
Pitchforks for RDSEED

Posted Feb 9, 2024 14:01 UTC (Fri) by DemiMarie (subscriber, #164188)
In reply to: Pitchforks for RDSEED by spacefrogg
Parent article: Pitchforks for RDSEED

The problem is that there is usually very little software can do to handle that failure.

Many random number generation APIs are infallible: they promise to always succeed. Always. The simplest way for software to handle this is to busy-spin until success. If the RNG is working, this succeeds with probability 1, and the likelihood of more retry loops being needed decreases exponentially with time.

I’d much rather have RDRAND use a CSPRNG like Fortuna that never runs out of entropy once seeded, block the boot until the RNG is seeded, and reseed with entropy from the TRNG whenever possible. Fortuna is designed to be secure even if the new entropy is malicious, so one can feed raw output from the TRNG without any further conditioning. Entropy estimation is then only needed to determine when, and if, RDRAND needs to block. There would be no error returns for software to check: if the TRNG is not working for long enough, you get a machine check exception.

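The design sketched in the comment above, as an added example that is not part of the original comment, of LWN, or of any kernel or CPU vendor code: a simplified Fortuna-style accumulator with 32 pools and the 2^i reseed schedule, an output API that cannot fail once seeded, a boot-time busy-spin on a TRNG that sometimes returns nothing (the way RDSEED clears CF), and an escalation once the TRNG has failed for too long. Two substitutions are assumptions made for brevity: the generator uses SHA-256 over a counter rather than Fortuna's block cipher in counter mode, and `FlakyTrng` is a constructed, deterministic stand-in for a hardware source, not an entropy source. All class and function names are hypothetical.

```python
"""Simplified Fortuna-style RNG: infallible output once seeded, raw TRNG reseeding."""
import hashlib

NUM_POOLS = 32           # Fortuna accumulates events into 32 pools
MIN_POOL0_BYTES = 64     # pool 0 must hold this much raw input before a reseed runs
MAX_TRNG_RETRIES = 1000  # spin budget before the TRNG is declared dead


class NotSeededError(Exception):
    """Output was requested before the first reseed; the caller must block, not proceed."""


class TrngDeadError(Exception):
    """The TRNG failed MAX_TRNG_RETRIES times in a row: the software analogue of the
    machine check the comment proposes, rather than an error code callers could ignore."""


def pools_used(reseed_count):
    """Fortuna's schedule: pool i is drained on reseed k exactly when 2**i divides k."""
    return [i for i in range(NUM_POOLS) if reseed_count % (1 << i) == 0]


class FortunaLikeRng:
    def __init__(self):
        self.pools = [hashlib.sha256() for _ in range(NUM_POOLS)]
        self.pool0_bytes = 0
        self.next_pool = {}  # per-source round-robin pointer into the pools
        self.key = None      # None until the first reseed
        self.counter = 0     # never reset, so generator blocks never repeat
        self.reseed_count = 0

    def add_entropy(self, source_id, data):
        """Raw, unconditioned input goes straight into a pool. The byte count on pool 0
        is the only 'entropy estimate' kept, and it only decides when a reseed may run."""
        i = self.next_pool.get(source_id, 0)
        self.pools[i].update(bytes([source_id]) + len(data).to_bytes(2, "big") + data)
        if i == 0:
            self.pool0_bytes += len(data)
        self.next_pool[source_id] = (i + 1) % NUM_POOLS
        if self.pool0_bytes >= MIN_POOL0_BYTES:
            self._reseed()

    def _reseed(self):
        self.reseed_count += 1
        used = pools_used(self.reseed_count)
        seed = b"".join(self.pools[i].digest() for i in used)
        for i in used:
            self.pools[i] = hashlib.sha256()
        self.pool0_bytes = 0
        # New key depends on the old key, so attacker-chosen events mixed in later
        # cannot replace the state, only add to it.
        self.key = hashlib.sha256((self.key or b"") + seed).digest()

    def random_bytes(self, n):
        """Infallible once seeded: no error return, never 'runs out'."""
        if self.key is None:
            raise NotSeededError("block until the first reseed has happened")
        out = bytearray()
        while len(out) < n:
            self.counter += 1
            out += hashlib.sha256(self.key + self.counter.to_bytes(16, "little")).digest()
        # Rekey after every request so a later state compromise does not reveal
        # output already handed out (Fortuna's backtracking resistance).
        self.counter += 1
        self.key = hashlib.sha256(self.key + self.counter.to_bytes(16, "little")).digest()
        return bytes(out[:n])


class FlakyTrng:
    """Constructed stand-in for RDSEED: every fail_every-th read returns nothing (RDSEED
    signals this by clearing CF); successful reads return 8 deterministic bytes so the
    example is reproducible. Not a real entropy source."""
    def __init__(self, fail_every=3, salt=b"trng"):
        self.calls = 0
        self.fail_every = fail_every
        self.salt = salt

    def read(self):
        self.calls += 1
        if self.calls % self.fail_every == 0:
            return None  # CF == 0: no data this time
        return hashlib.sha256(self.salt + self.calls.to_bytes(4, "big")).digest()[:8]


def read_trng_spinning(trng, max_retries=MAX_TRNG_RETRIES):
    """The busy-spin the comment describes: retry until the TRNG delivers a word.
    Past the budget, escalate instead of handing callers an error to check."""
    for _ in range(max_retries):
        word = trng.read()
        if word is not None:
            return word
    raise TrngDeadError("TRNG produced nothing for %d attempts" % max_retries)


def seed_from_trng(rng, trng, source_id=1):
    """Boot-time seeding: feed raw TRNG words until the first reseed has happened."""
    while rng.key is None:
        rng.add_entropy(source_id, read_trng_spinning(trng))


if __name__ == "__main__":
    rng = FortunaLikeRng()
    seed_from_trng(rng, FlakyTrng())
    print(rng.random_bytes(16).hex())
```

With 8-byte reads, 225 events are needed before pool 0 holds 64 bytes (pool 0 only receives every 32nd event from a source), so the first reseed is deliberately slow to reach and is what a boot would block on; later reseeds fold in pools 1, 2, ... on the schedule `pools_used` computes, which is what lets Fortuna tolerate a source that feeds it attacker-known data.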


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds