Re: [PATCH 2/4] random: Add a pseudorandom generator based on the xtea cipher

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Thu, Feb 10, 2022 at 10:38:28PM +0800, Sandy Harris wrote:
> Add a pseudorandom generator based on the xtea cipher
> 
> This will be used only within the kernel, mainly within the driver
> to rekey chacha or dump extra random data into the input pool.
> 
> It needs a 64-bit output to match arch_get_random_long(), and
> the obvious way to get that is a 64-bit block cipher.

I'm not convinced the proposed use case is worth the complexity it
adds.  Our current use for arch_get_random_[seed_] is to add extra
hardware-generated random which is cheap (compared to using external
sources such as virtio_rng or a USB attached hardware number
generator).  If it doesn't exist, we fall back to using the CPU cycle
counter (if present) because it's cheap.  But if none of this exists,
the source of entropy used to reseed the CRNG or the timing data into
input pool is supposed to be sufficient.  So RDSEED, RDLONG, or the
TSC (using the x86 facilities for example) are a nice-to-have not a necessity.

The TEA code path is not going to be used much on 99% of the systems
out there, and even it is used, on those systems which don't have
RDSEED, RDLONG, etc., there's not going to be anything to initialize
the pseudo-random number generator, so I fear it will be considered
security theatre.  Fundamentally, it's another CRNG that is supposed
to be only used for the kernel, and is it really worth it?

      	   	    		    - Ted



[Index of Archives]     [Kernel]     [Gnu Classpath]     [Gnu Crypto]     [DM Crypt]     [Netfilter]     [Bugtraq]

  Powered by Linux