Re: [PATCH v43 01/15] Linux Random Number Generator

From: Marcelo Henrique Cerri
Date: Mon Jan 10 2022 - 10:08:20 EST

Next message: Michael S. Tsirkin: "Re: [PATCH v12 00/13] Introduce VDUSE - vDPA Device in Userspace"
Previous message: Mauro Carvalho Chehab: "Re: [GIT PULL for v5.17-rc1] New year's media updates"
In reply to: Jason A. Donenfeld: "Re: [PATCH v43 01/15] Linux Random Number Generator"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Mon, Jan 10, 2022 at 09:29:04AM -0500, Theodore Ts'o wrote:
> On Mon, Jan 10, 2022 at 03:11:46PM +0100, Jason A. Donenfeld wrote:
> > On Mon, Jan 10, 2022 at 2:24 PM Marcelo Henrique Cerri
> > <marcelo.cerri@xxxxxxxxxxxxx> wrote:
> > > Hoping that might help with the discussion and to explain why I do
> > > consider those solutions a "hack", that's the patch we've been using
> > > so far to achieve SP 800-90B compliance:
> > >
> > > https://kernel.ubuntu.com/~mhcerri/0001-UBUNTU-SAUCE-random-Use-Crypto-API-DRBG-for-urandom-.patch
> >
> > Thanks for sending this in response to my request for it in our private thread.

No problem. And sorry for the delay.

> >
> > Just to confirm, this little patch here gives you FIPS certification?

It does because it basically replaces everything in random.c (for
urandom in this case) with the Crypto API DRBG, which is
compliant. Although it might be wiser to replace both urandom and
random in this case.

>
> There might be some FIPS certification labs that might be willing to
> be taken in by the jitterentropy story, but when I've had private
> communications from people who are familiar with the Intel
> microarchitecture saying that jitterentropy is mostly "security by
> obscurity", I'd be strongly opposed to replacing the current scheme
> with something which is purely jitteretropy.
>
> Perhaps an build-time option where one of the seeds into the CRNG is
> "jitterentropy", but we keep everything else. That way, jitterentropy
> can still be TSA-style "security theatre", but we're not utterly
> dependant on the "the CPU microarchitecture is SOOOOOOO complicated,
> it *must* be unpredictable".
>

Hi, Theodore.

I might be missing something, but the Crypto API DRBG is seeded by
jitterentropy_rng and by get_random_bytes(), their outputs are both
concatenated and used as the seed. So I don't think that should be a
concern, right?

> - Ted

--
Regards,
Marcelo

Attachment: signature.asc
Description: PGP signature

Next message: Michael S. Tsirkin: "Re: [PATCH v12 00/13] Introduce VDUSE - vDPA Device in Userspace"
Previous message: Mauro Carvalho Chehab: "Re: [GIT PULL for v5.17-rc1] New year's media updates"
In reply to: Jason A. Donenfeld: "Re: [PATCH v43 01/15] Linux Random Number Generator"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]