tech-kern archive


Re: regarding the changes to kernel entropy gathering



> Date: Tue, 06 Apr 2021 07:55:54 -0400
> From: Greg Troxel <gdt%lexort.com@localhost>
> 
> Thor Lancelot Simon <tls%panix.com@localhost> writes:
> 
> > shuts down, again all entropy samples that have been added (which, again,
> > are accumulating in the per-cpu pools) are propagated to the global pool;
> > all the stream RNGs rekey themselves again; then the seed is extracted.
> 
> It seems obvious to me that "extracting" the seed should be done in such
> a way that the state of the internal rng is still unpredictable from the
> saved seed, even if the state of the newly-booted rng will be
> predictable.  Perhaps by pulling 256 bytes from urandom, perhaps by
> something more direct and then some sort of hash/rekey to get back
> traffic protection.
> 
> Probably this is already done in a way much better thought out than my
> 30s reaction, the man page doesn't really say this, at least that I
> could follow; rndctl -S says "save entropy pool".

`rndctl -L' follows the procedure outlined in

	Niels Ferguson, Bruce Schneier, and Tadayoshi Kohno,
	_Cryptography Engineering_, Wiley, 2010, Sec. 9.6.2 `Update
	Seed File', p. 156

to safely update the seed file.  The procedure is roughly:

1. Load the old seed.
2. Feed the old seed into the kernel.
3. Generate and write a new seed.
4. Erase the old seed if we can.

Some details specific to NetBSD:

- The new seed file is derived by hashing the old seed file together
  with output from /dev/urandom, after consolidating entropy in the
  per-CPU pools.

- The new seed file is written and fsync'd, and then moved into place
  with rename(), and then the old seed file is zero'd and fsync'd
  in-place.

This would be a lot of detail to put in the man page.  But I did add a
note that the file doesn't disclose past secrets -- does that help?
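
The four steps and the NetBSD write/rename/zero ordering described in the message above, as an added sketch in Python; this is not rndctl's code and not part of the original message. Assumptions: SHA-256 as the hash (the message names none), the `.tmp` suffix, and the hypothetical `feed_kernel` callback standing in for the kernel interface; consolidation of the per-CPU pools happens in the kernel and is not modelled.

```python
import hashlib
import os
import tempfile


def update_seed_file(path, feed_kernel):
    """Replace the seed at `path`; return the new seed bytes."""
    # 1. Load the old seed, keeping a descriptor on the old inode so it can
    #    still be overwritten after rename() has replaced the name.
    old_fd = os.open(path, os.O_RDWR)
    try:
        old = os.read(old_fd, os.fstat(old_fd).st_size)
        # 2. Feed the old seed into the kernel (hypothetical callback here).
        feed_kernel(old)
        # 3. New seed = H(old seed || fresh output), drawn after step 2.
        #    SHA-256 is an assumption; the message names no hash.
        new = hashlib.sha256(old + os.urandom(32)).digest()
        tmp = path + ".tmp"
        fd = os.open(tmp, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        try:
            os.write(fd, new)
            os.fsync(fd)          # new seed is durable before it gets the name
        finally:
            os.close(fd)
        os.rename(tmp, path)      # atomic swap: a crash leaves old or new seed
        # 4. Erase the old seed in place, best effort ("if we can").
        os.lseek(old_fd, 0, os.SEEK_SET)
        os.write(old_fd, b"\0" * len(old))
        os.fsync(old_fd)
    finally:
        os.close(old_fd)
    return new


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        seed_path = os.path.join(d, "seed")       # constructed sample file
        with open(seed_path, "wb") as f:
            f.write(b"\x11" * 32)                 # constructed old seed
        fed = []
        new_seed = update_seed_file(seed_path, fed.append)
        print("fed to kernel:", fed[0].hex())
        print("new seed file:", new_seed.hex())
```

The in-place overwrite in step 4 only reaches the old blocks on filesystems that write in place; on copy-on-write or flash-translated storage the old contents may survive, which is why the step is best effort.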

