Re: [PATCH] random: add a config option to trust the CPU's hwrng

From: Theodore Y. Ts'o
Date: Sat Aug 04 2018 - 20:25:26 EST


On Sat, Aug 04, 2018 at 11:52:10PM +0200, Pavel Machek wrote:
> > However, enabling config option means that the CRNG will be
> > initialized with potentially information available to the CPU
> > manufacturer and/or Nation States, and this persists *after*
> > initialization / early boot. So to say, "we're perfectly safe after
> > we leave initialization / early boot" is not true.
>
> This should really be explained in the help text.
>
> I assume that after 10 seconds of moving mouse, user is safe even when
> rdrand is backoored?

You'll hate this answer, but "it depends". Suppose someone is using
an init script which generates ssh keys upon first boot if they are
missing. If this is the case, *and* RDRAND is backdoored, then the
keys will be generated in such a way that they *might* be succeptible
to being guessed by a nation state. Moving your mouse around for 1000
or 10,000 seconds won't help if the host's ssh keys has already been
generated.

Depending on your hardware, no mouse motion might be necessary at all.
On my laptop (a Dell XPS 13 model 9370) using an dm-crypt protected
root disk, and running a Debian testing userspace, with a 4.18-rc6
based kernel, the "CRNG is initialized" message is printed *before*
the root file system is mounted.

On other systems, where the hardware does not issue as many
interrupts, the mouse motion might be extremely important in order to
get the "CRNG is initialized" message.

> (Plus, I'd say this should be kernel command line option, not config
> option...?)

Agreed, there should be a command line option as well. I just haven't
gotten around to it yet, and in the meantime, having a config option
is better than nothing. Patches gratefully accepted... :-)

- Ted