Current-Users archive


Re: regarding the changes to kernel entropy gathering



> Date: Sun, 04 Apr 2021 12:58:09 -0700
> From: "Greg A. Woods" <woods%planix.ca@localhost>
> References: <m1lSlsj-0036x9C@more.local>
> 	<20210404094958.692F36085F%jupiter.mumble.net@localhost>
> 
> At Sun, 4 Apr 2021 09:49:58 +0000, Taylor R Campbell <riastradh%NetBSD.org@localhost> wrote:
> Subject: Re: regarding the changes to kernel entropy gathering
> >
> > Your change _creates_ the lie that every bit of data entered this way
> > is drawn from a source with independent uniform distribution.
> 
> No, my change _allows_ the administrator to decide which devices can be
> used as estimating/counting entropy sources.  For example I know that
> many of the devices on almost all of my machines (virtual or otherwise)
> are equally good sources of entropy for their uses.

If you know this (and this is something I certainly can't confidently
assert!), you can write 32 bytes to /dev/random, save a seed, and be
done with it.

But users who don't go messing around with obscure rndctl settings in
rc.conf will be proverbially shot in the foot by this change -- except
they won't notice because there is practically guaranteed to be no
feedback whatsoever for a security disaster until their systems turn
up in a paper published at Usenix like <https://factorable.net/>.

What your change does is equivalent to going around to every device
driver that previously said `this provides zero entropy, or I don't
know how much entropy it provides' and replacing that claim by `this
is a sample of an independent and perfectly uniform random string of
bits', which is a much stronger (and falser) claim than even the old
`entropy estimation' confabulation that NetBSD used to do.
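
An added illustration of the over-crediting described in this message (not part of the original post and not NetBSD code): it compares the credit given when every bit is counted as independent and uniform with a simplified most-common-value estimate over constructed sample bytes. All function names and the sample data are assumptions made for the example; the samples are generated deterministically, so their real entropy is zero.

```python
import math
from collections import Counter


def full_credit_bits(samples: bytes) -> int:
    """Credit if every bit is counted as independent and uniform."""
    return 8 * len(samples)


def mcv_min_entropy_bits(samples: bytes) -> float:
    """Most-common-value min-entropy estimate, assuming i.i.d. samples.

    Simplified from the NIST SP 800-90B MCV estimator (no confidence
    interval). It is an optimistic ceiling, not a measurement: it sees
    only byte frequencies, never correlation between samples.
    """
    if not samples:
        return 0.0
    p_max = max(Counter(samples).values()) / len(samples)
    return -math.log2(p_max) * len(samples)


def constructed_device_samples(n: int) -> bytes:
    """Constructed data: a 'timing' byte that is usually 0x40 with a
    fixed jitter pattern. Not taken from any real driver."""
    out = bytearray()
    for i in range(n):
        jitter = 1 if i % 8 == 3 else 2 if i % 16 == 7 else 0
        out.append(0x40 + jitter)
    return bytes(out)


def overcredit_ratio(samples: bytes) -> float:
    """How many times larger the full-entropy credit is than the estimate."""
    est = mcv_min_entropy_bits(samples)
    return math.inf if est == 0 else full_credit_bits(samples) / est


if __name__ == "__main__":
    s = constructed_device_samples(256)
    print("full-entropy credit :", full_credit_bits(s), "bits")
    print("MCV ceiling (i.i.d.):", round(mcv_min_entropy_bits(s), 1), "bits")
    print("over-credit factor  :", round(overcredit_ratio(s), 1))
```

Even the frequency-based ceiling still reports tens of bits for a sequence that is fully predictable, so neither figure is a safe basis for crediting entropy from a source nobody has analysed.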

