Where does the new Ivy Bridge HWRNG and RDRAND instruction fit into all this? Does it require applications to be updated to support the instruction or can they benefit otherwise?
I was bringing up a new laptop last weekend and noticed a message in the boot log that no hardware RNG was found which I thought was odd. I don't seem to have a /dev/hwrng either. I wonder if I configured something incorrectly.
Posted Nov 23, 2012 9:38 UTC (Fri) by etienne (subscriber, #25256)
It is probably possible to make security software believe that the assembly instruction to get a random value is present in the processor, but in fact it will trap, and a trojan will give you a fully predictable value which only looks random.
LCE: Don't play dice with random numbers
Posted Nov 23, 2012 20:03 UTC (Fri) by nix (subscriber, #2304)
I suspect you'd need root and/or kernel mode or virtualization to set up such a trap, upon which all bets are off anyway (it could just e.g. ptrace() the process and replace the rdrand with a straight mov or call to attacker-controlled code).
LCE: Don't play dice with random numbers
Posted Nov 23, 2012 20:35 UTC (Fri) by bjencks (subscriber, #80303)
It's a non-privileged instruction, so it doesn't need any kernel mediation through /dev/hwrng. Applications can, if they want, use it directly. For example, OpenSSL has a random engine you can call with "openssl rand -engine rdrand <bits>" that just calls rdrand and returns the bits.
However, most applications get their entropy from /dev/[u]random, so for them to benefit you need to feed the kernel pools from it. Modern rngd does this by calling the instruction directly in user-mode and then pushing the entropy to the kernel. Additionally, as described in the article, if you have a 3.6+ kernel with "Architectural RNG" enabled, it xors rdrand output with all random and urandom reads.
You can check if rdrand is available with "grep rdrand /proc/cpuinfo".
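The user-mode path bjencks describes (detect the instruction, call rdrand directly as rngd does, then mix the output into pool data the way the 3.6 kernel does), as an added example that is not code from the article, rngd or OpenSSL; it assumes GCC/Clang on x86-64 and returns "unsupported" on any other build.

```c
/* Added example: CPUID detection of RDRAND, a direct user-mode call that
 * handles the CF=0 "no data ready" case, and XOR-mixing into pool data. */
#include <stdint.h>
#ifdef __x86_64__
#include <cpuid.h>
#endif
#define RDRAND_CPUID_BIT (1u << 30) /* CPUID.01H:ECX bit 30 */
#define RDRAND_RETRIES   10         /* Intel's recommended retry budget */

/* 1 if the CPU advertises RDRAND (same fact as "grep rdrand /proc/cpuinfo"). */
int rdrand_supported(void)
{
#ifdef __x86_64__
    unsigned int eax, ebx, ecx, edx;
    if (!__get_cpuid(1, &eax, &ebx, &ecx, &edx))
        return 0;
    return (ecx & RDRAND_CPUID_BIT) != 0;
#else
    return 0; /* non-x86-64 build: instruction absent */
#endif
}

/* One attempt. CF=1: *out holds 64 fresh bits. CF=0: *out is garbage, retry. */
static int rdrand64_once(uint64_t *out)
{
#ifdef __x86_64__
    unsigned char ok;
    __asm__ volatile("rdrand %0\n\tsetc %1" : "=r"(*out), "=qm"(ok) : : "cc");
    return ok;
#else
    (void)out;
    return 0;
#endif
}

/* Bounded retries; 0 means RDRAND is absent or kept failing, which callers
 * must treat as "no hardware entropy", never as usable random data. */
int rdrand64_retry(uint64_t *out)
{
    if (!rdrand_supported())
        return 0;
    for (int i = 0; i < RDRAND_RETRIES; i++)
        if (rdrand64_once(out))
            return 1;
    return 0;
}

/* XOR RDRAND output into a word drawn from the existing pool, as the 3.6
 * kernel does: a faulty RDRAND cannot make the result worse than the pool. */
uint64_t mix_with_pool(uint64_t pool_word, uint64_t rdrand_word)
{
    return pool_word ^ rdrand_word;
}
```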
LCE: Don't play dice with random numbers
Posted Nov 24, 2012 6:05 UTC (Sat) by dirtyepic (subscriber, #30178)
Thanks for the info. With 3.6 it seems to be working.