Linux fix for untrustworthy hardware random # generator

William Muriithi william.muriithi-Re5JQEeQqe8AvxtiuMwx3w at public.gmane.org
Fri Jan 3 01:04:18 UTC 2014


FYI

This commit allow Linux to use untrusted hardware random number generator.

commit a9f069e38cc36d6c4ab3c831bc4bef 2ae1a16e96 Author: Theodore Ts'o <
tytso-3s7WtUTddSA at public.gmane.org> Date: Tue Dec 17 21:16:39 2013 -0500

random: use the architectural HWRNG for the SHA's IV in extract_buf()

To help assuage the fears of those who think the NSA can introduce a
massive hack into the instruction decode and out of order execution engine
in the CPU without hundreds of Intel engineers knowing about it (only one
of which woud need to have the conscience and courage of Edward Snowden to
spill the beans to the public), use the HWRNG to initialize the SHA
starting value, instead of xor'ing it in afterwards.

Signed-off-by: "Theodore Ts'o" <tytso-3s7WtUTddSA at public.gmane.org>

diff --git a/drivers/char/random.c b/drivers/char/random.c index
8cc7d65..d07575c 100644 --- a/drivers/char/random.c +++
b/drivers/char/random.c @@ -1012,23 +1012,23 @@ static void
extract_buf(struct entropy_store *r, __u8 *out) __u8 extract[64]; unsigned
long flags;

- /* Generate a hash across the pool, 16 words (512 bits) at a time */-
sha_init(hash.w); - spin_lock_irqsave(&r->lock, flags); - for (i = 0; i <
r->poolinfo->poolwords; i += 16) - sha_transform(hash.w, (__u8 *)(r->pool +
i), workspace); -/* * If we have an architectural hardware random number -
* generator, mix that in, too. + * generator, use it for SHA's initial
vector */+ sha_init(hash.w); for (i = 0; i < LONGS(20); i++) { unsigned
long v; if (!arch_get_random_long(&v)) break; - hash.l[i] ^= v; + hash.l[i]
= v; }

+ /* Generate a hash across the pool, 16 words (512 bits) at a time */+
spin_lock_irqsave(&r->lock, flags); + for (i = 0; i <
r->poolinfo->poolwords; i += 16) + sha_transform(hash.w, (__u8 *)(r->pool +
i), workspace); + /* * We mix the hash back into the pool to prevent
backtracking * attacks (where the attacker knows the the state of the pool.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://gtalug.org/pipermail/legacy/attachments/20140102/01f37281/attachment.html>


More information about the Legacy mailing list