Received: by 2002:a05:7412:bbc7:b0:fc:a2b0:25d7 with SMTP id kh7csp61472rdb; Thu, 1 Feb 2024 01:59:59 -0800 (PST) X-Google-Smtp-Source: AGHT+IH1dAG9NTZ6BBL+P/92VBJwJYg3/BtUtvbNvuTlICZOMWe5yDum5K9j1mDdQmFsBhVRFwQi X-Received: by 2002:a05:6214:1245:b0:686:a202:ee55 with SMTP id r5-20020a056214124500b00686a202ee55mr5165721qvv.28.1706781599588; Thu, 01 Feb 2024 01:59:59 -0800 (PST) ARC-Seal: i=2; a=rsa-sha256; t=1706781599; cv=pass; d=google.com; s=arc-20160816; b=nD3feEgwz0ApSOGA2fqEZoE+l6eOjBmIrK+1dMiI+Upqmfpq/NQDrzMg640WKl0Mt/ g/mJ/YCnCSve3pFqaA0E8W57AkJdO4s7ggzXHYX5TV1II6AND0EaGnDnSfFQweCHT4aA px2bUuzpdsKZV37FokPm7/HvNoN6PLCVQlJFiYy7GlITg95fv9rINUanGcBdMXjojIh8 E//7dyU5FdTQe7m+PHsj1mkjXIawpVeH1PAsPOHLBuKYc29qdTaNm8ydA2oHnX33Nvvn RHB5cKd3RFVVvRAOmP5czoEKwSB6p9ahDMM1+jpZac9Qc9Wch9yYEf8DkpuW9o7JtrQl g7dQ== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=user-agent:in-reply-to:content-disposition:mime-version :list-unsubscribe:list-subscribe:list-id:precedence:references :reply-to:message-id:subject:cc:to:from:date; bh=zuvO6zjtU2JiT+HPfXx6jsAo+NKOxtP5CnkkhEK26kc=; fh=v4jlJD6i8BETOCS52/Sr8wbrH/qLvsrPyJUHbv+qcC0=; b=di/EkXIZWx7iklVKjQ8kRU/9q6e4niI7KdPCU0crQUFtZ2Nt+3OtXmKxGL8E2Hf2By TAlWQ/cC2eAie3lJqzUZoNVeWDZMhp81BSKrWhe9/QSD5yqUTiB+Cb005M3zaalMBU7s ZXwMR4vM5KZwyrLC53bW2E3r24wpbtYsdqfYYhZ9rC7sM9SZzZywsN52sqo/V1UsaC4s ByDUfrqpLSciap1AGiaFK7tKb9LWuIkYs/27vvBVYgzYqO6Eiz7C+RSfnGA5el1Qrfed VJ6OYNxCrjE/Oey5d941NPllh48ppwdHG1+7vBpURGHqvv1lwR9qgNLKIUhbVMEnmudy 94jQ==; dara=google.com ARC-Authentication-Results: i=2; mx.google.com; arc=pass (i=1 spf=pass spfdomain=wind.enjellic.com); spf=pass (google.com: domain of linux-kernel+bounces-47921-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.199.223 as permitted sender) smtp.mailfrom="linux-kernel+bounces-47921-linux.lists.archive=gmail.com@vger.kernel.org" X-Forwarded-Encrypted: i=1; AJvYcCUZKGK7aqJWGm+I4sybH/zClfv55evlO+vFDjK/ctqnmHf0mC5Wazfifnu2znhlLiIi/MqPcN2m+WWLQmy1W3tdfuG4IBqVx4LyS/JhMQ== Return-Path: Received: from ny.mirrors.kernel.org (ny.mirrors.kernel.org. [147.75.199.223]) by mx.google.com with ESMTPS id pn22-20020a056214131600b00680f6edff7dsi14211876qvb.357.2024.02.01.01.59.59 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 01 Feb 2024 01:59:59 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel+bounces-47921-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.199.223 as permitted sender) client-ip=147.75.199.223; Authentication-Results: mx.google.com; arc=pass (i=1 spf=pass spfdomain=wind.enjellic.com); spf=pass (google.com: domain of linux-kernel+bounces-47921-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.199.223 as permitted sender) smtp.mailfrom="linux-kernel+bounces-47921-linux.lists.archive=gmail.com@vger.kernel.org" Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ny.mirrors.kernel.org (Postfix) with ESMTPS id 3AA641C28D7E for ; Thu, 1 Feb 2024 09:59:59 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id E05D81586E4; Thu, 1 Feb 2024 09:59:52 +0000 (UTC) Received: from wind.enjellic.com (wind.enjellic.com [76.10.64.91]) by smtp.subspace.kernel.org (Postfix) with ESMTP id 51B0A4D9F4 for ; Thu, 1 Feb 2024 09:59:50 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=76.10.64.91 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1706781592; cv=none; b=Ij0e9+GwW95NMK8jL7DDuky0GWHSEClUuAayOFAMslZQNSDXIyKT9aV5mYEPm+Y/Z6rKI2ZNJVpIKNUQ+4uvJZ5HZqFsr43oMKEXi/ZuKeblvY/HSInSt8TCQGWqfzO7qKYcMDeWqNkJ+gIWiPMb/xzC2o2WAKs/myvdZDPG0jA= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1706781592; c=relaxed/simple; bh=HpRKshTR53h1WMYXI/4/LpBIWmTwxTMmuHtPn3QrAg4=; h=Date:From:To:Cc:Subject:Message-ID:References:Mime-Version: Content-Type:Content-Disposition:In-Reply-To; b=XHLaQAAdHH7eoWeySvTCc0zCVUUm2QHo/tDFY6CWfr5N1Kl6rzSiF0d7Gxc4p2ACsx+iKFFXq2r8tgAJddaYQxzPCn7+nkkISAeSTENfx9oQAe9Ki68mxlVrePALTy4SlOu2VqjIFgSXxIG/vPa9jx5g5ujGpq6NsWktWwFjDms= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=enjellic.com; spf=pass smtp.mailfrom=wind.enjellic.com; arc=none smtp.client-ip=76.10.64.91 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=enjellic.