Thread (24 messages) 24 messages, 9 authors, 2022-08-12

Re: [PATCH] random: remove CONFIG_ARCH_RANDOM and "nordrand"

From: "Jason A. Donenfeld" <Jason@zx2c4.com>
Date: 2022-07-06 15:25:37
Also in: linux-arm-kernel, linux-s390, lkml

Hi Ted,

On Wed, Jul 06, 2022 at 10:55:04AM -0400, Theodore Ts'o wrote:
On Tue, Jul 05, 2022 at 09:01:21PM +0200, Jason A. Donenfeld wrote:
quoted
Later the thinking evolved. With a properly designed RNG, using RDRAND
values alone won't harm anything, even if the outputs are malicious.
I personally think it's totally fine to remove nordrand.  However, the
reason why it was there was that there were some rather extreme
tin-foil-hatters who believed that if (the completely unavailable to
the public for auditing) RDRAND implementation *were* malicious *and*
the microcode had access to the register file and/or the instruction
pipeline, then in theory, a malicious CPU could subvert how the RDRAND
is mixed into the getrandom output to force a particular output.

Personally, I've always considered it to be insane, since a much
easier way to compromise a CPU would be to drop a Minix system hidden
into the CPU running a web server that had massive security bugs in it
that were only discovered years later.  And if you don't trust the CPU
manufacture to that extent, you should probably simply not use CPU's
from that manufacturer.  :-)
That specific attack scenario is actually something I've fixed over the
last few months, by ensuring that all RDRAND values go through the hash
function. So even if the CPU is super malicious, it'd still need a hash
preimage, which isn't considered to be computable for blake2s.

Minix in the cpu... haha.. surely that would never happen... haha
surely...

Jason
Keyboard shortcuts
hback out one level
jnext message in thread
kprevious message in thread
ldrill in
Escclose help / fold thread tree
?toggle this help