tech-kern archive


Re: kaslr: better rng



Following a conversation with Taylor, I ended up with the following
implementation for the prekern [1] [2]. It uses a set of seeds that are
hashed together in rounds, and it doesn't use an additional file.

It is based on the SHAKE256 hash function, which can produce a variable
sized output. We use an area of 32 bytes, and regenerate it as many times
as needed.

The first time, it is generated with:

	area = SHAKE256(entropy-file, rdseed, rdtsc)

When all of the bytes in the area have been consumed, it is regenerated
this way:

	area = SHAKE256(area, rdseed, rdtsc)

The SHAKE/Keccak code is from Taylor, I just added prng_* wrappers.

rdseed and rdtsc each give an 8-byte seed, and entropy-file gives a 512-byte
one. We don't checksum the latter, because we would need SHA1, which I am
not implementing here.

Feel free to tell me if there's something obviously wrong in all of this;
I won't hide that PRNGs are not things I work on every day.

[1] http://m00nbsd.net/garbage/prekern/prng.c
[2] http://m00nbsd.net/garbage/prekern/prng.diff
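An added worked example of the construction described above, in C. It is not the prekern's prng.c nor Taylor's SHAKE code: the Keccak-f[1600] core uses the usual compact public-domain layout, rdseed/rdtsc are stubbed with constructed counters (`stub_rdseed`, `stub_rdtsc`, both hypothetical) so it runs offline, and the 512-byte "entropy-file" is constructed inline. It includes a FIPS 202 known-answer check for SHAKE256(""), which is the kind of self-test a reviewer would want next to any hand-rolled Keccak, and a check that draining the 32-byte area really triggers a regeneration.

```c
/* Added example, not the prekern's prng.c: a SHAKE256-backed PRNG in the shape the
 * post describes (32-byte area, regenerated from the old area plus fresh rdseed/rdtsc
 * when drained). Compact Keccak-f[1600]; rdseed/rdtsc are stubbed with constructed values. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#define ROTL64(x, n) (((x) << (n)) | ((x) >> (64 - (n))))
#define RATE 136        /* SHAKE256 block: (1600 - 2*256) / 8 bytes */
#define AREA_SIZE 32
static const uint64_t RC[24] = {
    0x0000000000000001ULL, 0x0000000000008082ULL, 0x800000000000808aULL, 0x8000000080008000ULL,
    0x000000000000808bULL, 0x0000000080000001ULL, 0x8000000080008081ULL, 0x8000000000008009ULL,
    0x000000000000008aULL, 0x0000000000000088ULL, 0x0000000080008009ULL, 0x000000008000000aULL,
    0x000000008000808bULL, 0x800000000000008bULL, 0x8000000000008089ULL, 0x8000000000008003ULL,
    0x8000000000008002ULL, 0x8000000000000080ULL, 0x000000000000800aULL, 0x800000008000000aULL,
    0x8000000080008081ULL, 0x8000000000008080ULL, 0x0000000080000001ULL, 0x8000000080008008ULL };
static const int RHO[24] = {1,3,6,10,15,21,28,36,45,55,2,14,27,41,56,8,25,43,62,18,39,61,20,44};
static const int PI[24]  = {10,7,11,17,18,3,5,16,8,21,24,4,15,23,19,13,12,2,20,14,22,9,6,1};

/* Keccak-f[1600]: theta, rho+pi, chi, iota, 24 rounds over 25 little-endian 64-bit lanes. */
static void keccakf(uint64_t st[25]) {
    uint64_t bc[5], t;
    for (int r = 0; r < 24; r++) {
        for (int i = 0; i < 5; i++) bc[i] = st[i] ^ st[i+5] ^ st[i+10] ^ st[i+15] ^ st[i+20];
        for (int i = 0; i < 5; i++) { t = bc[(i+4)%5] ^ ROTL64(bc[(i+1)%5], 1); for (int j = 0; j < 25; j += 5) st[j+i] ^= t; }
        t = st[1];
        for (int i = 0; i < 24; i++) { int j = PI[i]; bc[0] = st[j]; st[j] = ROTL64(t, RHO[i]); t = bc[0]; }
        for (int j = 0; j < 25; j += 5) {
            for (int i = 0; i < 5; i++) bc[i] = st[j+i];
            for (int i = 0; i < 5; i++) st[j+i] ^= (~bc[(i+1)%5]) & bc[(i+2)%5];
        }
        st[0] ^= RC[r];
    }
}

typedef struct { uint64_t st[25]; size_t pos; int squeezing; } shake256_t;
static void shake256_init(shake256_t *c) { memset(c, 0, sizeof *c); }

/* XOR bytes into the lanes; chaining absorb calls gives the post's SHAKE256(a, b, c). */
static void shake256_absorb(shake256_t *c, const void *data, size_t len) {
    const uint8_t *p = data;
    for (size_t i = 0; i < len; i++) {
        c->st[c->pos / 8] ^= (uint64_t)p[i] << (8 * (c->pos % 8));
        if (++c->pos == RATE) { keccakf(c->st); c->pos = 0; }
    }
}

/* First call applies the SHAKE pad (0x1F ... 0x80); output length is arbitrary. */
static void shake256_squeeze(shake256_t *c, uint8_t *out, size_t len) {
    if (!c->squeezing) {
        c->st[c->pos / 8] ^= (uint64_t)0x1F << (8 * (c->pos % 8));
        c->st[(RATE - 1) / 8] ^= (uint64_t)0x80 << (8 * ((RATE - 1) % 8));
        keccakf(c->st); c->pos = 0; c->squeezing = 1;
    }
    for (size_t i = 0; i < len; i++) {
        if (c->pos == RATE) { keccakf(c->st); c->pos = 0; }
        out[i] = (uint8_t)(c->st[c->pos / 8] >> (8 * (c->pos % 8))); c->pos++;
    }
}

/* Stand-ins for RDSEED/RDTSC (constructed counters, so the example runs offline and
 * deterministically); the real prekern reads the hardware instructions here. */
static uint64_t stub_rdseed(void) { static uint64_t n = 0x1122334455667788ULL; return n += 0x9E3779B97F4A7C15ULL; }
static uint64_t stub_rdtsc(void)  { static uint64_t t = 1000; return t += 37; }

typedef struct { uint8_t area[AREA_SIZE]; size_t used; } prng_t;

/* area = SHAKE256(seed, rdseed, rdtsc): seed is the entropy-file the first time and the
 * fully consumed previous area afterwards (seed may alias p->area: absorb finishes first). */
static void prng_refill(prng_t *p, const void *seed, size_t seedlen) {
    shake256_t c; uint64_t s = stub_rdseed(), t = stub_rdtsc();
    shake256_init(&c);
    shake256_absorb(&c, seed, seedlen);
    shake256_absorb(&c, &s, sizeof s);
    shake256_absorb(&c, &t, sizeof t);
    shake256_squeeze(&c, p->area, AREA_SIZE);
    p->used = 0;
}
static void prng_init(prng_t *p, const uint8_t *entropy, size_t len) { prng_refill(p, entropy, len); }
static void prng_get_bytes(prng_t *p, uint8_t *out, size_t len) {
    for (size_t i = 0; i < len; i++) {
        if (p->used == AREA_SIZE) prng_refill(p, p->area, AREA_SIZE);
        out[i] = p->area[p->used++];
    }
}

/* Known answer: first 32 bytes of SHAKE256("") from the FIPS 202 example vectors. */
static int shake256_known_answer(void) {
    static const uint8_t kat[32] = {
        0x46,0xb9,0xdd,0x2b,0x0b,0xa8,0x8d,0x13,0x23,0x3b,0x3f,0xeb,0x74,0x3e,0xeb,0x24,
        0x3f,0xcd,0x52,0xea,0x62,0xb8,0x1b,0x82,0xb5,0x0c,0x27,0x64,0x6e,0xd5,0x76,0x2f };
    shake256_t c; uint8_t out[32];
    shake256_init(&c); shake256_squeeze(&c, out, 32);
    return memcmp(out, kat, 32) == 0;
}

/* Drain two areas from a constructed 512-byte "entropy-file": the second area must come
 * from a regeneration, not repeat the first. Returns 1 on success. */
static int prng_selftest(void) {
    uint8_t entropy[512], out[2 * AREA_SIZE]; prng_t p;
    for (size_t i = 0; i < sizeof entropy; i++) entropy[i] = (uint8_t)(i * 7 + 3);
    prng_init(&p, entropy, sizeof entropy);
    prng_get_bytes(&p, out, sizeof out);
    return p.used == AREA_SIZE && memcmp(out, out + AREA_SIZE, AREA_SIZE) != 0;
}
```

Two design points worth noting against the post: the three inputs are absorbed back to back with no length framing, so SHAKE256(a, b, c) is really SHAKE256(a || b || c); since rdseed and rdtsc are fixed 8-byte fields that is unambiguous here, but it would matter if an input of variable length ever preceded another. And because the refill consumes fresh rdseed/rdtsc each time, the old area alone never determines the next one, which is the property the regeneration step is there to provide.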

