Received: by 2002:a5b:505:0:0:0:0:0 with SMTP id o5csp4189230ybp; Mon, 7 Oct 2019 04:48:52 -0700 (PDT) X-Google-Smtp-Source: APXvYqxHNa7V+v2E9+mZ15QW/4Gpyr2ODNYvtDweE4LSmvR0/14h8VI+5f3XTv2bBN+HlWS5QvtV X-Received: by 2002:a17:906:6d53:: with SMTP id a19mr16061422ejt.332.1570448931905; Mon, 07 Oct 2019 04:48:51 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1570448931; cv=none; d=google.com; s=arc-20160816; b=yLme0+BbxfQ/ksFcTNBPde7hPzNBQV21MbJlAGUDE++9NbntklJ0BWwnbHc02d9Z1G TFLmsrC57kTF6h1NEcmh7XzH7vXoQbKVa816LYVi0BT4gJfdVo529LKb7f2XRSEA4I+U O2yNXQXJF5MyryE/lDJpHFbPBPEPSEsAr4oSTxSHKl3FawFNjPHYr2PammitZJXJcuo9 Wey/swUfG/RxFOyhWg0hc8jYxs1TfSzeizZfaxYMwvUJlYfgcS12WXNjnNMSREXo9dBO GFpbX98XHD/4FXLSe0LahuNyRaJqMvzGOfFBX9fTZxqw4ikvE/Rzd1CAdNbi0RGTFgmY pkCA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date; bh=VYyjtjnR+VUUAUW3bfL5q9BFsj7JzsBnZ1ak1LisVB4=; b=F+HEA2uX4IBBGGG1R2m1aoLD/92B2X9EbKV/6Igjaf7OW/C4KZmUY7mL3R+MR5w3VD LgFGQOD4RGIC5xbuSDGXWz4SqZtxp0Wz1WCQqtq4CIw7Uo7t+6RSR1ksYd10iPXe4NvR 3jQL1x73+EEU9bNNIHMwtZBow3AlUBraYYFXsspxkT+3HTQtaa/5wZ6l+6Oyo9MvU8yM 9cLemQfjUZq/qSsgyR1w0RWezHOjGOy3mSbKcsJBMdocrqxLOH9R2jEq5+odItFMOQpS i1lmeMzJsphZcEzqg1SMMnwoEsZIXil3Ov+PrH5YpcH9gcwkycCuAQpzaKbbu2HNyn9p 9FJg== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id e57si8530844ede.356.2019.10.07.04.48.28; Mon, 07 Oct 2019 04:48:51 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727572AbfJGLsG (ORCPT + 99 others); Mon, 7 Oct 2019 07:48:06 -0400 Received: from outgoing-auth-1.mit.edu ([18.9.28.11]:48527 "EHLO outgoing.mit.edu" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1727395AbfJGLsG (ORCPT ); Mon, 7 Oct 2019 07:48:06 -0400 Received: from callcc.thunk.org (guestnat-104-133-0-98.corp.google.com [104.133.0.98] (may be forged)) (authenticated bits=0) (User authenticated as tytso@ATHENA.MIT.EDU) by outgoing.mit.edu (8.14.7/8.12.4) with ESMTP id x97BlYZx002081 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Mon, 7 Oct 2019 07:47:35 -0400 Received: by callcc.thunk.org (Postfix, from userid 15806) id 6FF0242045A; Mon, 7 Oct 2019 07:47:34 -0400 (EDT) Date: Mon, 7 Oct 2019 07:47:34 -0400 From: "Theodore Y. Ts'o" To: Pavel Machek Cc: Linus Torvalds , Thomas Gleixner , "Ahmed S. Darwish" , LKML , Nicholas Mc Guire , the arch/x86 maintainers , Andy Lutomirski , Kees Cook Subject: Re: x86/random: Speculation to the rescue Message-ID: <20191007114734.GA6104@mit.edu> References: <20191006114129.GD24605@amd> <20191006173501.GA31243@amd> <20191006182103.GA2394@amd> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20191006182103.GA2394@amd> User-Agent: Mutt/1.10.1 (2018-07-13) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Sun, Oct 06, 2019 at 08:21:03PM +0200, Pavel Machek wrote: > Even without cycle counter... if we _know_ we are trying to generate > entropy and have MMC available, we don't care about power and > performance. > > So we can just... > > issue read request on MMC > while (!interrupt_done) > i++ > > ...and then use i++ as poor man's version of cycle counter. I suggest that you try that and see how much uncertainty you really have before you assume that this is actually going to work. Again, on "System on a Chip" systems, there is very likely a single master oscillator, and the eMMC is going to be on the the same silicon die as the CPU. At least for spinning rust platters it's on a physically separate peripheral, and there was a physical claim about how chaotic air turbulence might add enough uncertainty that timing HDD reads could be unpredictable (although note that the paper[1] which claimed this was written 25 years ago, and HDD's have had to get more precise, not less, in order to cram more bits into the same squire millimeter). more.) [1] D. Davis, R. Ihaka, P.R. Fenstermacher, "Cryptographic Randomness from Air Turbulence in Disk Drives", in Advances in Cryptology -- CRYPTO '94 Conference Proceedings, edited by Yvo G. Desmedt, pp.114--120. Lecture Notes in Computer Science #839. Heidelberg: Springer-Verlag, 1994 But for a flash device that is on the same silicon as the CPU, and driven off of the same clock crystal, and where you are doing *reads*, so you can't even depend on SSD GC and uncertainties in programming the flash cell --- I'm going to be dubious. If someone wants to use this as a last ditch hope, then we can let systemd do this, where there's at least a bit more uncertainty in userspace, and maybe you could be doing something useful, like running fsck on the stateful partitions of the system. Ultimately, though, we really want to try to get a hardware RNG, and for that matter, a cryptographic secure element built into these devices, and the sooner we can pound it into CPU manufacturers' heads that not doing this should be professional malpractice, the better. - Ted P.S. Note that this Don Davis's paper[1] claims that they were able to extract 100 independent unpredictable bits per _minute_. Given that modern init scripts want us to be able to boot in under a few seconds, and we need at least 128 independent bits to securely initialize the CRNG, people who think that we can get secure random bits suitable for long-term cryptographic keys (say, such as initializing the host's SSH key) during early boot based only on HDD timings may be a bit.... optimistic. P.P.S. I actually knew Don; he was at MIT Project Athena as a staff member at the same time I was working on Kerberos as my day job, and Linux's e2fsprogs, /dev/random, etc. as a hobby...