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=wind.enjellic.com Received: from wind.enjellic.com (localhost [127.0.0.1]) by wind.enjellic.com (8.15.2/8.15.2) with ESMTP id 4119sqmr017945; Thu, 1 Feb 2024 03:54:52 -0600 Received: (from greg@localhost) by wind.enjellic.com (8.15.2/8.15.2/Submit) id 4119sp8g017944; Thu, 1 Feb 2024 03:54:51 -0600 Date: Thu, 1 Feb 2024 03:54:51 -0600 From: "Dr. Greg" To: "Theodore Ts'o" Cc: "Jason A. Donenfeld" , "Reshetova, Elena" , "Daniel P. Berrang??" , "Hansen, Dave" , "Kirill A. Shutemov" , Thomas Gleixner , Ingo Molnar , Borislav Petkov , Dave Hansen , "H. Peter Anvin" , "x86@kernel.org" , Kuppuswamy Sathyanarayanan , "Nakajima, Jun" , Tom Lendacky , "Kalra, Ashish" , Sean Christopherson , "linux-coco@lists.linux.dev" , "linux-kernel@vger.kernel.org" Subject: Re: [PATCH 2/2] x86/random: Issue a warning if RDRAND or RDSEED fails Message-ID: <20240201095451.GA17612@wind.enjellic.com> Reply-To: "Dr. Greg" References: <20240130083007.1876787-2-kirill.shutemov@linux.intel.com> <88a72370-e300-4bbc-8077-acd1cc831fe7@intel.com> <20240131203531.GA12035@wind.enjellic.com> <20240201044735.GC2356784@mit.edu> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20240201044735.GC2356784@mit.edu> User-Agent: Mutt/1.4i X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.2.3 (wind.enjellic.com [127.0.0.1]); Thu, 01 Feb 2024 03:54:53 -0600 (CST) On Wed, Jan 31, 2024 at 11:47:35PM -0500, Theodore Ts'o wrote: > On Wed, Jan 31, 2024 at 02:35:32PM -0600, Dr. Greg wrote: > > I think it would demonstrate a lack of appropriate engineering > > diligence on the part of our community to declare RDRAND 'busted' at > > this point. > > > > While it appeares to be trivially easy to force RDSEED into depletion, > > there does not seem to be a suggestion, at least in the open > > literature, that this directly or easily translates into stalling > > output from RDRAND in any type of relevant adversarial fashion. > > > > If this were the case, given what CVE's seem to be worth on a resume, > > someone would have rented a cloud machine and come up with a POC > > against RDRAND in a multi-tenant environment and then promptly put up > > a web-site called 'Random Starve' or something equally ominous. > I suspect the reason why DOS attacks aren't happening in practice, is > because of concerns over the ability to trust the RDRAND (how do you > prove that the NSA didn't put a backdoor into the hardware with > Intel's acquisence --- after all, the NSA absolutely positively didn't > encourage the kneecaping of WEP and absolutely didn't put a trapdoor > into DUAL_EC_DRBG...) since it can not externally audited and verfied > by a third party, in contrast to the source code for the /dev/random > driver or the RNG used in OpenSSL. > > As a result, most random number generators use RDRAND in combination > with other techniques. If RDRAND is absolutely trustworthy, the extra > sources won't hurt --- and if it isn't trustworthy mixing in other > sources will likely make things harder for Fort Meade. And even if > these other sources might be observable for someone who can listen in > on the inter-packet arrival times on the LAN (for example), it might > not be so easy for an analyst sitting at their desk in Fort Meade. > > And once you do _that_, you don't need to necessarily loop on RDRAND, > because it's one of multiple sources of entropies that are getting > mixed togethwer. Hence, even if someone drives RDRAND into depletion, > if they are using getrandom(2), it's not a big deal. All well taken points, the Linux RNG and associated community has benefited from your and Jason's concerns and work on all of this. However, whether or not DOS attacks based on RNG depletion are happening in the wild, and the reasons they are not, are orthogonal to whether or not they can be proven to exist, which was the point I was trying to make. Demonstrating a vulnerability in something as critical as Intel's RNG implementation would be a big motivation for some research group. The fact that hasn't occurred would seem to suggest that the RDRAND resource depletion we are concerned with is not adversarially exploitable. I suspect that the achievable socket core count cannot effectively overwhelm the 1022x amplification factor inherent in the design of the RDSEED based seeding of RDRAND. We will see if Elena can come up with what Intel engineering's definition of 'astronomical' is.. :-) > There's a special case with Confidential Compute VM's, since the > assumption is that you want to protect against even a malicious > hypervisor who could theoretically control all other sources of > timing uncertainty. And so, yes, in that case, the only thing we > can do is Panic if RDRAND fails. Indeed. The bigger question, which I will respond to Elena with, is how much this issue calls the entire question of confidential computing into question. > - Ted Have a good day, it has been a long time since you and I were standing around with Phil Hughes in the Galleria in Atlanta argueing about whether or not Active Directory was going to dominate enterprise computing. It does seem to have gained some significant amount of traction... :-) As always, Dr. Greg The Quixote Project - Flailing at the Travails of Cybersecurity https://github.com/Quixote-Project