Re: HWRNGs without quality attribute - are they used or not?

Hi Peter,

On 5 September 2017 7:24:02 PM IST, Peter Huewe <PeterHuewe@xxxxxx> wrote:
>Hi,
>
>while reading through the analysis of the Linux RNG by the BSI [1][2],
>I was surprised by the lack of reflecting on the usage of HWRNGs except
>RDRAND/RDSEED.
>
>In the paper it was mentioned that if the quality attribute of a
>regular hwrng is not set
>(or specified via the module parameter default_quality for all hwrng)
>the HWRNG is not used at all.
>Only very few set this attribute explicitly, and the default is 0,
>so even if we enable these HWRNGs in the kernel config, they are not
>used?
>
>I read through the hw_random code and came to the same conclusion - but
>is this correct and desired?

If the quality of the RNG source is not set or is set to 0 then hwrng does not use the data to seed /dev/random.

>Specifically since you can set the 'default value' only for every hwrng
>but not overwrite the quality for a specific device.
>e.g. the quite good tpm hwrng of my ifx tpm would not be used and 
>if I set the default_quality to something other than 0, other devices
>would be used, which I would not want to.

Device with high quality will be used by default. But user space can tell hwrng to use a particular device even if it is not the best RNG source. But it won't be used for seeding /dev/random even in this case.

Every instance of the hw_random structure represents an RNG device. If you can use a different instance for every TPM chip then setting a different quality value is possible.

I have an untested patch that allocates different hw_random structure instance for every TPM chip and registers with hwrng on tpm_chip_register. I made the change for fixing some other issue but did not get time to test it. If that patch will be helpful I can find it out and post the patch as RFC tomorrow.

>
>Is this understanding correct?
>
>
>Thanks,
>Peter
>(tpm maintainer)
>
>
>
>[1]
>https://www.bsi.bund.de/DE/Publikationen/Studien/LinuxRNG/index_htm.html
>[2]
>https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/Studien/LinuxRNG/LinuxRNG_EN.pdf?__blob=publicationFile&v=5

Regards,
PrasannaKumar
-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.
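
The rule discussed in this thread (a selected hwrng whose effective quality is 0 does not seed the kernel pool) can be checked on a running system with the following shell function. It is an added example, not code from either poster or from the kernel tree. The sysfs paths it reads are assumptions about the hw_random core's interface and are not named in the thread.

```shell
#!/bin/sh
# Added example. Reports whether the currently selected hwrng contributes to
# the kernel entropy pool, using the rule from the thread: quality 0 = unused.
# Assumed sysfs locations (not named in the thread):
#   <root>/class/misc/hw_random/rng_current            selected device name
#   <root>/class/misc/hw_random/rng_quality            effective quality (newer kernels)
#   <root>/module/rng_core/parameters/current_quality  same value on older kernels
# Usage: hwrng_seeding_status [SYSFS_ROOT]   (SYSFS_ROOT defaults to /sys)
# Exit status: 0 = seeding, 1 = not seeding, 2 = cannot tell.
hwrng_seeding_status() {
    root="${1:-/sys}"
    dev="$root/class/misc/hw_random"
    par="$root/module/rng_core/parameters"

    [ -r "$dev/rng_current" ] || { echo "hw_random core not present"; return 2; }
    current=$(cat "$dev/rng_current")
    if [ -z "$current" ] || [ "$current" = "none" ]; then
        echo "current=none seeding=no"
        return 1
    fi

    # Prefer the per-device attribute, fall back to the module parameter.
    if [ -r "$dev/rng_quality" ]; then
        quality=$(cat "$dev/rng_quality")
    elif [ -r "$par/current_quality" ]; then
        quality=$(cat "$par/current_quality")
    else
        echo "current=$current quality=unknown"
        return 2
    fi

    # Reject anything that is not a plain non-negative integer.
    case "$quality" in
        ''|*[!0-9]*) echo "current=$current quality=unparsable"; return 2 ;;
    esac

    if [ "$quality" -gt 0 ]; then
        echo "current=$current quality=$quality seeding=yes"
        return 0
    fi
    echo "current=$current quality=0 seeding=no"
    return 1
}
```

A result of `seeding=no` for a device that is enabled in the kernel config is the situation the thread describes: the driver is loaded and readable through /dev/hwrng, but nothing from it reaches /dev/random.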



