Re: [PATCH] CPU Jitter RNG: inclusion into kernel crypto API and/dev/random

From: Clemens Ladisch
Date: Wed Nov 13 2013 - 06:51:58 EST

Next message: Shaohui Xie: "RE: [PATCH 2/4] phylib: Add generic 10G driver"
Previous message: Ingo Molnar: "Re: [PATCH 4/5] perf record: mmap output file - v5"
In reply to: Stephan Mueller: "Re: [PATCH] CPU Jitter RNG: inclusion into kernel crypto API and /dev/random"
Next in thread: Stephan Mueller: "Re: [PATCH] CPU Jitter RNG: inclusion into kernel crypto API and /dev/random"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Stephan Mueller wrote:
> Am Sonntag, 10. November 2013, 21:28:06 schrieb Clemens Ladisch:
>> Many CPUs allow to disable branch prediction, but this is very vendor
>> specific (try to find MSR documentation). The biggest offender probably
>> is the out-of-order execution engine, which cannot be disabled.
>
> For x86, I have not found a way to disable the unit.

My AMD processor can do this in the IC_CFG/DC_CFG MSRs. (See the BKDG.)

The Intel Core family has other settings (such as data prefetching) that
are configurable in the IA32_MISC_ENABLE MSR.

(And any setting that increases accesses to main memory is likey to
introduce more entropy due to clock drift between the processor and the
memory bus. Or where do you assume the entropy comes from?)

BTW: MFENCE is not guaranteed to flush the instruction pipeline; you
need CPUID for that.

> XOR is a bijective operation.

Only XOR with a constant, which is not what you're doing.

>>> There are so many assessments on entropy I make, I am surprised that I
>>> am said to have no entropy assessment.
>>
>> Again: Shannon entropy assumes that you have a sequence of independent
>> and identically distributed random variables. And you cannot prove
>> these properties from the output; you need to know the process that
>> generates the values.
>
> I am absolutely on your side here. And as we cannot (yet?) fully conclude that
> the observations are independent, a safety margin must always be considered.

If the observations are not independent, you cannot just assume that the
estimate is off by a certain factor. It means that the estimate is not
applicable _at all_.

> The RNG has the following safety margins where it is more conservative than
> measurements indicate:

You _cannot_ measure entropy by looking at the output. How would you
differentiate between /dev/random and /dev/urandom?

Regards,
Clemens
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Shaohui Xie: "RE: [PATCH 2/4] phylib: Add generic 10G driver"
Previous message: Ingo Molnar: "Re: [PATCH 4/5] perf record: mmap output file - v5"
In reply to: Stephan Mueller: "Re: [PATCH] CPU Jitter RNG: inclusion into kernel crypto API and /dev/random"
Next in thread: Stephan Mueller: "Re: [PATCH] CPU Jitter RNG: inclusion into kernel crypto API and /dev/random"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]