Received: by 2002:a05:7412:d1aa:b0:fc:a2b0:25d7 with SMTP id ba42csp1607547rdb; Wed, 31 Jan 2024 04:04:25 -0800 (PST) X-Google-Smtp-Source: AGHT+IFNbaHp8L2tB9qnr6/mnV4Fik1hzlXN+yYzMee3tKN/Jxz0kO3iLkgvk1ZB2zdJ21dnTgXQ X-Received: by 2002:ac8:7e90:0:b0:429:d3a4:ad7a with SMTP id w16-20020ac87e90000000b00429d3a4ad7amr1890248qtj.67.1706702665780; Wed, 31 Jan 2024 04:04:25 -0800 (PST) ARC-Seal: i=2; a=rsa-sha256; t=1706702665; cv=pass; d=google.com; s=arc-20160816; b=AliHppGg2MfZTN4undyTzKviJhzWuIXDNSAhkQVkNBF0YTlPQ7JozcodRNkYLs9iL7 aoKJsy40OFhPmqsyUHYetgAHNmKAq+KCFKSgt/5Lon2b6rN/07lwzaTNMi1n0MCsbaNz hPwy36mAgZEnIwZTvtDObikeXKEUYuvb2jotkq8B39TsRnZ3T6f4ippMtXhXHIubWeIv koBiLiWb7UJDQ6VrteBIUcatakwkRqMt25g8tx6+f7QiQ8skXzg2VeMi2zkxGqRQkEGY WuF4eiBqOZsedEq1gLyCWPZx1c9gGPw9yre+Tis1ASR04s2RH9f96WjyCNKmYnrJp1or tx/Q== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=user-agent:in-reply-to:content-disposition:mime-version :list-unsubscribe:list-subscribe:list-id:precedence:references :reply-to:message-id:subject:cc:to:from:date; bh=ZmevArccWqA4/euqaHlR0fvzMjASs64ap5LFZ9m39p8=; fh=rEKir2KGn3ohGgy3+EUFbzDAcCSE0sjeB/7gSUaVmIU=; b=VzCIqRT6ZEBc/T0mVm5w49IqmXKHwHalEsL54vR1KcUaNQkzyf8GLq9Ok0/hRruvjj 9IvU1gO8VYl/+bf1bWZPvcB4+eFDYtc9l15Zpt7OQ3MxnQi3K3dIbY570nfDNnGeg5qs oZjpXchhv7BUXesEMpIjd3FyoRhCtjXGa53scOrHyHY+6L3ktWAyj+XoBP3Ix39D0kfA igiSAVzUmbIhzBHulvmg4u1ZIj0lVW1v/ng+8P+QrxwYXHObQ1wZ2WHUjUkUwhScIKAG wBybIzvoTJ11iZ3czgzZl9RdIjpgsN8PK+8zRg5yHFEY7/OQQKvNfH2Fvn8ZI1RkhCH4 KU1w==; dara=google.com ARC-Authentication-Results: i=2; mx.google.com; arc=pass (i=1 spf=pass spfdomain=wind.enjellic.com); spf=pass (google.com: domain of linux-kernel+bounces-46396-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45d1:ec00::1 as permitted sender) smtp.mailfrom="linux-kernel+bounces-46396-linux.lists.archive=gmail.com@vger.kernel.org" X-Forwarded-Encrypted: i=1; AJvYcCV+0gMJbz2wEj8a3t3xCxd52sRdqfrdnq0zSVa5ut7IaP628682ntQ6Zmmzi94IcazFqoi7q51e3RgwANEg3+xQ0R4LENr/0NuE8XalBQ== Return-Path: Received: from ny.mirrors.kernel.org (ny.mirrors.kernel.org. [2604:1380:45d1:ec00::1]) by mx.google.com with ESMTPS id f13-20020a05622a1a0d00b0042a5def90casi8941762qtb.59.2024.01.31.04.04.25 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 31 Jan 2024 04:04:25 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel+bounces-46396-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45d1:ec00::1 as permitted sender) client-ip=2604:1380:45d1:ec00::1; Authentication-Results: mx.google.com; arc=pass (i=1 spf=pass spfdomain=wind.enjellic.com); spf=pass (google.com: domain of linux-kernel+bounces-46396-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45d1:ec00::1 as permitted sender) smtp.mailfrom="linux-kernel+bounces-46396-linux.lists.archive=gmail.com@vger.kernel.org" Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ny.mirrors.kernel.org (Postfix) with ESMTPS id 2F63C1C253B9 for ; Wed, 31 Jan 2024 12:04:25 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id B69B77762C; Wed, 31 Jan 2024 12:04:16 +0000 (UTC) Received: from wind.enjellic.com (wind.enjellic.com [76.10.64.91]) by smtp.subspace.kernel.org (Postfix) with ESMTP id 8068071B39 for ; Wed, 31 Jan 2024 12:04:13 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=76.10.64.91 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1706702656; cv=none; b=OtNjzdS/zFx7fXpAXtPWNyElIhb3Iu8/fPbDFQxkgexE/haxckfougOsB7wX6Nus0a/dHYLJzfJZ/oxgi6E87Si0wsOLq5+Xu5hahSb1SbZgrBFQpaAdkddwDNTnRDJcfN7Nu9je/RJizfsqo7uRBgGoSXCkrVLYcLvk79Z55t0= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1706702656; c=relaxed/simple; bh=/0iLm9Atvy/JSiwLXNWauydouf0fB7129/ouQ1lxNas=; h=Date:From:To:Cc:Subject:Message-ID:References:Mime-Version: Content-Type:Content-Disposition:In-Reply-To; b=ns3dbIs+H81xWwfF+SmfWbW4N0SluOH19d9xenDqgwbh//y0/dvnxRNF0PfTOOoev4Kry+q0Y9ZnfJaJPiEl7MSFeC1pzVb7m6t2K3GrjiokfUZ2IBJWGmKXQbQkJSlOC6Znq2TgtNwdxunfulbWfOy9u6a6EKGyCzq5Zi804xY= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=enjellic.com; spf=pass smtp.mailfrom=wind.enjellic.com; arc=none smtp.client-ip=76.10.64.91 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=enjellic.