Seems inverse.
Do we?
HulaHoop:
pseudo solution
I.e. not secure solution.
Idea in above post would result in exactly the opposite of my idea. It would be similar to renaming /dev/random to /dev/random_original and then symlinking from /dev/urandom to /dev/random. Does not seem secure. (But this is based on some assumptions which are likely false anyhow as per Entropy, Randomness, /dev/random vs /dev/urandom, Entropy Sources, Entropy Gathering Daemons, RDRAND but still bad optics.)
It is secure. He does not know what we do about the difference between the random and urandom and that all that matters is early boot initialization of the RNG - they both use the same pool. The point is we are trying to eliminate the blocking for any software that insists on using random.
Patrick:
Do we?
No. This part is besides the point. We are not interested in hwrng as a source but this daemon can be repurposed to feed random from urandom without any symlinking hacks.
It is all about the initialization of the pool which jitternentropy handles well to prevent bad seeds from being used. Otherwise there is no meaningful difference. We saw in DJB’s post that the idea if entropy being exhausted is laugable when the output of a single symmetric key is more than enough.
Instead of messing around with the naming and links you are achieving the same effect of feeding random to prevent blocking without complications.
EDIT:
1 Like
I asked and Stephan Mueller @smuellerDD is the author of jitterentropy-rng who also re-worked Linux kernel entropy replied:
opened 06:20PM - 02 Feb 20 UTC
closed 03:04PM - 21 Jul 20 UTC
Hi Stephan. I was wondering if adding more entropy gathering daemons (haveged,tw… uewand and timer_entropyd) that use cpu jitter as their source too, actually increases the real system entropy? Does the unique algo used by each help?
We are considering twuewand to combat the problem of distros enabling trust of hw cpu rngs which in some cases are broken and output repeating numbers, if malicious outright. We are especially worried about the quality of the initial seed. Does jitterentropy help in this case?
cc/ @adrelanos
From from @smuellerDD from here but the whole ticket is an interesting read:
opened 04:36PM - 08 Mar 15 UTC
closed 09:39PM - 23 Mar 22 UTC
T: enhancement
C: other
P: major
crypto
ux
**Reported by joanna on 15 Nov 2012 19:03 UTC**
While this is only my feeling, I… suspect that the entropy collection daemon in our VMs needs some improvements.. This is because of the limited interaction with the physical world of each VM (e.g. mouse events go via vchan instead of via kernel module in a VM).
This can be easily noticed when one tries to generate a new GPG key in a VM -- the gpg would complain about inadequate entropy that is available and will hang until more is produced. One can produce more entropy via various disk activities (e.g. grep through the filesystem), however this:
1) Isn't very convenient
2) It's questionable whether such entropy is of "first-class freshness", or is it somehow inferior to the entropy that could be collected with the help of mouse movements, etc.?
It would probably be desirable to create some entropy producing device that would run in each of the VMs, and to feed this device from Dom0 or other domains exposed to physical hardware (netvm, usbvm?). One should be careful, however, not to distribute the same "entropy bits" to more than one domain, as this would likely compromise domain isolation.
Migrated-From: https://wiki.qubes-os.org/ticket/673
Interesting discussion generally:
opened 04:04PM - 06 Oct 21 UTC
T: bug
C: other
P: default
needs diagnosis
Originally brought up by me in https://github.com/QubesOS/qubes-issues/issues/61… 74#issuecomment-936180012
> > > [0.048xxx] random: crng done (trusting CPU's manufacturer)
> >
> >
> > This! I've just rechecked the failed log, and I don't see `trusting CPU's manufacturer` part there. And indeed that CPU does not support RDRAND. This means, the extreme issue I see, applies only to quite old systems (and hopefully does not affect majority of our users - even good old x230 already has RDRAND). So, I'm lowering the priority. But it's still worth improving the situation.
>
> Strongly discouraged to rely on RDRAND for security / entropy quality anyhow as per: https://www.whonix.org/wiki/Dev/Entropy#RDRAND
@marmarek https://github.com/QubesOS/qubes-issues/issues/6174#issuecomment-936226779:
> > Strongly discouraged to rely on RDRAND for security / entropy quality anyhow as per:
>
> In context of _this issue_, it is not a problem, because stubdomain does not use RNG for any security critical task. There is not crypto involved etc. One could argue it may make ASLR for qemu less effective, but we don't consider qemu trusted, so it is not a huge deal (and remember the RDRAND issues are still very hypothetical - see below).
>
> In a broader context of RDRAND, I don't think we should worry about _backdoors_ there. Or rather: if you consider intentional backdoors in your CPU a valid threat, throw away that CPU. There is no really a difference how such hypothetical backdoor could work - whether that would be predictable RDRAND, [reacting to some magic values to any other instruction](http://blog.cr4.sh/2015/07/building-reliable-smm-backdoor-for-uefi.html), or anything else. We could worry about its effectiveness - not intentional bugs, which indeed is hard to reason about, since its being opaque.
