Re: kaslr: better rng

[Maxime Villard <max%m00nbsd.net@localhost>]

Le 06/11/2017 à 18:35, Taylor R Campbell a écrit :
> > Date: Mon, 6 Nov 2017 07:30:35 +0100
> > From: Maxime Villard <max%m00nbsd.net@localhost>
> >
> > I would like to use a system similar to the /var/db/entropy-file
> > implementation.  That is to say, when running the system generates
> > /var/db/random-file, which would contain at least 256bytes of random
> > data. When booting the bootloader reads this file, can use some of
> > its bytes to get random values. It then gives the file to the
> > prekern which will use some other parts of it. The prekern finally
> > gives the file to the kernel which can use the rest.
>
> Seems to me we should just use one file, and the bootloader should use
> it as a seed for a PRNG from which it draws
>
> (a) kaslr bits, and
> (b) a seed for the entropy pool (which is currently just /var/db/entropy)
>
> The bootloader already reads a file.  Teaching it to have a small
> cryptographic PRNG shouldn't be too hard.  I'm still sitting on a
> draft Keccak-based entropy pool, whose Keccak implementation
> (https://mumble.net/~campbell/hg/sha3/keccak.c) likely fits in the
> constraints of a bootloader.

Well, we could indeed extend /var/db/entropy-file. However, I would really
prefer the random area to be generated from a previous run of the system, and
not from the bootloader taking a seed in the file. Unless there is a
combination of both?

Note that such a PRNG would also have to be implemented in the prekern and
in the kernel, and we would need three independent seeds.