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=wind.enjellic.com Received: from wind.enjellic.com (localhost [127.0.0.1]) by wind.enjellic.com (8.15.2/8.15.2) with ESMTP id 40VBx1Dj007499; Wed, 31 Jan 2024 05:59:01 -0600 Received: (from greg@localhost) by wind.enjellic.com (8.15.2/8.15.2/Submit) id 40VBx0nZ007498; Wed, 31 Jan 2024 05:59:00 -0600 Date: Wed, 31 Jan 2024 05:59:00 -0600 From: "Dr. Greg" To: "Reshetova, Elena" Cc: "Daniel P. Berrang??" , "Jason A. Donenfeld" , "Hansen, Dave" , "Kirill A. Shutemov" , Thomas Gleixner , Ingo Molnar , Borislav Petkov , Dave Hansen , "H. Peter Anvin" , "x86@kernel.org" , "Theodore Ts'o" , Kuppuswamy Sathyanarayanan , "Nakajima, Jun" , Tom Lendacky , "Kalra, Ashish" , Sean Christopherson , "linux-coco@lists.linux.dev" , "linux-kernel@vger.kernel.org" Subject: Re: [PATCH 2/2] x86/random: Issue a warning if RDRAND or RDSEED fails Message-ID: <20240131115900.GA7394@wind.enjellic.com> Reply-To: "Dr. Greg" References: <20240130083007.1876787-1-kirill.shutemov@linux.intel.com> <20240130083007.1876787-2-kirill.shutemov@linux.intel.com> <88a72370-e300-4bbc-8077-acd1cc831fe7@intel.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.4i X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.2.3 (wind.enjellic.com [127.0.0.1]); Wed, 31 Jan 2024 05:59:01 -0600 (CST) On Wed, Jan 31, 2024 at 08:16:56AM +0000, Reshetova, Elena wrote: Good morning, I hope the week is going well for everyone. > > On Tue, Jan 30, 2024 at 06:49:15PM +0100, Jason A. Donenfeld wrote: > > > On Tue, Jan 30, 2024 at 6:32???PM Dave Hansen wrote: > > > > > > > > On 1/30/24 05:45, Reshetova, Elena wrote: > > > > >> You're the Intel employee so you can find out about this with much > > > > >> more assurance than me, but I understand the sentence above to be _way > > > > >> more_ true for RDRAND than for RDSEED. If your informed opinion is, > > > > >> "RDRAND failing can only be due to totally broken hardware" > > > > > No, this is not the case per Intel SDM. I think we can live under a simple > > > > > assumption that both of these instructions can fail not just due to broken > > > > > HW, but also due to enough pressure put into the whole DRBG construction > > > > > that supplies random numbers via RDRAND/RDSEED. > > > > > > > > I don't think the SDM is the right thing to look at for guidance here. > > > > > > > > Despite the SDM allowing it, we (software) need RDRAND/RDSEED failures > > > > to be exceedingly rare by design. If they're not, we're going to get > > > > our trusty torches and pitchforks and go after the folks who built the > > > > broken hardware. > > > > > > > > Repeat after me: > > > > > > > > Regular RDRAND/RDSEED failures only occur on broken hardware > > > > > > > > If it's nice hardware that's gone bad, then we WARN() and try to make > > > > the best of it. If it turns out that WARN() was because of a broken > > > > hardware _design_ then we go sharpen the pitchforks. > > > > > > > > Anybody disagree? > > > > > > Yes, I disagree. I made a trivial test that shows RDSEED breaks easily > > > in a busy loop. So at the very least, your statement holds true only > > > for RDRAND. > > > > > > But, anyway, if the statement "RDRAND failures only occur on broken > > > hardware" is true, then a WARN() in the failure path there presents no > > > DoS potential of any kind, and so that's a straightforward conclusion > > > to this discussion. However, that really hinges on "RDRAND failures > > > only occur on broken hardware" being a true statement. > > > > There's a useful comment here from an Intel engineer > > > > https://web.archive.org/web/20190219074642/https://software.intel.com/en- > > us/blogs/2012/11/17/the-difference-between-rdrand-and-rdseed > > > > "RDRAND is, indeed, faster than RDSEED because it comes > > from a hardware-based pseudorandom number generator. > > One seed value (effectively, the output from one RDSEED > > command) can provide up to 511 128-bit random values > > before forcing a reseed" > > > > We know we can exhaust RDSEED directly pretty trivially. Making your > > test program run in parallel across 20 cpus, I got a mere 3% success > > rate from RDSEED. > > > > If RDRAND is reseeding every 511 values, RDRAND output would have > > to be consumed significantly faster than RDSEED in order that the > > reseed will happen frequently enough to exhaust the seeds. > > > > This looks pretty hard, but maybe with a large enough CPU count > > this will be possible in extreme load ? > > > > So I'm not convinced we can blindly wave away RDRAND failures as > > guaranteed to mean broken hardware. > This matches both my understanding (I do have cryptography > background and understanding how cryptographic RNGs work) and > official public docs that Intel published on this matter. Given > that the physical entropy source is limited anyhow, and by giving > enough pressure on the whole construction you should be able to make > RDRAND fail because if the intermediate AES-CBC MAC extractor/ > conditioner is not getting its min entropy