From: Sandy Harris
Date: Fri, 8 Jan 2021 16:42:11 +0800
Subject: Re: drivers/char/random.c needs a (new) maintainer
To: Pavel Machek
Cc: Petr Tesarik, Jason A. Donenfeld, Torsten Duwe, Marcelo Henrique Cerri, Theodore Y. Ts'o, Linus Torvalds, Stephan Müller, Willy Tarreau, Linux Crypto Mailing List, Nicolai Stange, LKML, Arnd Bergmann, Eric W. Biederman, Alexander E. Patrakov, Ahmed S. Darwish, Matthew Garrett, Vito Caputo, Andreas Dilger, Jan Kara, Ray Strode, William Jon McCann, zhangjs, Andy Lutomirski, Florian Weimer, Lennart Poettering, Peter Matthias, Neil Horman, Randy Dunlap, Julia Lawall, Dan Carpenter, Andy Lavr, Eric Biggers, Ard Biesheuvel, simo@redhat.com
In-Reply-To: <20201224191953.GD22388@amd>
References: <20201130151231.GA24862@lst.de> <20201130165339.GE5364@mit.edu> <20201218132519.kj3nz7swsx7vvlr5@valinor.lan> <20201223132851.55d19271@blackhole.lan> <20201223151014.57caf98b@ezekiel.suse.cz> <20201223170057.7c8fd710@ezekiel.suse.cz> <20201224191953.GD22388@amd>
X-Mailing-List: linux-crypto@vger.kernel.org

Pavel Machek wrote:

> To play devil's advocate, does RNG subsystem need to evolve? Its task
> is to get random numbers. Does it fail at the task?
>
> Problem is, random subsystem is hard to verify, and big rewrite is
> likely to cause security problems...

Parts of the problem, though, are dead easy in many of today's environments. Many CPUs, e.g. Intel, have an instruction that gives random numbers. Some systems have another hardware RNG. Some can add one using a USB device or Denker's Turbid (https://www.av8n.com/turbid/). Many Linux instances run on VMs so they have an emulated HWRNG using the host's /dev/random.

None of those is necessarily 100% trustworthy, though the published analysis for Turbid & for (one version of) the Intel device seems adequate to me. However, if you use any of them to scribble over the entire 4k-bit input pool and/or a 512-bit Salsa context during initialisation, then it seems almost certain you'll get enough entropy to block attacks. They are all dirt cheap so doing that, and using them again later for incremental squirts of randomness, looks reasonable.

In many cases you could go further. Consider a system with an Intel CPU and another HWRNG, perhaps a VM. Get 128 bits from each source & combine them using the 128-bit finite field multiplication from the GSM authentication. Still cheap & it cannot be worse than the better of the two sources. If both sources are anywhere near reasonable, this should produce 128 bits of very high grade random material, cheaply.

I am not suggesting any of these should be used for output, but using them for initialisation whenever possible looks obvious to me.
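The combining step in the last paragraph, as an added example that is not part of this email, of the kernel, or of any of the projects mentioned: multiplication in GF(2^128) modulo x^128 + x^7 + x^2 + x + 1, the field used by GCM's GHASH (presumably the "finite field multiplication" the post has in mind), written in plain polynomial-basis bit order rather than GCM's bit-reflected encoding. The function names, the constructed stand-in inputs and the policy of rejecting an all-zero word are assumptions of this example, not anything the post specifies.

```python
import secrets

# GF(2^128) modulo x^128 + x^7 + x^2 + x + 1 (the GCM/XTS polynomial).
# Integers are polynomials in the standard basis: bit i is the coefficient of x^i.
# This is the same field as GHASH but without GCM's bit-reflected encoding.
IRREDUCIBLE = (1 << 128) | 0x87
MASK = (1 << 128) - 1


def gf128_mul(a: int, b: int) -> int:
    """Schoolbook multiply-and-reduce in GF(2^128). Not constant-time."""
    if not (0 <= a <= MASK and 0 <= b <= MASK):
        raise ValueError("operands must be 128-bit field elements")
    r = 0
    while b:
        if b & 1:
            r ^= a            # add a * x^i for every set bit i of b
        b >>= 1
        a <<= 1               # a * x
        if a >> 128:          # reduce x^128 -> x^7 + x^2 + x + 1
            a ^= IRREDUCIBLE
    return r


def gf128_pow(a: int, e: int) -> int:
    """Square-and-multiply exponentiation in the field."""
    r = 1
    while e:
        if e & 1:
            r = gf128_mul(r, a)
        a = gf128_mul(a, a)
        e >>= 1
    return r


def gf128_inv(a: int) -> int:
    """Inverse as a^(2^128 - 2) (Fermat); used to show the combining map is a bijection."""
    if a == 0:
        raise ZeroDivisionError("0 has no inverse in GF(2^128)")
    return gf128_pow(a, (1 << 128) - 2)


def combine_seeds(word_a: bytes, word_b: bytes) -> bytes:
    """Combine two 128-bit words from independent sources by field multiplication.

    Zero is rejected on purpose (hypothetical policy): a source stuck at all-zeros
    would zero the product and discard the other source entirely, which is the one
    case where "no worse than the better source" stops being true.
    """
    if len(word_a) != 16 or len(word_b) != 16:
        raise ValueError("each source must contribute exactly 16 bytes")
    a = int.from_bytes(word_a, "big")
    b = int.from_bytes(word_b, "big")
    if a == 0 or b == 0:
        raise ValueError("a source returned an all-zero word; treat it as failed")
    return gf128_mul(a, b).to_bytes(16, "big")


def recover_other_factor(product: bytes, known: bytes) -> bytes:
    """Undo the combination given one factor: product * known^-1.

    Because this works for every non-zero `known`, the product is a bijective
    function of the other source, so it is at least as uniform as that source.
    """
    p = int.from_bytes(product, "big")
    k = int.from_bytes(known, "big")
    return gf128_mul(p, gf128_inv(k)).to_bytes(16, "big")


if __name__ == "__main__":
    # Constructed stand-ins for "128 bits from the CPU instruction" and
    # "128 bits from a second HWRNG"; real code would read the devices.
    cpu_word = secrets.token_bytes(16)
    hwrng_word = secrets.token_bytes(16)
    seed = combine_seeds(cpu_word, hwrng_word)
    assert recover_other_factor(seed, hwrng_word) == cpu_word
    print("combined seed:", seed.hex())
```

The property the post relies on is that, for any fixed non-zero b, the map a -> a*b is a permutation of the field, so if either input is uniform and independent of the other, the product is uniform too; `recover_other_factor` demonstrates that permutation by inverting it. The caveat a deployment has to handle is the zero element: a hardware source that has failed to all-zeros makes the product zero regardless of the other input, so a per-source health check (here, just refusing a zero word) is what keeps the "no worse than the better source" claim honest.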