Re: regarding the changes to kernel entropy gathering

[RVP <rvp%SDF.ORG@localhost>]

On Sun, 4 Apr 2021, Taylor R Campbell wrote:

> No, because the output of /dev/random and /dev/urandom is the output
> of a pseudorandom number generator that meets modern standards of
> security.
>
> If anyone had _ever_ published statistical tests that the PRNG failed
> in a detectable way, then (a) this would be an earthshattering
> development in the cryptography literature, which would be hotly
> discussed in much more significant forums than NetBSD mailing lists,
> and (b) we would stop using this PRNG and switch to another one.

Right. Well, it's been quite a few years since I ran this sort of test
on /dev/*random, and things, obviously, have been fixed. (Back in the
early 2000s, the tests I mentioned turned up their noses at /dev/random
data from the Linux kernel.)

Then, the issue here is one of predictability. NetBSD doesn't want, for
extremely valid reason, to incorporate any perturbation sources which
have been pooh-poohed in the technical literature. But, its /dev/random
is good enough that no statistical tests of randomness will fail it.

Hmm. I have to say, that now I find myself not disagreeing with Greg's
point of view: Maybe NetBSD's default is too strict and a knob like
kern.entropy.use_pooh_poohed_sources=1 would not be a bad thing for
some users--with all appropriate sysinst warnings of course.

Or, perhaps statistical tests of the raw in-kernel sources will demonstrate
exactly why things like timing jitter have been pooh-poohed in the
literature?

-RVP

PS: As an aside, I'm perfectly OK with the choices currently made in 9.99:
``if there's any doubt, leave it out''