Re: early x86 unseeded randomness
From: Thomas Gleixner
Date: Tue Aug 15 2017 - 10:43:09 EST
On Tue, 15 Aug 2017, Theodore Ts'o wrote:
> On Tue, Aug 15, 2017 at 03:48:18PM +0200, Thomas Gleixner wrote:
> > > > +u64 __init tsc_early_random(void)
> > > > +{
> > > > + u64 uninitialized_var(res);
> > > > + int i;
> > > > +
> > > > + if (!boot_cpu_has(X86_FEATURE_TSC))
> > > > + return res;
> > > > +
> > > > + res ^= rdtsc();
> > > > + for (i = 0; i < BITS_PER_LONG; i++) {
> > > > + res ^= ((rdtsc() & 0x04) >> 2) << i;
> > > > + udelay(2);
> > > > + }
> > > > + return res;
> > > > +}
>
> Reasons why this is probably not the best idea:
>
> 1) Exactly how udelay is implemented varies from architecture to
> architecture and in some cases is different on a subarchitectural
> level. Some of them rely on reading the TSC; others rely on
> operations that will have a constant number of CPU cycles (e.g., they
> aren't doing much if any operations that might even have a tiny
> glimmer of hope of adding unpredictability).
That's not really true. You can add random shite instead of udelay(2). The
point of this exercise is to somewhat utilize the instruction pipeline,
which causes the TSC readouts to be not even spread over a the loop and
therefor yield random results.
> 2) Given a dozen numbers and saying, "hmm, my human brain doesn't see
> a problem, it *must* be good" is hardly the basis on which to make
> this kind of security design. If you don't understand why this is a
> bad idea, and can't come up with a counter example in under 5 seconds,
> you probably aren't qualified to be designing a RNG which is supposed
> to be cryptographically secure.
Care to read the paper?
We tried that 6 years ago on a wide range of machines from server to stupid
first generation in order ATOM chips. All of them exposed more or less the
same behaviour and passed RND validation tests.
I'm not saying it's a replacement for the run time random generator, but
it's exceptionally good and reasonably fast for the early boot
randomization.
Thanks,
tglx