input rate, it wont > produce a proper seed for AES CTR DRBG. Of course exact > details/numbers can wary between different generations of Intel DRNG > implementation, and the platforms where it is running on, so be > careful to sticking to concrete numbers. > > That said, I have taken an AR to follow up internally on what can be > done to improve our situation with RDRAND/RDSEED. But I would still > like to finish the discussion on what people think should be done in > the meanwhile keeping in mind that the problem is not intel > specific, despite us intel people bringing it for public discussion > first. The old saying is still here: "Please don't shoot the > messenger" )) We are actually trying to be open about these things > and create a public discussion. Based on Dave Hansen's comments above, it appears that the COCO community needs to break out the oil and whetstones and hone the tips of their pitchforks.. :-) The positive issue in all of this is that, to date, TDX hardware has not seen significant public availability. I suspect that when that happens, if this problem isn't corrected, there will be the usual flood of papers demonstrating quasi-practical lab attacks that stem from the fruits of a poisonable random number source. The problem reproduces pretty easily, albeit on somewhat dated hardware. One of our lab machines, that reports a model name of 'Intel(R) Core(TM) i5-6500 CPU @ 3.20GHz', shows a consistent failure rate of 65% for RDSEED on a single-threaded test. It gets worse when more simultaneous demand is placed on the hardware randomness source, as was demonstrated elsewhere. Corrupted randomness has the potential to strike pretty deeply into the TDX attestation architecture, given the need to generate signed attestation reports and the SGX/TDX key generation architecture that requires 'wearout protection'. Beyond that, there is the subsequent need to conduct userspace attestation, currently by IMA as I believe is the intent, that in turn requires cryptography with undeniable integrity. At this point, given that all this is about confidentiality, that in turn implies a trusted platform, there is only one option, panic and hard fail the boot if there is any indication that the hardware has not been able to provide sound instruction based randomness. Doing anything else breaks the 'contract' that a user is pushing a workload into a trusted/confidential environment. RDSEED is the root of hardware instruction based randomness and its randomness comes from quantum noise across a diode junction (simplistically). The output of RDSEED drives the AES derived RDRAND randomness. Additional clarification from inside of Intel on this is needed, but the problem would appear to be that the above infrastructure (RDSEED/RDRAND) is part of the 'Uncore' architecture, rather than being core specific. This creates an incestuous relationship across all of the cores sharing a resource, that as in the past, creates security issues. This issue was easily anticipated and foreshadowed by the demonstration of the CVE-2020-0543/CrossTalk vulnerability. If the above interpretion is correct, a full fix should be 'straight forward', for some definition of 'straight forward'... :-) On TDX capable hardare, the RDSEED noise source needs to come from a piece of core specific silicon. If the boot of a TDX VM is core locked, this would create an environment where a socket based sibling adversary would be unable to compromise the root of the randomness source. Once the Linux random number generator is properly seeded, the issue should be over, given that by now, everyone has agreed that a properly initialized Linux RNG cannot 'run out' of randomness. Given that it seems pretty clear that timing and other 'noise' information in a COCO environment can't be trusted, having core specific randomness would be a win for the overall cryptographic health of VM's that are running in a COCO environment. Once again, an attack doesn't need to be practical, only demonstrable. Once demonstrated, faith is lost in the technology, SGX clearly demonstrated that, as did the micro-architectural attacks. Both SGX and TDX operate from the notion of 'you trust Intel and the silicon', so the fix is for Intel to implement a secure silicon based source of randomness. AMD will probably need the same thing. > Best Regards, > Elena. Hopefuly the above is helpful in furthering these discussions. Have a good remainder of the week. As always, Dr. Greg The Quixote Project - Flailing at the Travails of Cybersecurity https://github.com/Quixote-Project