmenu > Hi Ted, In case you go further with this: > +config RANDOM_TRUST_CPU > + bool "Trust the CPU manufacturer to initialize Linux's CRNG" > + depends on (X86 || X86_64 || X86_32 || S390 || PPC) depends on X86 || S390 || PPC should be sufficient. > + default n > + help and all 4 lines above should be indented with one tab instead of spaces. > + Assume that CPU manufacurer (e.g., Intel or AMD for RDSEED or manufacturer > + RDRAND, IBM for the S390 and Power PC architectures) is trustworthy > + for the purposes of initializing Linux's CRNG. Since this is not > + something that can be indepedently audited, this amounts to trusting independently > + that CPU manufacturer (perhaps with the insistance or requirement insistence > + of a Nation State's intelligence or law enforcement agencies) > + has not installed a hidden back door to compromise the CPU's > + random number generation facilities. -- ~Randy