[Bug 222807] PURE entropy sources are harvested but not mixed in. Also, min-entropy low per SP800-90B measurements

bugzilla-noreply at freebsd.org bugzilla-noreply at freebsd.org
Fri Oct 6 00:45:03 UTC 2017


https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=222807

            Bug ID: 222807
           Summary: PURE entropy sources are harvested but not mixed in.
                    Also, min-entropy low per SP800-90B measurements
           Product: Base System
           Version: CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: kern
          Assignee: freebsd-bugs at FreeBSD.org
          Reporter: badfilemagic at gmail.com

Created attachment 186932
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=186932&action=edit
patche that enable "pure" entropy sources such as RDRND to actually be mixed

At vBSDCon, JMG and I co-presented a talk on an entropy analysis and audit on
/dev/random that we conducted out of mutual interest. In the course of our
work, we found the following:

* so-called "PURE" sources of entropy, such as RDRND on Intel chips, are
harvested however the results of the harvest are never mixed in due to the
harvest mask bit never being set, with no way to set it.

* Conducting an SP800-90B entropy analysis on the non-IID track for
non-whitened entropy (the data fed into randomdev_hash_iterate, essentially),
min-entropy is rather low because of a) the trng sources weren't being mixed,
and b) there is a lot of repeat and predictable garbage that is of no value in
the harvest_event structure, especially for events with only 4 bytes worth of
data from their source in the he_entropy field.

Attached are patches which correct these two issues. They are from work done
downstream with the HardenedBSD team and have been tested.

-- 
You are receiving this mail because:
You are the assignee for the bug.


More information about the freebsd-bugs mailing list