From: Dominik Brodowski
To: "Jason A. Donenfeld"
Cc: Thomas Ristenpart, Yevgeniy Dodis, tytso, Nadia Heninger, Noah Stephens-Dawidowitz, Stefano Tessaro, torvalds@linux-foundation.org, "D. J. Bernstein", jeanphilippe.aumasson@gmail.com, jann@thejh.net, keescook@chromium.org, gregkh@linuxfoundation.org, Peter Schwabe, linux-crypto@vger.kernel.org, linux-kernel@vger.kernel.org
Date: Fri, 13 May 2022 08:19:13 +0200
Subject: Re: is "premature next" a real world rng concern, or just an academic exercise?
References: <7EB51D84-90A4-4C97-9A81-14A8C32990F7@cornell.edu>
X-Mailing-List: linux-crypto@vger.kernel.org

On Thu, May 12, 2022 at 01:47:06PM +0200, Jason A. Donenfeld wrote:
> But on the other hand, it appears that none of us really thinks that
> premature next is a real problem worth complicating designs over. So
> maybe we can just say that it is nice when the silicon in one way or
> another helps with premature next, but maybe not an explicit must have.
> So where does that leave us?
>
> - Systems with RDSEED/RDRAND don't have premature next, due to the above
>   KDF salt. This is probably the majority of systems out there these
>   days. This also applies to the sleep resumption notification (and the
>   vmgenid one), and I suspect that most systems with S3 or S0ix or
>   whatever else these days also probably have RDRAND.

... and most of these systems have TPM chips with an RNG, which is (alas)
usually only used at system startup, as that hw_rng device sets its
quality to 0 (meaning untrusted). So there's also room for improvement
involving these hw rng devices.

Thanks,
	Dominik
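The "premature next" problem and the RDSEED-as-KDF-salt mitigation that the quoted message relies on, as an added toy simulation (not code from the thread or from the kernel): an attacker who once learned the pool state brute-forces the small amount of entropy mixed in before each output, and so stays in sync indefinitely; mixing fresh hardware randomness into each extraction (modelled here with os.urandom standing in for RDSEED) breaks that tracking. The hash-based pool and the 8-bit entropy inputs are assumptions of the model, not the kernel's design.

```python
import hashlib
import os
import secrets

# Toy entropy pool: a 32-byte state, updated by hashing in new input.
def mix(state: bytes, entropy: bytes) -> bytes:
    return hashlib.blake2s(state + entropy).digest()

# Extraction derives an output and the next state from the pool. `salt` models
# hardware randomness (RDSEED) mixed in as a KDF salt; b"" means no salt.
def extract(state: bytes, salt: bytes = b"") -> tuple[bytes, bytes]:
    out = hashlib.blake2s(state + salt, person=b"extract").digest()
    nxt = hashlib.blake2s(state + salt, person=b"next").digest()
    return out, nxt

def simulate(rounds: int, salted: bool, entropy_bits: int = 8) -> bool:
    """Return True if an attacker who knew the initial state is still in sync
    with the real pool after `rounds` mix/extract cycles (constructed model)."""
    state = os.urandom(32)      # real pool state
    tracked = state             # attacker's copy, compromised at time 0
    nbytes = (entropy_bits + 7) // 8
    for _ in range(rounds):
        # A small entropy input arrives that the attacker did not observe.
        ent = secrets.randbelow(1 << entropy_bits).to_bytes(nbytes, "big")
        state = mix(state, ent)
        salt = os.urandom(32) if salted else b""   # RDSEED contribution, if any
        out, state = extract(state, salt)
        # Attacker uses the observed output as an oracle to brute-force the
        # entropy input; they cannot know the hardware salt, so they assume none.
        found = None
        for cand in range(1 << entropy_bits):
            cs = mix(tracked, cand.to_bytes(nbytes, "big"))
            o, ns = extract(cs, b"")
            if o == out:
                found = ns
                break
        if found is None:
            return False        # tracking lost: premature next defeated
        tracked = found
    return tracked == state

if __name__ == "__main__":
    print("unsalted, attacker stays in sync:", simulate(5, salted=False))
    print("RDSEED salt, attacker stays in sync:", simulate(5, salted=True))
```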