Seems like I need to make a better argument.
Quote https://www.kernel.org/doc/html/latest/admin-guide/kernel-parameters.html
> random.trust_cpu={on,off}
>
> [KNL] Enable or disable trusting the use of the CPU's random number generator (if available) to fully seed the kernel's CRNG. Default is controlled by CONFIG_RANDOM_TRUST_CPU.
The name of the kernel parameter `random.trust_cpu` is a bit non-ideal. There is no need to invoke big words such as "trust" or "backdoor" for the sake of this argument. Not even trust or a backdoor is required for this being an issue. Even a bug that happened in past would justify this change.
Ars Technica reported, [AMD shipped Ryzen 3000 with a serious microcode bug in its random number generator.](https://arstechnica.com/gadgets/2019/10/how-a-months-old-amd-microcode-bug-destroyed-my-weekend/) Lennart Poettering (@poettering) [summarized](https://twitter.com/pid_eins/status/1149649806056280069) the issue nicely.
> Finally, AMD admits it's their fault, and they are preparing a BIOS update to fix RDRAND. You probably should avoid running a CONFIG_RANDOM_TRUST_CPU=y Linux kernel (Fedora) on a Ryzen system without that BIOS update, or all crypto keys generated are not as random as you hope.
That bug that gladly was discovered and publicized by a white hat. Due to the large amount of different CPU models, different batches it's not a good idea to rely on white hats to swiftly report it.
Or this other bug [Kernel bug report from 2014, rdrand instruction fails after resume on AMD family 22 CPU](https://bugzilla.kernel.org/show_bug.cgi?id=85911).
"[D. J. Bernstein isn't a fan of RDRAND either.](https://groups.google.com/g/randomness-generation/c/z3Uid45DV34)" In the same mailing list thread someone else posted:
> On https://spideroak.com/browse/share/UTwente/RNG/Tests/NIST-STS/ you can find the results of randomness tests of several random generators including RDRAND.
>
> In the document No_of_failures_calculation.txt you can find the used testing method and the test results.
>
> The actual number of failed tests of RDRAND deviates more then 4 sigma from the expected number of failed tests.
>
> The used software can also be downloaded from the same link so these tests can be reproduced.
>
> As you also can see the XOR_SHIFT PRNG and the Picoquant PQRNG150 TRNG pass the tests with a number of failed tets within the 3 sigma deviation so the tests seem to work fine.
I didn't verify the latter but for my part I've seen enough.
`random.trust_cpu=on` means that [`RDRAND`](https://en.wikipedia.org/wiki/RDRAND) has a privileged position within Linux entropy gathering process.
`random.trust_cpu=off` makes it only a "normal" ("unprivileged") source of entropy among other sources (such as keyboard, mouse, CPU jitter, and the usual).
----
Current kernel entropy sources in Qubes are:
* "privileged": RDRAND
* "unprivileged": keyboard, etc.
Suggested kernel entropy sources:
* "privileged": none
* "unprivileged": RDRAND, keyboard, etc.
----
`random.trust_cpu=on` advantages:
* Perhaps negligibly faster boot of dom0?
`random.trust_cpu=off` advantages:
* Being used as 1 entropy source normally, equal rights with other entropy sources. It doesn't disable RDRAND entirely.
----
[security-misc](https://github.com/Whonix/security-misc/) does it. (#1885)
Perhaps we can ask for his opinion on vanheusden’s other entropy utilities discussed here .
These have since been removed from the live site but they live on archive.org
Ask him about Turbid listed on /Dev/entropy . It looks very interesting too.
1 Like
Patrick
October 11, 2021, 5:02pm
26
We should contact author first. I don’t think we ever did that yet?
Never looked more closely, because…
https://www.av8n.com/turbid/paper/turbid.htm
4 Configuration and CalibrationNote: You can skip this section if you’ve been given a suitable turbid.tbd configuration file and mixer configuration (.ctl) file.
Configuration is important. It is remarkably easy to mis-configure a soundcard in such a way that it produces much less randomness than it otherwise would. This section outlines the general procedure; see appendix B for details on specific soundcards.
…doesn’t seem like a drop-in solution. Maybe since lots of assumptions from the paper if I got that right (such as lots of entropy required and reseeding required) aren’t state of the art anymore… Could ask the author if turbid even uncalibrated could gather 256-bits of entropy in a reasonable timeframe? Even less might be OK since it would only be an additional mix-in.
No we only contacted randomsound’s author and he gave is discouraging feedback. Not sure if this applies to all sound entropy as a concept or just his implementation.
1 Like