Subject: NetBSD Security Advisory 2006-009: False detection of Intel hardware RNG
To: None <current-users@NetBSD.org>
From: NetBSD Security-Officer <security-officer@NetBSD.org>
List: current-users
Date: 04/13/2006 03:31:28
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
NetBSD Security Advisory 2006-009
=================================
Topic: False detection of Intel hardware RNG
Version: NetBSD-current: source prior to February 19, 2006
NetBSD 3.0: affected
NetBSD 2.1: affected
NetBSD 2.0.*: affected
NetBSD 2.0: affected
NetBSD 1.6.*: affected
NetBSD 1.6: affected
Severity: A constant stream is feed into the entropy pool
Fixed: NetBSD-current: February 19, 2006
NetBSD-3-0 branch: February 26, 2006
(3.0.1 will include the fix)
NetBSD-3 branch: February 26, 2006
NetBSD-2-1 branch: February 26, 2006
(2.1.1 will include the fix)
NetBSD-2-0 branch: February 26, 2006
(2.0.4 will include the fix)
NetBSD-2 branch: February 26, 2006
NetBSD-1-6 branch: February 26, 2006
Abstract
========
The driver for Intel's random number generator may incorrectly detect the
presence of the device on some hardware. This can lead to the driver
feeding a constant stream into the entropy pool.
Technical Details
=================
When Intel introduced the i8xx motherboard chipsets for x86 CPUs they also
released the 82802 chip called the "firmware hub". One of the features
provided by this chip is a hardware random number generator.
The NetBSD kernel provides a driver which uses this hardware random number
generator to collect entropy for the kernel random number generator, rnd(4).
This kernel random number generator is, among other things, used to provide
random input to applications which need to create cryptographic keys, e.g.
the SSH daemon or GnuPG.
However, some later Intel chipsets incorrectly report the presence of the
hardware RNG device, and the NetBSD driver unfortunately incorrectly
detected the chip in systems which didn't really have one. When this
happened a constant stream of bytes with the value 255 was fed into the
kernel random number generator.
Users relying on a falsely-attached 82802 chip as the sole randomness source
for rnd(4) may be at significant risk of poor-quality or highly predictable
output. Such circumstances may arise on embedded-style systems without hard
disks or other common sources, or where the administrator has explicitly
disabled the other sources in the belief that the hardware RNG was superior
or sufficient. This could therefore result in the use of predictable keys
for cryptography, disabling the expected protection.
Please refer to this web page for details:
http://home.comcast.net/~andrex/hardware-RNG/doihave.html
Systems potentially affected meet the following conditions:
- Using an Intel i8xx motherboard chipset for x86 CPUs
- The kernel prints out "pchb0: random number generator enabled" during boot,
additionally the device "pchb0" should show in the output from "rndctl -l".
Solutions and Workarounds
=========================
The rndctl(8) command can be used to examine and control which sources
contribute to the rnd(4) randomness pool. Using this command is it possible
to discover if the pchb0 device is contributing to the randomness pool, and
also to disable this input in an existing kernel if you suspect the 82802
device has been falsely detected.
In general, it is desirable to mix data from a wide range of sources into
the rnd(4) pool, and several types of devices are enabled by default,
including disks and user-input devices such as keyboards and mice. On some
hardware, none of these devices may exist or be used, and thus little or no
good-quality random data may be contributed to the pool. Network devices
are disabled by default, but owners of such systems should consider enabling
them if no other sources are available.
To correct the false detection of Intel RNG hardware, for all NetBSD versions,
you need to obtain fixed kernel sources, rebuild and install the new kernel,
and reboot the system.
The fixed source may be obtained from the NetBSD CVS repository.
The following instructions briefly summarise how to upgrade your
kernel. In these instructions, replace:
ARCH with your architecture (from uname -m), and
KERNCONF with the name of your kernel configuration file.
To update from CVS, re-build, and re-install the kernel for any of
the netbsd-2, netbsd-2-0, netbsd-2-1, netbsd-3 or netbsd-3-0 branches:
# cd src
# cvs update -d -P sys/arch/i386/pci/pchb_rnd.c
# ./build.sh kernel=KERNCONF
# mv /netbsd /netbsd.old
# cp sys/arch/ARCH/compile/obj/KERNCONF/netbsd /netbsd
# shutdown -r now
To update from CVS, re-build, and re-install the kernel for
the -current (a.k.a HEAD) branch:
# cd src
# cvs update -d -P sys/arch/x86/pci/pchb_rnd.c
# ./build.sh kernel=KERNCONF
# mv /netbsd /netbsd.old
# cp sys/arch/ARCH/compile/obj/KERNCONF/netbsd /netbsd
# shutdown -r now
For more information on how to do this, see:
http://www.NetBSD.org/guide/en/chap-kernel.html
Thanks To
=========
Matthias Scheler for reporting the bug and implementing the fixes.
Thor Lancelot Simon for initial identification and discussion of the issue.
Revision History
================
2006-04-12 Initial release
More Information
================
Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at
ftp://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2006-009.txt.asc
Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/.
Copyright 2006, The NetBSD Foundation, Inc. All Rights Reserved.
Redistribution permitted only in full, unmodified form.
$NetBSD: NetBSD-SA2006-009.txt,v 1.11 2006/04/12 22:09:50 adrianp Exp $
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (NetBSD)
iQCVAwUBRD1+jD5Ru2/4N2IFAQIiZQQAunM8esJbsKmK6HngUuDS2wRhHCXiWR1t
/fnp1HZFR+oOaLAOru9YYNSM9JZCdGKs8JGn2QPkr5GE98sLOyqqquNlBJ0pxnCY
oNTi33UndMxIETapPZU7EnRsqhyDzF/0Xfy6egjhSVepIDVV8gSTnV0wnyFTAzB+
MJFjCsMcHTw=
=iCSI
-----END PGP SIGNATURE-----