[PATCH] KEYS: asym_tpm: Switch to get_random_bytes()
From: Safford, David (GE Global Research, US)
Date: Fri Oct 04 2019 - 15:56:10 EST
> From: linux-integrity-owner@xxxxxxxxxxxxxxx <linux-integrity-
> owner@xxxxxxxxxxxxxxx> On Behalf Of Jarkko Sakkinen
> Sent: Friday, October 4, 2019 2:27 PM
> Subject: EXT: Re: [PATCH] KEYS: asym_tpm: Switch to get_random_bytes()
>
> If you are able to call tpm_get_random(), the driver has already registered
> TPN as hwrng. With this solution you fail to follow the principle of defense in
> depth. If the TPM random number generator is compromissed (has a bug)
> using the entropy pool will decrease the collateral damage.
And if the entropy pool has a bug or is misconfigured, you lose everything.
That does not sound like defense in depth to me. In the real world
I am not aware of a single instance of RNG vulnerability on a TPM.
I am directly aware of several published vulnerabilities in embedded systems
due to a badly ported version of the kernel random pool. In addition,
the random generator in a TPM is hardware isolated, and less likely to be
vulnerable to side channel or memory manipulation errors. The TPM
RNG is typically FIPS certified. The use of the TPM RNG was a deliberate
design choice in trusted keys.
> > Third, as Mimi states, using a TPM is not a "regression". It would be
> > a regression to change trusted keys _not_ to use the TPM, because that
> > is what trusted keys are documented to provide to user space.
>
> For asym-tpm.c it is without a question a regression because of the evolution
> that has happened after trusted keys. For trusted keys using kernel rng
> would be improvement.
Perhaps this is a language issue, but you are not using "regression" correctly.
Changing to the kernel pool would not only be a debatable "improvement",
but also would certainly be a change to the documented trusted key
behavior, which I thought was frowned upon.
dave