• T
    random: add new get_random_bytes_arch() function · c2557a30
    Theodore Ts'o 提交于
    Create a new function, get_random_bytes_arch() which will use the
    architecture-specific hardware random number generator if it is
    present.  Change get_random_bytes() to not use the HW RNG, even if it
    is avaiable.
    
    The reason for this is that the hw random number generator is fast (if
    it is present), but it requires that we trust the hardware
    manufacturer to have not put in a back door.  (For example, an
    increasing counter encrypted by an AES key known to the NSA.)
    
    It's unlikely that Intel (for example) was paid off by the US
    Government to do this, but it's impossible for them to prove otherwise
    --- especially since Bull Mountain is documented to use AES as a
    whitener.  Hence, the output of an evil, trojan-horse version of
    RDRAND is statistically indistinguishable from an RDRAND implemented
    to the specifications claimed by Intel.  Short of using a tunnelling
    electronic microscope to reverse engineer an Ivy Bridge chip and
    disassembling and analyzing the CPU microcode, there's no way for us
    to tell for sure.
    
    Since users of get_random_bytes() in the Linux kernel need to be able
    to support hardware systems where the HW RNG is not present, most
    time-sensitive users of this interface have already created their own
    cryptographic RNG interface which uses get_random_bytes() as a seed.
    So it's much better to use the HW RNG to improve the existing random
    number generator, by mixing in any entropy returned by the HW RNG into
    /dev/random's entropy pool, but to always _use_ /dev/random's entropy
    pool.
    
    This way we get almost of the benefits of the HW RNG without any
    potential liabilities.  The only benefits we forgo is the
    speed/performance enhancements --- and generic kernel code can't
    depend on depend on get_random_bytes() having the speed of a HW RNG
    anyway.
    
    For those places that really want access to the arch-specific HW RNG,
    if it is available, we provide get_random_bytes_arch().
    Signed-off-by: N"Theodore Ts'o" <tytso@mit.edu>
    Cc: stable@vger.kernel.org
    c2557a30
random.c 43.7 KB