tech-kern archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: Lightweight support for instruction RNGs



> On Dec 19, 2015, at 7:37 PM, Thor Lancelot Simon <tls%panix.com@localhost> wrote:
> 
> I was playing with code for a RDRAND/RDSEED entropy source and it
> just felt like -- much like opencrypto is poorly suited for crypto
> via unprivileged CPU instructions -- our rndsource interface is
> a little too heavy for CPU RNGs implemented as instructions.
> 
> I came up with the attached, which mixes in entropy from a new
> "cpu_rng" each time samples are added to the global rndpool.

That's a good thing to do.

I'm puzzled by some of  the comments.  There is never any downside, security wise, to stirring more entropy into the RNG.  If the entropy source data does not have good properties, then there is no benefit, but it can't ever hurt.  For example, stirring 1000 zero bytes in is pointless, but also harmless (ignoring the computation used to do the stirring).

In our MIPS based embedded system we made this exact change, stirring in the RNG from the Raza/Netlogic/Broadcom/whover processors (XLR and friends).  That was with the encouragement and approval of our Common Criteria evaluators.

	paul


Home | Main Index | Thread Index | Old Index