Re: [PATCH v6 0/5] /dev/random - a new approach

From: Stephan Mueller
Date: Tue Aug 16 2016 - 01:45:27 EST


Am Montag, 15. August 2016, 13:42:54 CEST schrieb H. Peter Anvin:

Hi H,

> On 08/11/16 05:24, Stephan Mueller wrote:
> > * prevent fast noise sources from dominating slow noise sources
> >
> > in case of /dev/random
>
> Can someone please explain if and why this is actually desirable, and if
> this assessment has been passed to someone who has actual experience
> with cryptography at the professional level?

There are two motivations for that:

- the current /dev/random is compliant to NTG.1 from AIS 20/31 which requires
(in brief words) that entropy comes from auditible noise sources. Currently in
my LRNG only RDRAND is a fast noise source which is not auditible (and it is
designed to cause a VM exit making it even harder to assess it). To make the
LRNG to comply with NTG.1, RDRAND can provide entropy but must not become the
sole entropy provider which is the case now with that change.

- the current /dev/random implementation follows the same concept with the
exception of 3.15 and 3.16 where RDRAND was not rate-limited. In later
versions, this was changed.

Ciao
Stephan