Re: [PATCH] random: mix all saved registers into entropy pool

From: Jörn Engel
Date: Tue May 20 2014 - 16:09:50 EST


On Tue, 20 May 2014 05:12:07 -0700, Andi Kleen wrote:
> Jörn Engel <joern@xxxxxxxxx> writes:
> >
> > An alternate high-resolution timer is the register content at the time
> > of an interrupt.
>
> So if you interrupt a cryptographic function you may hash in parts
> of the key?

Yes. And if there was an efficient way to deduce random generator
inputs, that would be a new side channel attack. An efficient way to
deduce random generator inputs would allow many other attacks as well.
I don't know of such an attack nor can I conceive it being possible
under normal circumstances.

There are of course two exceptions. If the attacker can read
arbitrary kernel memory - and therefore could read the private key
directly. And if there is so little entropy that an attacker can
enumerate all possible states of the random generator and read enough
random numbers to exclude most of those states.

The second case also allows for many more interesting attacks and is
exactly the sort of hole I want to plug with this patch.

I think leaking of private keys or similar information is not a
concern. But please prove me wrong. Better you now than someone else
later.

Jörn

--
When in doubt, punt. When somebody actually complains, go back and fix it...
The 90% solution is a good thing.
-- Rob Landley