TPMs and random numbers [LWN.net]

From:		"H. Peter Anvin" <hpa-AT-zytor.com>
To:		Leonidas Da Silva Barbosa <leosilva-AT-linux.vnet.ibm.com>, Ashley Lai <ashley-AT-ashleylai.com>, Rajiv Andrade <mail-AT-srajiv.net>, Marcel Selhorst <tpmdd-AT-selhorst.net>, Sirrix AG <tpmdd-AT-sirrix.com>, Linux Kernel Mailing List <linux-kernel-AT-vger.kernel.org>, Jeff Garzik <jgarzik-AT-pobox.com>, "Ted Ts'o" <tytso-AT-mit.edu>, Kent Yoder <key-AT-linux.vnet.ibm.com>, David Safford <safford-AT-watson.ibm.com>, Mimi Zohar <zohar-AT-us.ibm.com>, "Johnston, DJ" <dj.johnston-AT-intel.com>
Subject:		TPMs and random numbers
Date:		Mon, 09 Sep 2013 14:11:51 -0700
Message-ID:		<522E3997.9030109@zytor.com>
Archive-link:		Article, Thread

It recently came to my attention that there are no standards whatsoever
for random number generated by TPMs.  In fact, there *are* TPMs where
random numbers are generated by an encrypted nonvolatile counter (I do
not know which ones); this is apparently considered acceptable for the
uses of random numbers that TPMs produce.

There are two issues with this from a Linux point of view.  One, we
harvest supposed entropy from the TPM for /dev/*random use via
/dev/hwrng and rngd.  This was something I originally proposed because
on a lot of platforms it is the only available entropy source with any
significant bandwidth.  However, in light of the above it is
questionable at best, at least with entropy being credited.

The other issue is that we use tpm_get_random() *directly* in
security/keys/trusted.c.

I don't know what the policy ought to be, but I suspect we should ask
the question.

	-hpa

(Log in to post comments)