Date: Wed, 23 Jun 2021 10:00:29 -0700 (PDT)
From: James Morris
To: Stephan Mueller
Cc: Mickaël Salaün, David Miller, Herbert Xu, John Haxby, Konrad Rzeszutek Wilk, Simo Sorce, linux-crypto@vger.kernel.org, linux-kernel@vger.kernel.org, hpa@zytor.com, tytso@mit.edu
Subject: Re: [PATCH v1] crypto: Make the DRBG compliant with NIST SP800-90A rev1
In-Reply-To: <9dbbf4e751cb4953fe63079cdc917a0bb3a91670.camel@chronox.de>
References: <20210623120751.3033390-1-mic@digikod.net> <9dbbf4e751cb4953fe63079cdc917a0bb3a91670.camel@chronox.de>
List-ID: linux-crypto@vger.kernel.org

On Wed, 23 Jun 2021, Stephan Mueller wrote:

> > > These changes replace the use of the Linux RNG with the Jitter RNG,
> > > which is NIST SP800-90B compliant, to get a proper entropy input and a
> > > nonce as defined by FIPS.
>
> Can you please help me understand what is missing in the current code which
> seemingly already has achieved this goal?

The advice we have is that if an attacker knows the internal state of the CPU,
then the output of the Jitter RNG can be predicted.

--
James Morris
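The exchange above turns on two things: what SP 800-90A asks of the entropy input and nonce at instantiation, and the fact that once a DRBG is seeded everything it emits is a deterministic function of that seed, so a predictable entropy source (the concern raised about the Jitter RNG) makes the whole output stream predictable. The following is an added example written for this page, not code from the thread or from the kernel's drbg.c: a minimal Hash_DRBG with SHA-256 following the Instantiate and Generate algorithms of SP 800-90A rev1 section 10.1.1 (no reseed, no additional input), with the length checks from section 8.6.7, plus a small function showing that an attacker who can reproduce the entropy input and nonce reproduces the stream. The entropy and nonce values used in the usage section are constructed test inputs, not real entropy.

```python
"""Toy Hash_DRBG (SHA-256) after NIST SP 800-90A rev1 section 10.1.1.
Illustration only; this is not the Linux kernel's drbg.c."""
import hashlib

OUTLEN = 32             # SHA-256 output length in bytes
SEEDLEN = 55            # 440 bits for SHA-256 Hash_DRBG (SP 800-90A table 2)
SECURITY_STRENGTH = 32  # 256 bits, in bytes
RESEED_INTERVAL = 2 ** 48
_SEED_MOD = 1 << (SEEDLEN * 8)


def _hash(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def hash_df(input_string: bytes, no_of_bytes_to_return: int) -> bytes:
    """Hash_df (SP 800-90A 10.3.1): stretch/condense arbitrary input to a fixed length.
    Each block hashes counter || bit-length(32-bit BE) || input."""
    no_of_bits = no_of_bytes_to_return * 8
    temp = b""
    counter = 1
    while len(temp) < no_of_bytes_to_return:
        temp += _hash(bytes([counter]) + no_of_bits.to_bytes(4, "big") + input_string)
        counter += 1
    return temp[:no_of_bytes_to_return]


def _add_mod_seedlen(*values: int) -> bytes:
    return (sum(values) % _SEED_MOD).to_bytes(SEEDLEN, "big")


class HashDRBG:
    def __init__(self, entropy_input: bytes, nonce: bytes, personalization: bytes = b""):
        # SP 800-90A 8.6.7: the entropy input must carry at least
        # security_strength bits of entropy and the nonce at least
        # security_strength/2.  A length check is the most a consumer can
        # verify; the entropy claim itself rests on the source (here the
        # thread's point about the Jitter RNG).
        if len(entropy_input) < SECURITY_STRENGTH:
            raise ValueError("entropy input shorter than security strength")
        if len(nonce) < SECURITY_STRENGTH // 2:
            raise ValueError("nonce shorter than security_strength/2")
        seed_material = entropy_input + nonce + personalization
        self.V = hash_df(seed_material, SEEDLEN)              # 10.1.1.2 step 2-3
        self.C = hash_df(b"\x00" + self.V, SEEDLEN)           # 10.1.1.2 step 4
        self.reseed_counter = 1

    def generate(self, n_bytes: int) -> bytes:
        """Hash_DRBG_Generate (10.1.1.4) without additional input."""
        if self.reseed_counter > RESEED_INTERVAL:
            raise RuntimeError("reseed required")
        # Hashgen: hash V, V+1, V+2, ... until enough output is collected.
        data = int.from_bytes(self.V, "big")
        out = b""
        while len(out) < n_bytes:
            out += _hash(data.to_bytes(SEEDLEN, "big"))
            data = (data + 1) % _SEED_MOD
        # State update: V = (V + H(0x03 || V) + C + reseed_counter) mod 2^seedlen
        h = _hash(b"\x03" + self.V)
        self.V = _add_mod_seedlen(int.from_bytes(self.V, "big"),
                                  int.from_bytes(h, "big"),
                                  int.from_bytes(self.C, "big"),
                                  self.reseed_counter)
        self.reseed_counter += 1
        return out[:n_bytes]


def seed_accepted(entropy_input: bytes, nonce: bytes) -> bool:
    """True if instantiation passes the SP 800-90A length checks."""
    try:
        HashDRBG(entropy_input, nonce)
        return True
    except ValueError:
        return False


def attacker_reproduces_stream(entropy_input: bytes, nonce: bytes, n_bytes: int):
    """The DRBG adds no secrecy of its own: an attacker who can reproduce the
    entropy input and nonce (for a timing-based source, one who can model the
    CPU state that produced the timings) computes the victim's exact output."""
    victim = HashDRBG(entropy_input, nonce)
    attacker = HashDRBG(entropy_input, nonce)
    return victim.generate(n_bytes), attacker.generate(n_bytes)


if __name__ == "__main__":
    # Constructed inputs for demonstration only; not entropy.
    entropy, nonce = bytes(range(32)), bytes(16)
    v, a = attacker_reproduces_stream(entropy, nonce, 64)
    print("attacker matches victim:", v == a)
```

The example deliberately stops at instantiate and generate: the point of the thread is that the quality of the seed, not the DRBG algorithm, decides whether the output is predictable, and the length checks in the constructor are the only part of "proper entropy input and nonce" a consumer can enforce mechanically.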