From owner-freebsd-security@FreeBSD.ORG  Sun Sep 23 00:38:07 2012
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id ABBD6106566C;
	Sun, 23 Sep 2012 00:38:07 +0000 (UTC)
	(envelope-from mariusz.gromada@gmail.com)
Received: from mail-wi0-f178.google.com (mail-wi0-f178.google.com
	[209.85.212.178])
	by mx1.freebsd.org (Postfix) with ESMTP id B0DCD8FC14;
	Sun, 23 Sep 2012 00:38:06 +0000 (UTC)
Received: by wibhr14 with SMTP id hr14so2693271wib.13
	for <multiple recipients>; Sat, 22 Sep 2012 17:37:59 -0700 (PDT)
Received: by 10.180.94.164 with SMTP id dd4mr5587491wib.1.1348360679817;
	Sat, 22 Sep 2012 17:37:59 -0700 (PDT)
Received: from [192.168.1.100] (89-76-147-86.dynamic.chello.pl. [89.76.147.86])
	by mx.google.com with ESMTPS id cu1sm6401764wib.6.2012.09.22.17.37.58
	(version=SSLv3 cipher=OTHER); Sat, 22 Sep 2012 17:37:59 -0700 (PDT)
Message-ID: <505E59DC.7090505@gmail.com>
Date: Sun, 23 Sep 2012 02:37:48 +0200
From: Mariusz Gromada <mariusz.gromada@gmail.com>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64;
	rv:15.0) Gecko/20120907 Thunderbird/15.0.1
MIME-Version: 1.0
To: Pawel Jakub Dawidek <pjd@FreeBSD.org>
References: <20120918211422.GA1400@garage.freebsd.pl>
	<20120919231051.4bc5335b@gumby.homeunix.com>
	<20120920102104.GA1397@garage.freebsd.pl>
	<201209200758.51924.jhb@freebsd.org>
	<20120922080323.GA1454@garage.freebsd.pl>
	<20120922195325.GH1454@garage.freebsd.pl>
In-Reply-To: <20120922195325.GH1454@garage.freebsd.pl>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Mailman-Approved-At: Sun, 23 Sep 2012 01:56:03 +0000
Cc: Ben Laurie <benl@freebsd.org>, freebsd-security@freebsd.org,
	RW <rwmaillists@googlemail.com>,
	Jonathan Anderson <jonathan.anderson@cl.cam.ac.uk>,
	John Baldwin <jhb@freebsd.org>
Subject: Re: Collecting entropy from device_attach() times.
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Security issues \[members-only posting\]"
	<freebsd-security.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>, 
	<mailto:freebsd-security-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-security>
List-Post: <mailto:freebsd-security@freebsd.org>
List-Help: <mailto:freebsd-security-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>, 
	<mailto:freebsd-security-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sun, 23 Sep 2012 00:38:07 -0000

On 2012-09-22 21:53, Pawel Jakub Dawidek wrote:
> Mariusz, can you confirm my findings? 

Pawel,

Your conclusions can be easily confirmed by shape analysis of the EDF. 
Usually maximum quantile difference (called D-statistic) gives you a 
kind of overview, function shape gives you a strong feeling, p-value 
gives you a formal proof.
D-statistic values (your data):

  6bit:   0.33%
  7bit:   0.29%
  8bit:   0.27%
  9bit:   0.21%
10bit:   6.34%
11bit:  19.07%
12bit:  54.80%

What I would say: increasing the number of bits from 6 to 9 does not 
affect distribution "uniformity", reaching the tenth bit results in 
sudden increase in the difference measure -  the more bits, the more 
difference is observed. Distribution shape analysis for the 10th bit 
shows non-linear function. Lack of "randomness" in the quantile 
difference curve - chart shows complete lack of noise (pure 
functional relation).  These are very strong indicators that starting 
from 10th bit distribution was changed and is no longer uniform.

To formally confirm above conclusion for i.e. 5% significance level, 
which means that confidence level is 95%, I need some extra data 
regarding sample sizes. Please pass to me number of collected 
observations in each 6-12 bit experiment.

Regards,
Mariusz



From owner-freebsd-security@FreeBSD.ORG  Sun Sep 23 13:59:58 2012
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52])
	by hub.freebsd.org (Postfix) with ESMTP id 84D60106566B
	for <freebsd-security@freebsd.org>;
	Sun, 23 Sep 2012 13:59:58 +0000 (UTC)
	(envelope-from rwmaillists@googlemail.com)
Received: from mail-ey0-f182.google.com (mail-ey0-f182.google.com
	[209.85.215.182])
	by mx1.freebsd.org (Postfix) with ESMTP id 0DC388FC0A
	for <freebsd-security@freebsd.org>;
	Sun, 23 Sep 2012 13:59:57 +0000 (UTC)
Received: by eaac10 with SMTP id c10so202297eaa.13
	for <freebsd-security@freebsd.org>;
	Sun, 23 Sep 2012 06:59:51 -0700 (PDT)
Received: by 10.14.218.134 with SMTP id k6mr11862531eep.14.1348408791671;
	Sun, 23 Sep 2012 06:59:51 -0700 (PDT)
Received: from gumby.homeunix.com (87-194-105-247.bethere.co.uk.
	[87.194.105.247])
	by mx.google.com with ESMTPS id k49sm38631226een.4.2012.09.23.06.59.49
	(version=SSLv3 cipher=OTHER); Sun, 23 Sep 2012 06:59:50 -0700 (PDT)
Date: Sun, 23 Sep 2012 14:59:45 +0100
From: RW <rwmaillists@googlemail.com>
To: Dag-Erling =?ISO-8859-1?Q?Sm=F8rgrav?= <des@des.no>
Message-ID: <20120923145945.13d148e3@gumby.homeunix.com>
In-Reply-To: <86lig3arpb.fsf@ds4.des.no>
References: <20120918211422.GA1400@garage.freebsd.pl>
	<867grqm3pt.fsf@ds4.des.no>
	<20120919184758.28589516@gumby.homeunix.com>
	<86sjadt677.fsf@ds4.des.no>
	<20120920230133.55b63dea@gumby.homeunix.com>
	<86lig3arpb.fsf@ds4.des.no>
X-Mailer: Claws Mail 3.8.1 (GTK+ 2.24.6; amd64-portbld-freebsd8.3)
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
Cc: freebsd-security@freebsd.org
Subject: Re: Collecting entropy from device_attach() times.
X-List-Received-Date: Sun, 23 Sep 2012 13:59:58 -0000

On Sat, 22 Sep 2012 01:20:32 +0200
Dag-Erling Smørgrav wrote:

> RW <rwmaillists@googlemail.com> writes:
> > The key will therefore *accumulate* entropy across multiple
> > reseeds.
>
> Forgot to address this.  By definition, there can never be more
> entropy in Yarrow than the key size.  So it *does* throw away entropy
> in the sense that if it accumulated, say, 900 bits of entropy
> pre-boot (to pick one of the numbers Pawel cited), 650 of them are
> wasted.

I got fed up of adding "up to 256 bits" and thought I could take it
as read. Since the generator can only hold 256 bits and is secure well
under that it doesn't really matter very much. Yarrow can't really be
said to waste entropy since replacing entropy in the generator in a
controlled way is what gives it its ability to recover from compromise
and break state extension attacks.

If we're going to be pedantic it's only the generator that's limited
to 256 bits, yarrow as a whole can accumulate up to 3x256 bits because
the pools are not cleared on reseeds. There is some slight advantage in
this, for example it means that two consecutive keys can be completely
independent even on a fast reseed with a low value of
kern.random.yarrow.fastthresh.



From owner-freebsd-security@FreeBSD.ORG  Sun Sep 23 15:17:01 2012
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52])
	by hub.freebsd.org (Postfix) with ESMTP id DD0D9106566B;
	Sun, 23 Sep 2012 15:17:01 +0000 (UTC)
	(envelope-from pawel@dawidek.net)
Received: from mail.dawidek.net (garage.dawidek.net [91.121.88.72])
	by mx1.freebsd.org (Postfix) with ESMTP id 9B94E8FC14;
	Sun, 23 Sep 2012 15:17:00 +0000 (UTC)
Received: from localhost (89-73-195-149.dynamic.chello.pl [89.73.195.149])
	by mail.dawidek.net (Postfix) with ESMTPSA id 52645F3E;
	Sun, 23 Sep 2012 17:15:51 +0200 (CEST)
Date: Sun, 23 Sep 2012 17:17:06 +0200
From: Pawel Jakub Dawidek <pjd@FreeBSD.org>
To: Mariusz Gromada <mariusz.gromada@gmail.com>
Message-ID: <20120923151706.GN1454@garage.freebsd.pl>
References: <20120918211422.GA1400@garage.freebsd.pl>
	<20120919231051.4bc5335b@gumby.homeunix.com>
	<20120920102104.GA1397@garage.freebsd.pl>
	<201209200758.51924.jhb@freebsd.org>
	<20120922080323.GA1454@garage.freebsd.pl>
	<20120922195325.GH1454@garage.freebsd.pl>
	<505E59DC.7090505@gmail.com>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1;
	protocol="application/pgp-signature"; boundary="hXth9cGL35Nvpk4x"
Content-Disposition: inline
In-Reply-To: <505E59DC.7090505@gmail.com>
X-OS: FreeBSD 10.0-CURRENT amd64
User-Agent: Mutt/1.5.21 (2010-09-15)
Cc: Ben Laurie <benl@freebsd.org>, freebsd-security@freebsd.org,
	RW <rwmaillists@googlemail.com>,
	Jonathan Anderson <jonathan.anderson@cl.cam.ac.uk>,
	John Baldwin <jhb@freebsd.org>
Subject: Re: Collecting entropy from device_attach() times.
X-List-Received-Date: Sun, 23 Sep 2012 15:17:02 -0000


--hXth9cGL35Nvpk4x
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Sun, Sep 23, 2012 at 02:37:48AM +0200, Mariusz Gromada wrote:
> On 2012-09-22 21:53, Pawel Jakub Dawidek wrote:
> > Mariusz, can you confirm my findings?
>
> Pawel,
>
> Your conclusions can be easily confirmed by shape analysis of the EDF.
> Usually maximum quantile difference (called D-statistic) gives you a
> kind of overview, function shape gives you a strong feeling, p-value
> gives you a formal proof.
> D-statistic values (your data):
>
>   6bit:   0.33%
>   7bit:   0.29%
>   8bit:   0.27%
>   9bit:   0.21%
> 10bit:   6.34%
> 11bit:  19.07%
> 12bit:  54.80%
>
> What I would say: increasing the number of bits from 6 to 9 does not
> affect distribution "uniformity", reaching the tenth bit results in
> sudden increase in the difference measure -  the more bits, the more
> difference is observed. Distribution shape analysis for the 10th bit
> shows non-linear function. Lack of "randomness" in the quantile
> difference curve - chart shows complete lack of noise (pure
> functional relation).  These are very strong indicators that starting
> from 10th bit distribution was changed and is no longer uniform.
>
> To formally confirm above conclusion for i.e. 5% significance level,
> which means that confidence level is 95%, I need some extra data
> regarding sample sizes. Please pass to me number of collected
> observations in each 6-12 bit experiment.

Total number of observations was 162833.

-- 
Pawel Jakub Dawidek                       http://www.wheelsystems.com
FreeBSD committer                         http://www.FreeBSD.org
Am I Evil? Yes, I Am!                     http://tupytaj.pl

--hXth9cGL35Nvpk4x--

From owner-freebsd-security@FreeBSD.ORG  Mon Sep 24 03:57:07 2012
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Delivered-To: freebsd-security@FreeBSD.org
Received: from mx2.freebsd.org (mx2.freebsd.org [69.147.83.53])
	by hub.freebsd.org (Postfix) with ESMTP id A96631065670
	for <freebsd-security@FreeBSD.org>;
	Mon, 24 Sep 2012 03:57:07 +0000 (UTC)
	(envelope-from dougb@FreeBSD.org)
Received: from opti.dougb.net (hub.freebsd.org [IPv6:2001:4f8:fff6::36])
	by mx2.freebsd.org (Postfix) with ESMTP id AE7B214E169
	for <freebsd-security@FreeBSD.org>;
	Mon, 24 Sep 2012 03:56:51 +0000 (UTC)
Message-ID: <505FDA03.5020207@FreeBSD.org>
Date: Sun, 23 Sep 2012 20:56:51 -0700
From: Doug Barton <dougb@FreeBSD.org>
Organization: http://SupersetSolutions.com/
User-Agent: Mozilla/5.0 (X11; FreeBSD amd64;
	rv:15.0) Gecko/20120911 Thunderbird/15.0.1
MIME-Version: 1.0
To: freebsd-security@FreeBSD.org
X-Enigmail-Version: 1.4.4
OpenPGP: id=1A1ABC84
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Cc: 
Subject: rc.d/postrandom
X-List-Received-Date: Mon, 24 Sep 2012 03:57:07 -0000

If you disagree with what this script is doing, please speak up. I'm
being told that because I am the only one who has voiced an objection
that there is no reason to back out this change. I think I made my
feelings about it clear, I'm interested in what others have to say.

Doug

-- 

    I am only one, but I am one.  I cannot do everything, but I can do
    something.  And I will not let what I cannot do interfere with what
    I can do.
			-- Edward Everett Hale, (1822 - 1909)

From owner-freebsd-security@FreeBSD.ORG  Mon Sep 24 09:15:30 2012
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Delivered-To: freebsd-security@FreeBSD.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52])
	by hub.freebsd.org (Postfix) with ESMTP id 65F52106566B;
	Mon, 24 Sep 2012 09:15:30 +0000 (UTC) (envelope-from des@des.no)
Received: from smtp.des.no (smtp.des.no [194.63.250.102])
	by mx1.freebsd.org (Postfix) with ESMTP id 28B8C8FC19;
	Mon, 24 Sep 2012 09:15:29 +0000 (UTC)
Received: from ds4.des.no (smtp.des.no [194.63.250.102])
	by smtp.des.no (Postfix) with ESMTP id 53D4C6CC7;
	Mon, 24 Sep 2012 11:15:23 +0200 (CEST)
Received: by ds4.des.no (Postfix, from userid 1001)
	id 13936802F; Mon, 24 Sep 2012 11:15:23 +0200 (CEST)
From: =?utf-8?Q?Dag-Erling_Sm=C3=B8rgrav?= <des@des.no>
To: Doug Barton <dougb@FreeBSD.org>
References: <505FDA03.5020207@FreeBSD.org>
Date: Mon, 24 Sep 2012 11:15:21 +0200
In-Reply-To: <505FDA03.5020207@FreeBSD.org> (Doug Barton's message of "Sun, 23
	Sep 2012 20:56:51 -0700")
Message-ID: <86haqnsrx2.fsf@ds4.des.no>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/23.4 (berkeley-unix)
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
Cc: freebsd-security@FreeBSD.org
Subject: Re: rc.d/postrandom
X-List-Received-Date: Mon, 24 Sep 2012 09:15:30 -0000

Doug Barton <dougb@FreeBSD.org> writes:
> If you disagree with what this script is doing, please speak up.

Do you mean initrandom?  I dislike it only slightly less now than I did
before.  I hope Pawel's patch works out so we can nuke it.

DES
-- 
Dag-Erling Smørgrav - des@des.no

From owner-freebsd-security@FreeBSD.ORG  Mon Sep 24 17:47:10 2012
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52])
	by hub.freebsd.org (Postfix) with ESMTP id 15745106564A;
	Mon, 24 Sep 2012 17:47:10 +0000 (UTC)
	(envelope-from benlaurie@gmail.com)
Received: from mail-lb0-f182.google.com (mail-lb0-f182.google.com
	[209.85.217.182])
	by mx1.freebsd.org (Postfix) with ESMTP id 550DA8FC15;
	Mon, 24 Sep 2012 17:47:08 +0000 (UTC)
Received: by lbbgg13 with SMTP id gg13so8715426lbb.13
	for <multiple recipients>; Mon, 24 Sep 2012 10:47:08 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.152.124.180 with SMTP id mj20mr11266277lab.43.1348508827957;
	Mon, 24 Sep 2012 10:47:07 -0700 (PDT)
Sender: benlaurie@gmail.com
Received: by 10.114.58.147 with HTTP; Mon, 24 Sep 2012 10:47:07 -0700 (PDT)
In-Reply-To: <86haqnsrx2.fsf@ds4.des.no>
References: <505FDA03.5020207@FreeBSD.org>
	<86haqnsrx2.fsf@ds4.des.no>
Date: Mon, 24 Sep 2012 18:47:07 +0100
X-Google-Sender-Auth: BR4aD_du6GIgMzJfpenxVKk2CuI
Message-ID: <CAG5KPzzsHxErOho3BkqFL2M_OtimFfQB_OKG-9myQ2gm3-xgQA@mail.gmail.com>
From: Ben Laurie <benl@freebsd.org>
To: =?ISO-8859-1?Q?Dag=2DErling_Sm=F8rgrav?= <des@des.no>
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
Cc: freebsd-security@freebsd.org, Doug Barton <dougb@freebsd.org>
Subject: Re: rc.d/postrandom
X-List-Received-Date: Mon, 24 Sep 2012 17:47:10 -0000

On Mon, Sep 24, 2012 at 10:15 AM, Dag-Erling Smørgrav <des@des.no> wrote:
> Doug Barton <dougb@FreeBSD.org> writes:
>> If you disagree with what this script is doing, please speak up.
>
> Do you mean initrandom?  I dislike it only slightly less now than I did
> before.  I hope Pawel's patch works out so we can nuke it.

He means postrandom. Which deletes all saved entropy because of fear
of replay attacks.

IMO, this doesn't make much sense - if you don't have sufficient fresh
entropy to mix into the pool, then deleting your saved entropy makes
you more vulnerable, not less. And if you do, you're not vulnerable
anyway.

So, I'm with Doug on this one.

From owner-freebsd-security@FreeBSD.ORG  Mon Sep 24 21:57:06 2012
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52])
	by hub.freebsd.org (Postfix) with ESMTP id C4A271065670;
	Mon, 24 Sep 2012 21:57:06 +0000 (UTC)
	(envelope-from mariusz.gromada@gmail.com)
Received: from mail-we0-f182.google.com (mail-we0-f182.google.com
	[74.125.82.182])
	by mx1.freebsd.org (Postfix) with ESMTP id B83AC8FC0C;
	Mon, 24 Sep 2012 21:57:05 +0000 (UTC)
Received: by weyx43 with SMTP id x43so875776wey.13
	for <multiple recipients>; Mon, 24 Sep 2012 14:57:04 -0700 (PDT)
Received: by 10.180.83.66 with SMTP id o2mr17006228wiy.14.1348523824685;
	Mon, 24 Sep 2012 14:57:04 -0700 (PDT)
Received: from [192.168.1.100] (89-76-147-86.dynamic.chello.pl. [89.76.147.86])
	by mx.google.com with ESMTPS id k20sm16811345wiv.11.2012.09.24.14.57.02
	(version=SSLv3 cipher=OTHER); Mon, 24 Sep 2012 14:57:03 -0700 (PDT)
Message-ID: <5060D723.6020305@gmail.com>
Date: Mon, 24 Sep 2012 23:56:51 +0200
From: Mariusz Gromada <mariusz.gromada@gmail.com>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64;
	rv:15.0) Gecko/20120907 Thunderbird/15.0.1
MIME-Version: 1.0
To: Pawel Jakub Dawidek <pjd@FreeBSD.org>
References: <20120918211422.GA1400@garage.freebsd.pl>
	<20120919231051.4bc5335b@gumby.homeunix.com>
	<20120920102104.GA1397@garage.freebsd.pl>
	<201209200758.51924.jhb@freebsd.org>
	<20120922080323.GA1454@garage.freebsd.pl>
	<20120922195325.GH1454@garage.freebsd.pl>
	<505E59DC.7090505@gmail.com>
	<20120923151706.GN1454@garage.freebsd.pl>
In-Reply-To: <20120923151706.GN1454@garage.freebsd.pl>
Content-Type: text/plain; charset=windows-1252; format=flowed
Content-Transfer-Encoding: 8bit
X-Mailman-Approved-At: Mon, 24 Sep 2012 22:03:16 +0000
Cc: Ben Laurie <benl@freebsd.org>, freebsd-security@freebsd.org,
	RW <rwmaillists@googlemail.com>,
	Jonathan Anderson <jonathan.anderson@cl.cam.ac.uk>,
	John Baldwin <jhb@freebsd.org>
Subject: Re: Collecting entropy from device_attach() times.
X-List-Received-Date: Mon, 24 Sep 2012 21:57:06 -0000

On 2012-09-23 17:17, Pawel Jakub Dawidek wrote:
> On Sun, Sep 23, 2012 at 02:37:48AM +0200, Mariusz Gromada wrote:
>> On 2012-09-22 21:53, Pawel Jakub Dawidek wrote:
>>> Mariusz, can you confirm my findings?
>>
>> Pawel,
>>
>> Your conclusions can be easily confirmed by shape analysis of the EDF.
>> Usually maximum quantile difference (called D-statistic) gives you a
>> kind of overview, function shape gives you a strong feeling, p-value
>> gives you a formal proof.
>> D-statistic values (your data):
>>
>>    6bit:   0.33%
>>    7bit:   0.29%
>>    8bit:   0.27%
>>    9bit:   0.21%
>> 10bit:   6.34%
>> 11bit:  19.07%
>> 12bit:  54.80%
>>
>> What I would say: increasing the number of bits from 6 to 9 does not
>> affect distribution "uniformity", reaching the tenth bit results in
>> sudden increase in the difference measure -  the more bits, the more
>> difference is observed. Distribution shape analysis for the 10th bit
>> shows non-linear function. Lack of "randomness" in the quantile
>> difference curve - chart shows complete lack of noise (pure
>> functional relation).  These are very strong indicators that starting
>> from 10th bit distribution was changed and is no longer uniform.
>>
>> To formally confirm above conclusion for i.e. 5% significance level,
>> which means that confidence level is 95%, I need some extra data
>> regarding sample sizes. Please pass to me number of collected
>> observations in each 6-12 bit experiment.
>
> Total number of observations was 162833.
>

Ok, finally I have some formal results. To be completely honest I need 
to point out that, in fact, we have discrete data (for example 
integers 0, 1, ..., 63, but not continuous numbers spread across 0 and 
63). That is why I am going to use two sample Kolmogorov-Smirnov test. 
Methodology is simple:

- Pawel's data will be called empirical one
- Theoretical data will be generated as a sequence of unique integer 
numbers from 0 to 2**n -1, where n is the number of bits. Assumption - 
each number appears in theoretical data only once representing ideal 
uniform distribution.

Calculations will be done in the R-cran package

Loading empirical data from files:

 > e6 = read.table("E:\\pawel\\dhr2_6bit_sorted.txt")
 > e7 = read.table("E:\\pawel\\dhr2_7bit_sorted.txt")
 > e8 = read.table("E:\\pawel\\dhr2_8bit_sorted.txt")
 > e9 = read.table("E:\\pawel\\dhr2_9bit_sorted.txt")
 > e10 = read.table("E:\\pawel\\dhr2_10bit_sorted.txt")
 > e11 = read.table("E:\\pawel\\dhr2_11bit_sorted.txt")
 > e12 = read.table("E:\\pawel\\dhr2_12bit_sorted.txt")

Generating ideal theoretical data:

 > t6 = c(0:(2**6-1))
 > t7 = c(0:(2**7-1))
 > t8 = c(0:(2**8-1))
 > t9 = c(0:(2**9-1))
 > t10 = c(0:(2**10-1))
 > t11 = c(0:(2**11-1))
 > t12 = c(0:(2**12-1))

Performing KS tests:

 > ks.test(e6, t6)
D = 0.0032, p-value = 1

 > ks.test(e7, t7)
D = 0.0029, p-value = 1

 > ks.test(e8, t8)
D = 0.0027, p-value = 1

 > ks.test(e9, t9)
D = 0.0022, p-value = 1

 > ks.test(e10, t10)
D = 0.0634, p-value = 0.0005562

 > ks.test(e11, t11)
D = 0.1907, p-value < 2.2e-16

 > ks.test(e12, t12)
D = 0.5479, p-value < 2.2e-16

As you can see D-statistics are almost the same as calculated by Pawel 
(considering roundings). P-values are very interesting due to very high 
number of observations generated by Pawel. Between 6 bits and 9 bits 
estimated p-values are equal to 1, so it means that it is impossible (at 
any significance level) to reject null hypothesis stating that compared 
distributions are equal. Final conclusion: it has to be random, and for 
sure it is random!

Additionally starting from 10 bits we can observe dramatic decrease of 
p-value (from 100% to c.a. 0,06% and much less for the 11-12 bits). So 
low p-value means that it is impossible not to reject null hypothesis 
stating that compared distributions are equal. Final conclusion: it 
cannot be random, and for sure it is not random.

I did the same comparison for the previous real device attach data (2081 
obs.). R code and the results are below:

 > e16 = read.table("E:\\pawel\\device_attach_16bit.log")
 > t16 = c(0:(2**16-1))
 > ks.test(e16, t16)
D = 0.0178, p-value = 0.5422

Again, D-statistic and p-value are almost the same as previously 
calculated "manually". P-value is very high (it is not as high as in the 
6-12 bits tests, but consider much lower number of observations: 2081 vs 
162833), giving almost sureness that you have captured real 16-bits 
entropy!

Regards,
Mariusz
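
The comparison described in the message above (sample EDF against the ideal sequence 0..2**n-1, reported as D and a p-value), as an added example that is not part of the original thread: a dependency-free Python version of the two-sample KS statistic with the asymptotic p-value, run per bit width. The data are constructed (bits 0-8 noisy, bits 9-11 skewed), and the function names, seed and generator are assumptions for illustration; the asymptotic p-value is only approximate for discrete data with ties.

```python
import bisect
import math
import random


def ks_two_sample_d(sample, reference):
    """Two-sample KS statistic: largest vertical gap between the two EDFs."""
    a, b = sorted(sample), sorted(reference)
    d = 0.0
    # Both EDFs are step functions, so the supremum is reached at a data point.
    for x in sorted(set(a) | set(b)):
        fa = bisect.bisect_right(a, x) / len(a)
        fb = bisect.bisect_right(b, x) / len(b)
        d = max(d, abs(fa - fb))
    return d


def ks_asymptotic_p(d, n, m):
    """Asymptotic two-sided p-value from the Kolmogorov series.

    Approximate for discrete data with ties. The effective sample size
    n*m/(n+m) is always smaller than the smaller of the two samples.
    """
    lam = math.sqrt(n * m / (n + m)) * d
    if lam < 0.3:  # series converges slowly here; the value is 1 to 4 decimals
        return 1.0
    total = sum((-1) ** (k - 1) * math.exp(-2.0 * k * k * lam * lam)
                for k in range(1, 101))
    return min(1.0, max(0.0, 2.0 * total))


def low_bits(values, n):
    """Keep only the n least significant bits of every value."""
    mask = (1 << n) - 1
    return [v & mask for v in values]


def constructed_samples(count=20000, seed=2012):
    """Constructed data, not from the thread: bits 0-8 noise, bits 9-11 skewed."""
    rng = random.Random(seed)
    out = []
    for _ in range(count):
        # The upper three bits are 0 three times out of four.
        bucket = 0 if rng.random() < 0.75 else rng.randrange(1, 8)
        out.append((bucket << 9) | rng.getrandbits(9))
    return out


def uniformity_by_width(values, widths=range(6, 13)):
    """Return {n: (D, p)} comparing the low n bits with 0..2**n-1."""
    results = {}
    for n in widths:
        sample = low_bits(values, n)
        reference = range(2 ** n)  # every n-bit value exactly once
        d = ks_two_sample_d(sample, reference)
        results[n] = (d, ks_asymptotic_p(d, len(sample), 2 ** n))
    return results


if __name__ == "__main__":
    for n, (d, p) in uniformity_by_width(constructed_samples()).items():
        print(f"{n:2d} bit: D = {d:.4f}, p-value = {p:.3g}")
```
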


From owner-freebsd-security@FreeBSD.ORG  Mon Sep 24 22:10:28 2012
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id A13E81065670;
	Mon, 24 Sep 2012 22:10:28 +0000 (UTC)
	(envelope-from mariusz.gromada@gmail.com)
Received: from mail-we0-f182.google.com (mail-we0-f182.google.com
	[74.125.82.182])
	by mx1.freebsd.org (Postfix) with ESMTP id 9D9378FC0C;
	Mon, 24 Sep 2012 22:10:27 +0000 (UTC)
Received: by weyx43 with SMTP id x43so882977wey.13
	for <multiple recipients>; Mon, 24 Sep 2012 15:10:26 -0700 (PDT)
Received: by 10.180.100.37 with SMTP id ev5mr17090715wib.5.1348524626443;
	Mon, 24 Sep 2012 15:10:26 -0700 (PDT)
Received: from [192.168.1.100] (89-76-147-86.dynamic.chello.pl. [89.76.147.86])
	by mx.google.com with ESMTPS id l6sm16834218wiz.4.2012.09.24.15.10.24
	(version=SSLv3 cipher=OTHER); Mon, 24 Sep 2012 15:10:25 -0700 (PDT)
Message-ID: <5060DA45.30808@gmail.com>
Date: Tue, 25 Sep 2012 00:10:13 +0200
From: Mariusz Gromada <mariusz.gromada@gmail.com>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64;
	rv:15.0) Gecko/20120907 Thunderbird/15.0.1
MIME-Version: 1.0
To: Pawel Jakub Dawidek <pjd@FreeBSD.org>
References: <20120918211422.GA1400@garage.freebsd.pl>
	<20120919231051.4bc5335b@gumby.homeunix.com>
	<20120920102104.GA1397@garage.freebsd.pl>
	<201209200758.51924.jhb@freebsd.org>
	<20120922080323.GA1454@garage.freebsd.pl>
	<20120922195325.GH1454@garage.freebsd.pl>
	<505E59DC.7090505@gmail.com>
	<20120923151706.GN1454@garage.freebsd.pl>
	<5060D723.6020305@gmail.com>
In-Reply-To: <5060D723.6020305@gmail.com>
Content-Type: text/plain; charset=windows-1252; format=flowed
Content-Transfer-Encoding: 7bit
X-Mailman-Approved-At: Mon, 24 Sep 2012 22:35:37 +0000
Cc: Ben Laurie <benl@freebsd.org>, freebsd-security@freebsd.org,
	RW <rwmaillists@googlemail.com>,
	Jonathan Anderson <jonathan.anderson@cl.cam.ac.uk>,
	John Baldwin <jhb@freebsd.org>
Subject: Re: Collecting entropy from device_attach() times.
X-List-Received-Date: Mon, 24 Sep 2012 22:10:28 -0000

On 2012-09-24 23:56, Mariusz Gromada wrote:

> Ok, finally I have some formal results. To be completely honest I need
> to point out that, in fact, we have discrete data (for example
> integers 0, 1, ..., 63, but not continuous numbers spread across 0 and
> 63). That is why I am going to use the two-sample Kolmogorov-Smirnov test.

Another clarification is needed. KS test in general (and in theory) 
should be used for continuous distributions. But in our case we can 
easily say that we observe our distribution in integers only (rounding), 
and the whole rest is easily estimated.

Regards,
Mariusz


From owner-freebsd-security@FreeBSD.ORG  Tue Sep 25 05:32:25 2012
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52])
	by hub.freebsd.org (Postfix) with ESMTP id 69461106564A;
	Tue, 25 Sep 2012 05:32:25 +0000 (UTC)
	(envelope-from pawel@dawidek.net)
Received: from mail.dawidek.net (garage.dawidek.net [91.121.88.72])
	by mx1.freebsd.org (Postfix) with ESMTP id 24EBF8FC08;
	Tue, 25 Sep 2012 05:32:24 +0000 (UTC)
Received: from localhost (89-73-195-149.dynamic.chello.pl [89.73.195.149])
	by mail.dawidek.net (Postfix) with ESMTPSA id CA0A63FF;
	Tue, 25 Sep 2012 07:31:24 +0200 (CEST)
Date: Tue, 25 Sep 2012 07:32:47 +0200
From: Pawel Jakub Dawidek <pjd@FreeBSD.org>
To: Mariusz Gromada <mariusz.gromada@gmail.com>
Message-ID: <20120925053246.GI1413@garage.freebsd.pl>
References: <20120918211422.GA1400@garage.freebsd.pl>
	<20120919231051.4bc5335b@gumby.homeunix.com>
	<20120920102104.GA1397@garage.freebsd.pl>
	<201209200758.51924.jhb@freebsd.org>
	<20120922080323.GA1454@garage.freebsd.pl>
	<20120922195325.GH1454@garage.freebsd.pl>
	<505E59DC.7090505@gmail.com>
	<20120923151706.GN1454@garage.freebsd.pl>
	<5060D723.6020305@gmail.com> <5060DA45.30808@gmail.com>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1;
	protocol="application/pgp-signature"; boundary="k9xkV0rc9XGsukaG"
Content-Disposition: inline
In-Reply-To: <5060DA45.30808@gmail.com>
X-OS: FreeBSD 10.0-CURRENT amd64
User-Agent: Mutt/1.5.21 (2010-09-15)
Cc: Ben Laurie <benl@freebsd.org>, freebsd-security@freebsd.org,
	RW <rwmaillists@googlemail.com>,
	Jonathan Anderson <jonathan.anderson@cl.cam.ac.uk>,
	John Baldwin <jhb@freebsd.org>
Subject: Re: Collecting entropy from device_attach() times.
X-List-Received-Date: Tue, 25 Sep 2012 05:32:25 -0000


--k9xkV0rc9XGsukaG
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Tue, Sep 25, 2012 at 12:10:13AM +0200, Mariusz Gromada wrote:
> On 2012-09-24 23:56, Mariusz Gromada wrote:
>
> > Ok, finally I have some formal results. To be completely honest I need
> > to point out that, in fact, we have discrete data (for example
> > integers 0, 1, ..., 63, but not continuous numbers spread across 0 and
> > 63). That is why I am going to use the two-sample Kolmogorov-Smirnov test.
>
> Another clarification is needed. KS test in general (and in theory)
> should be used for continuous distributions. But in our case we can
> easily say that we observe our distribution in integers only (rounding),
> and the whole rest is easily estimated.

Thanks a lot!

To the list:

phk@ asked me privately to check if there is no correlation between
consecutive device_attach() calls during a single boot.

For example each device_attach() separately can yield great entropy in
every test, but all those calls combined might be somehow related, i.e.
during one boot all calls take a bit longer and in another boot all
calls take a bit less, which could decrease total entropy we should
estimate out of it.

I created a dummy driver which was registering three dummy drivers, so it
was provoking three device_attach() calls on every kldload. Mariusz
verified the observations and there was no correlation between the
times.

I believe everyone is bored at this point, so I'd like to propose a way
forward:

I'll perform one more test with CPU clock speed reduced as much as it
can be and see if rejecting 7 top bits is still fine. If it is, I'd like
to commit my patch. I was wondering if I should hide it under
#ifdef __amd64__, but the only risk in having it on all platforms is
eventually overestimating available entropy, which is bad, but I
think better than not providing any entropy with this method. On the other
hand having it on one or two platforms only would maybe motivate people
to verify it on other platforms.

-- 
Pawel Jakub Dawidek                       http://www.wheelsystems.com
FreeBSD committer                         http://www.FreeBSD.org
Am I Evil? Yes, I Am!                     http://tupytaj.pl

--k9xkV0rc9XGsukaG
Content-Type: application/pgp-signature


--k9xkV0rc9XGsukaG--

From owner-freebsd-security@FreeBSD.ORG  Tue Sep 25 08:21:10 2012
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id EC9AF106566B;
	Tue, 25 Sep 2012 08:21:09 +0000 (UTC) (envelope-from des@des.no)
Received: from smtp.des.no (smtp.des.no [194.63.250.102])
	by mx1.freebsd.org (Postfix) with ESMTP id ABD158FC14;
	Tue, 25 Sep 2012 08:21:09 +0000 (UTC)
Received: from ds4.des.no (smtp.des.no [194.63.250.102])
	by smtp.des.no (Postfix) with ESMTP id 397E060AF;
	Tue, 25 Sep 2012 10:21:08 +0200 (CEST)
Received: by ds4.des.no (Postfix, from userid 1001)
	id F08A98145; Tue, 25 Sep 2012 10:21:07 +0200 (CEST)
From: Dag-Erling Smørgrav <des@des.no>
To: Ben Laurie <benl@freebsd.org>
References: <505FDA03.5020207@FreeBSD.org> <86haqnsrx2.fsf@ds4.des.no>
	<CAG5KPzzsHxErOho3BkqFL2M_OtimFfQB_OKG-9myQ2gm3-xgQA@mail.gmail.com>
Date: Tue, 25 Sep 2012 10:21:07 +0200
In-Reply-To: <CAG5KPzzsHxErOho3BkqFL2M_OtimFfQB_OKG-9myQ2gm3-xgQA@mail.gmail.com>
	(Ben Laurie's message of "Mon, 24 Sep 2012 18:47:07 +0100")
Message-ID: <86zk4eqzrg.fsf@ds4.des.no>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/23.4 (berkeley-unix)
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
Cc: freebsd-security@freebsd.org, Doug Barton <dougb@freebsd.org>
Subject: Re: rc.d/postrandom
X-List-Received-Date: Tue, 25 Sep 2012 08:21:10 -0000

Ben Laurie <benl@freebsd.org> writes:
> He means postrandom. Which deletes all saved entropy because of fear
> of replay attacks.
>
> IMO, this doesn't make much sense - if you don't have sufficient fresh
> entropy to mix into the pool, then deleting your saved entropy makes
> you more vulnerable, not less. And if you do, you're not vulnerable
> anyway.

If the stored entropy is known to the attacker, you are mixing known
data into the pool, which Yarrow is designed to withstand.  You are no
worse off than before.

If both the current state of Yarrow and the stored entropy are known to
the attacker, you are no worse off than before - you are equally screwed
whether you use the stored entropy or not.

If the current state of Yarrow is known to the attacker but the stored
entropy isn't, you are better off with it than without it.

Therefore, the stored entropy should only be deleted when we have
something to replace it with.

DES
-- 
Dag-Erling Smørgrav - des@des.no

From owner-freebsd-security@FreeBSD.ORG  Tue Sep 25 09:03:24 2012
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52])
	by hub.freebsd.org (Postfix) with ESMTP id 08049106564A;
	Tue, 25 Sep 2012 09:03:24 +0000 (UTC)
	(envelope-from benlaurie@gmail.com)
Received: from mail-vc0-f182.google.com (mail-vc0-f182.google.com
	[209.85.220.182])
	by mx1.freebsd.org (Postfix) with ESMTP id 80E158FC0C;
	Tue, 25 Sep 2012 09:03:23 +0000 (UTC)
Received: by vcbfw7 with SMTP id fw7so9408980vcb.13
	for <multiple recipients>; Tue, 25 Sep 2012 02:03:22 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.220.157.65 with SMTP id a1mr8815203vcx.39.1348563802277; Tue,
	25 Sep 2012 02:03:22 -0700 (PDT)
Sender: benlaurie@gmail.com
Received: by 10.58.79.243 with HTTP; Tue, 25 Sep 2012 02:03:22 -0700 (PDT)
In-Reply-To: <5060D723.6020305@gmail.com>
References: <20120918211422.GA1400@garage.freebsd.pl>
	<20120919231051.4bc5335b@gumby.homeunix.com>
	<20120920102104.GA1397@garage.freebsd.pl>
	<201209200758.51924.jhb@freebsd.org>
	<20120922080323.GA1454@garage.freebsd.pl>
	<20120922195325.GH1454@garage.freebsd.pl>
	<505E59DC.7090505@gmail.com>
	<20120923151706.GN1454@garage.freebsd.pl>
	<5060D723.6020305@gmail.com>
Date: Tue, 25 Sep 2012 10:03:22 +0100
X-Google-Sender-Auth: YV7f9e883Et0KHJku8XQ6UMbMPs
Message-ID: <CAG5KPzxf0Rfufk5K6Jt4e85xc7zXY_B3a2Sq0Uf_uVLHbV-baw@mail.gmail.com>
From: Ben Laurie <benl@freebsd.org>
To: Mariusz Gromada <mariusz.gromada@gmail.com>
Content-Type: text/plain; charset=ISO-8859-1
Cc: freebsd-security@freebsd.org, RW <rwmaillists@googlemail.com>,
	Jonathan Anderson <jonathan.anderson@cl.cam.ac.uk>,
	Pawel Jakub Dawidek <pjd@freebsd.org>, John Baldwin <jhb@freebsd.org>
Subject: Re: Collecting entropy from device_attach() times.
X-List-Received-Date: Tue, 25 Sep 2012 09:03:24 -0000

On Mon, Sep 24, 2012 at 10:56 PM, Mariusz Gromada
<mariusz.gromada@gmail.com> wrote:
> On 2012-09-23 17:17, Pawel Jakub Dawidek wrote:
>
>> On Sun, Sep 23, 2012 at 02:37:48AM +0200, Mariusz Gromada wrote:
>>>
>>> On 2012-09-22 21:53, Pawel Jakub Dawidek wrote:
>>>>
>>>> Mariusz, can you confirm my findings?
>>>
>>>
>>> Pawel,
>>>
>>> Your conclusions can be easily confirmed by shape analysis of the EDF.
>>> Usually maximum quantile difference (called D-statistic) gives you a
>>> kind of overview, function shape gives you a strong feeling, p-value
>>> gives you a formal proof.
>>> D-statistic values (your data):
>>>
>>>    6bit:   0.33%
>>>    7bit:   0.29%
>>>    8bit:   0.27%
>>>    9bit:   0.21%
>>>   10bit:   6.34%
>>>   11bit:  19.07%
>>>   12bit:  54.80%
>>>
>>> What I would say: increasing the number of bits from 6 to 9 does not
>>> affect distribution "uniformity", reaching the tenth bit results in
>>> a sudden increase in the difference measure - the more bits, the more
>>> difference is observed. Distribution shape analysis for the 10th bit
>>> shows a non-linear function. Lack of "randomness" in the quantile
>>> difference curve - the chart shows a complete lack of noise (pure
>>> functional relation). These are very strong indicators that starting
>>> from the 10th bit the distribution was changed and is no longer uniform.
>>>
>>> To formally confirm above conclusion for i.e. 5% significance level,
>>> which means that confidence level is 95%, I need some extra data
>>> regarding sample sizes. Please pass to me number of collected
>>> observations in each 6-12 bit experiment.
>>
>>
>> Total number of observations was 162833.
>>
>
> Ok, finally I have some formal results. To be completely honest I need to
> point out that, in fact, we have discrete data (for example integers 0, 1,
> ..., 63, but not continuous numbers spread across 0 and 63). That is why I
> am going to use the two-sample Kolmogorov-Smirnov test.  Methodology is simple:

...

> As you can see D-statistics are almost the same as calculated by Pawel
> (considering roundings). P-values are very interesting due to very high
> number of observations generated by Pawel. Between 6 bits and 9 bits
> estimated p-values are equal to 1, so it means that it is impossible (at any
> significance level) to reject null hypothesis stating that compared
> distributions are equal. Final conclusion: it has to be random, and for sure
> it is random!

You cannot conclude that - no test can tell you it, but this test
rather obviously does not, since what it tests is the equality of
probability distributions, so what you can now say is that the
distribution is square. A completely predictable sequence, say 0..63,
would satisfy that.

Empirically, it seems to me that these numbers are actually unlikely
to be correlated with each other, but that has not been tested.

Also untested is correlation between the numbers from different
devices on the same run - if they were strongly correlated, for
example, that would be bad.

Not that I dislike Pawel's approach, it seems promising, I'm just
pointing out the weakness of the analysis.
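
The two gaps named in the message above, as an added Python illustration (not code from the thread or from FreeBSD): a two-sample KS D-statistic cannot tell the repeating counter 0..63 from random samples while a conditional-entropy estimate can, and per-device uniformity hides correlation between devices attached in the same boot. All samples are constructed; the shared-offset boot model, the sample size and every name are assumptions.

```python
import math
import random
from collections import Counter

BITS = 6                   # low-order bits kept per timing sample (values 0..63)
VALUES = 1 << BITS
N = VALUES * 1024          # constructed sample size, not the thread's 162833


def ks_d(a, b):
    """Two-sample Kolmogorov-Smirnov D: max |ECDF_a(x) - ECDF_b(x)|."""
    ca, cb = Counter(a), Counter(b)
    cum_a = cum_b = 0
    d = 0.0
    for x in sorted(set(ca) | set(cb)):
        cum_a += ca[x]
        cum_b += cb[x]
        d = max(d, abs(cum_a / len(a) - cum_b / len(b)))
    return d


def entropy_bits(samples):
    """Plug-in Shannon entropy estimate, in bits per sample."""
    n = len(samples)
    return -sum(c / n * math.log2(c / n) for c in Counter(samples).values())


def conditional_entropy_bits(seq):
    """H(X_t | X_{t-1}) = H(X_{t-1}, X_t) - H(X_{t-1}), from adjacent pairs."""
    return entropy_bits(list(zip(seq, seq[1:]))) - entropy_bits(seq[:-1])


def analyse(seed=2012):
    rng = random.Random(seed)
    # Ideal uniform reference sample: every value 0..63 equally often.
    reference = [v for v in range(VALUES) for _ in range(N // VALUES)]
    # The counter-example from the message: 0..63 repeated, fully predictable.
    counter = [i % VALUES for i in range(N)]
    # Stand-in for well-behaved timings (constructed with a seeded PRNG).
    noisy = [rng.randrange(VALUES) for _ in range(N)]
    # Hypothetical boot model: three attach times per boot share one per-boot
    # offset and differ only by 2 bits of independent jitter each.
    boots = []
    for _ in range(N):
        shared = rng.randrange(VALUES)
        boots.append(tuple((shared + rng.randrange(4)) % VALUES for _ in range(3)))
    devices = [list(column) for column in zip(*boots)]
    return {
        # Distribution-only view: both sequences look uniform.
        "counter_D": ks_d(counter, reference),
        "noisy_D": ks_d(noisy, reference),
        # Sequence view: bits of surprise in the next sample given the last one.
        "counter_cond_bits": conditional_entropy_bits(counter),
        "noisy_cond_bits": conditional_entropy_bits(noisy),
        # Each device on its own passes the uniformity check ...
        "device_worst_D": max(ks_d(d, reference) for d in devices),
        # ... so crediting devices independently gives about 18 bits per boot,
        "device_sum_bits": sum(entropy_bits(d) for d in devices),
        # while the three values together carry far less.
        "device_joint_bits": entropy_bits(boots),
    }


if __name__ == "__main__":
    for name, value in analyse().items():
        print(f"{name:18s} {value:8.4f}")
```
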

From owner-freebsd-security@FreeBSD.ORG  Tue Sep 25 09:05:03 2012
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52])
	by hub.freebsd.org (Postfix) with ESMTP id DFED0106564A;
	Tue, 25 Sep 2012 09:05:02 +0000 (UTC)
	(envelope-from benlaurie@gmail.com)
Received: from mail-vc0-f182.google.com (mail-vc0-f182.google.com
	[209.85.220.182])
	by mx1.freebsd.org (Postfix) with ESMTP id 5CFC58FC1D;
	Tue, 25 Sep 2012 09:05:02 +0000 (UTC)
Received: by vcbfw7 with SMTP id fw7so9410799vcb.13
	for <multiple recipients>; Tue, 25 Sep 2012 02:05:01 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.52.70.48 with SMTP id j16mr5461364vdu.1.1348563901798; Tue, 25
	Sep 2012 02:05:01 -0700 (PDT)
Sender: benlaurie@gmail.com
Received: by 10.58.79.243 with HTTP; Tue, 25 Sep 2012 02:05:01 -0700 (PDT)
In-Reply-To: <20120925053246.GI1413@garage.freebsd.pl>
References: <20120918211422.GA1400@garage.freebsd.pl>
	<20120919231051.4bc5335b@gumby.homeunix.com>
	<20120920102104.GA1397@garage.freebsd.pl>
	<201209200758.51924.jhb@freebsd.org>
	<20120922080323.GA1454@garage.freebsd.pl>
	<20120922195325.GH1454@garage.freebsd.pl>
	<505E59DC.7090505@gmail.com>
	<20120923151706.GN1454@garage.freebsd.pl>
	<5060D723.6020305@gmail.com> <5060DA45.30808@gmail.com>
	<20120925053246.GI1413@garage.freebsd.pl>
Date: Tue, 25 Sep 2012 10:05:01 +0100
X-Google-Sender-Auth: CV3goILN_w3_lpidNRvq3ynes8I
Message-ID: <CAG5KPzz3ehKm+BN_0MCYfcRFkYxKzFLSTTFEpsJg3kK0BTvChQ@mail.gmail.com>
From: Ben Laurie <benl@freebsd.org>
To: Pawel Jakub Dawidek <pjd@freebsd.org>
Content-Type: text/plain; charset=ISO-8859-1
Cc: freebsd-security@freebsd.org, RW <rwmaillists@googlemail.com>,
	Jonathan Anderson <jonathan.anderson@cl.cam.ac.uk>,
	Mariusz Gromada <mariusz.gromada@gmail.com>, John Baldwin <jhb@freebsd.org>
Subject: Re: Collecting entropy from device_attach() times.
X-List-Received-Date: Tue, 25 Sep 2012 09:05:03 -0000

On Tue, Sep 25, 2012 at 6:32 AM, Pawel Jakub Dawidek <pjd@freebsd.org> wrote:
> On Tue, Sep 25, 2012 at 12:10:13AM +0200, Mariusz Gromada wrote:
>> On 2012-09-24 23:56, Mariusz Gromada wrote:
>>
>> > Ok, finally I have some formal results. To be completely honest I need
>> > to point out that, in fact, we have discrete data (for example
>> > integers 0, 1, ..., 63, but not continuous numbers spread across 0 and
>> > 63). That is why I am going to use the two-sample Kolmogorov-Smirnov test.
>>
>> Another clarification is needed. KS test in general (and in theory)
>> should be used for continuous distributions. But in our case we can
>> easily say that we observe our distribution in integers only (rounding),
>> and the whole rest is easily estimated.
>
> Thanks a lot!
>
> To the list:
>
> phk@ asked me privately to check if there is no correlation between
> consecutive device_attach() calls during a single boot.
>
> For example each device_attach() separately can yield great entropy in
> every test, but all those calls combined might be somehow related, i.e.
> during one boot all calls take a bit longer and in another boot all
> calls take a bit less, which could decrease total entropy we should
> estimate out of it.
>
> I created a dummy driver which was registering three dummy drivers, so it
> was provoking three device_attach() calls on every kldload. Mariusz
> verified the observations and there was no correlation between the
> times.

Sorry to those that are bored, but ... what was the methodology?

> I believe everyone is bored at this point, so I'd like to propose a way
> forward:
>
> I'll perform one more test with CPU clock speed reduced as much as it
> can be and see if rejecting 7 top bits is still fine. If it is, I'd like
> to commit my patch. I was wondering if I should hide it under
> #ifdef __amd64__, but the only risk in having it on all platforms is
> eventually overestimating available entropy, which is bad, but I
> think better than not providing any entropy with this method. On the other
> hand having it on one or two platforms only would maybe motivate people
> to verify it on other platforms.
>
> --
> Pawel Jakub Dawidek                       http://www.wheelsystems.com
> FreeBSD committer                         http://www.FreeBSD.org
> Am I Evil? Yes, I Am!                     http://tupytaj.pl

From owner-freebsd-security@FreeBSD.ORG  Tue Sep 25 09:28:16 2012
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52])
	by hub.freebsd.org (Postfix) with ESMTP id 13DF8106564A;
	Tue, 25 Sep 2012 09:28:16 +0000 (UTC) (envelope-from des@des.no)
Received: from smtp.des.no (smtp.des.no [194.63.250.102])
	by mx1.freebsd.org (Postfix) with ESMTP id BFE298FC1E;
	Tue, 25 Sep 2012 09:28:15 +0000 (UTC)
Received: from ds4.des.no (smtp.des.no [194.63.250.102])
	by smtp.des.no (Postfix) with ESMTP id 7F70660D1;
	Tue, 25 Sep 2012 11:28:14 +0200 (CEST)
Received: by ds4.des.no (Postfix, from userid 1001)
	id 4572D8153; Tue, 25 Sep 2012 11:28:14 +0200 (CEST)
From: Dag-Erling Smørgrav <des@des.no>
To: Ben Laurie <benl@freebsd.org>
References: <20120918211422.GA1400@garage.freebsd.pl>
	<20120919231051.4bc5335b@gumby.homeunix.com>
	<20120920102104.GA1397@garage.freebsd.pl>
	<201209200758.51924.jhb@freebsd.org>
	<20120922080323.GA1454@garage.freebsd.pl>
	<20120922195325.GH1454@garage.freebsd.pl> <505E59DC.7090505@gmail.com>
	<20120923151706.GN1454@garage.freebsd.pl> <5060D723.6020305@gmail.com>
	<CAG5KPzxf0Rfufk5K6Jt4e85xc7zXY_B3a2Sq0Uf_uVLHbV-baw@mail.gmail.com>
Date: Tue, 25 Sep 2012 11:28:13 +0200
In-Reply-To: <CAG5KPzxf0Rfufk5K6Jt4e85xc7zXY_B3a2Sq0Uf_uVLHbV-baw@mail.gmail.com>
	(Ben Laurie's message of "Tue, 25 Sep 2012 10:03:22 +0100")
Message-ID: <86r4pqqwnm.fsf@ds4.des.no>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/23.4 (berkeley-unix)
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
Cc: Jonathan Anderson <jonathan.anderson@cl.cam.ac.uk>,
	Pawel Jakub Dawidek <pjd@freebsd.org>,
	John Baldwin <jhb@freebsd.org>, freebsd-security@freebsd.org,
	RW <rwmaillists@googlemail.com>,
	Mariusz Gromada <mariusz.gromada@gmail.com>
Subject: Re: Collecting entropy from device_attach() times.
X-List-Received-Date: Tue, 25 Sep 2012 09:28:16 -0000

Ben Laurie <benl@freebsd.org> writes:
> Not that I dislike Pawel's approach, it seems promising, I'm just
> pointing out the weakness of the analysis.

It is also based on fake data.

If you give me a couple of days, I'll try to come up with a patch that
collects and stores attach times during boot so we can gather and
analyse real data.

DES
-- 
Dag-Erling Smørgrav - des@des.no

From owner-freebsd-security@FreeBSD.ORG  Tue Sep 25 10:22:18 2012
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 65781106566B;
	Tue, 25 Sep 2012 10:22:18 +0000 (UTC)
	(envelope-from pawel@dawidek.net)
Received: from mail.dawidek.net (garage.dawidek.net [91.121.88.72])
	by mx1.freebsd.org (Postfix) with ESMTP id 20D138FC14;
	Tue, 25 Sep 2012 10:22:17 +0000 (UTC)
Received: from localhost (58.wheelsystems.com [83.12.187.58])
	by mail.dawidek.net (Postfix) with ESMTPSA id 727094A1;
	Tue, 25 Sep 2012 12:21:17 +0200 (CEST)
Date: Tue, 25 Sep 2012 12:22:41 +0200
From: Pawel Jakub Dawidek <pjd@FreeBSD.org>
To: Dag-Erling Smørgrav <des@des.no>
Message-ID: <20120925102240.GC1571@garage.freebsd.pl>
References: <20120919231051.4bc5335b@gumby.homeunix.com>
	<20120920102104.GA1397@garage.freebsd.pl>
	<201209200758.51924.jhb@freebsd.org>
	<20120922080323.GA1454@garage.freebsd.pl>
	<20120922195325.GH1454@garage.freebsd.pl>
	<505E59DC.7090505@gmail.com>
	<20120923151706.GN1454@garage.freebsd.pl>
	<5060D723.6020305@gmail.com>
	<CAG5KPzxf0Rfufk5K6Jt4e85xc7zXY_B3a2Sq0Uf_uVLHbV-baw@mail.gmail.com>
	<86r4pqqwnm.fsf@ds4.des.no>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1;
	protocol="application/pgp-signature"; boundary="wxDdMuZNg1r63Hyj"
Content-Disposition: inline
In-Reply-To: <86r4pqqwnm.fsf@ds4.des.no>
X-OS: FreeBSD 10.0-CURRENT amd64
User-Agent: Mutt/1.5.21 (2010-09-15)
Cc: Jonathan Anderson <jonathan.anderson@cl.cam.ac.uk>,
	John Baldwin <jhb@freebsd.org>, Ben Laurie <benl@freebsd.org>,
	freebsd-security@freebsd.org, RW <rwmaillists@googlemail.com>,
	Mariusz Gromada <mariusz.gromada@gmail.com>
Subject: Re: Collecting entropy from device_attach() times.
X-List-Received-Date: Tue, 25 Sep 2012 10:22:18 -0000


--wxDdMuZNg1r63Hyj
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Tue, Sep 25, 2012 at 11:28:13AM +0200, Dag-Erling Smørgrav wrote:
> Ben Laurie <benl@freebsd.org> writes:
> > Not that I dislike Pawel's approach, it seems promising, I'm just
> > pointing out the weakness of the analysis.
>
> It is also based on fake data.
>
> If you give me a couple of days, I'll try to come up with a patch that
> collects and stores attach times during boot so we can gather and
> analyse real data.

Note that this fake data is the hardest to gather entropy from, as it
doesn't interact with any external hardware. I'm all for testing it on
real hardware and I expect to be able to gather even more entropy from
it (so discarding less than top 7 bits). The problem is that making
observations during boot takes much, much longer, so it will limit the
number of samples significantly, and as you know the more samples the
better.

-- 
Pawel Jakub Dawidek                       http://www.wheelsystems.com
FreeBSD committer                         http://www.FreeBSD.org
Am I Evil? Yes, I Am!                     http://tupytaj.pl

--wxDdMuZNg1r63Hyj
Content-Type: application/pgp-signature


--wxDdMuZNg1r63Hyj--

From owner-freebsd-security@FreeBSD.ORG  Tue Sep 25 10:58:40 2012
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id CB7EE1065672;
	Tue, 25 Sep 2012 10:58:40 +0000 (UTC) (envelope-from des@des.no)
Received: from smtp.des.no (smtp.des.no [194.63.250.102])
	by mx1.freebsd.org (Postfix) with ESMTP id 81CDB8FC0A;
	Tue, 25 Sep 2012 10:58:40 +0000 (UTC)
Received: from ds4.des.no (smtp.des.no [194.63.250.102])
	by smtp.des.no (Postfix) with ESMTP id A886C60FA;
	Tue, 25 Sep 2012 12:58:38 +0200 (CEST)
Received: by ds4.des.no (Postfix, from userid 1001)
	id 463678161; Tue, 25 Sep 2012 12:58:37 +0200 (CEST)
From: Dag-Erling Smørgrav <des@des.no>
To: Pawel Jakub Dawidek <pjd@FreeBSD.org>
References: <20120919231051.4bc5335b@gumby.homeunix.com>
	<20120920102104.GA1397@garage.freebsd.pl>
	<201209200758.51924.jhb@freebsd.org>
	<20120922080323.GA1454@garage.freebsd.pl>
	<20120922195325.GH1454@garage.freebsd.pl> <505E59DC.7090505@gmail.com>
	<20120923151706.GN1454@garage.freebsd.pl> <5060D723.6020305@gmail.com>
	<CAG5KPzxf0Rfufk5K6Jt4e85xc7zXY_B3a2Sq0Uf_uVLHbV-baw@mail.gmail.com>
	<86r4pqqwnm.fsf@ds4.des.no> <20120925102240.GC1571@garage.freebsd.pl>
Date: Tue, 25 Sep 2012 12:58:37 +0200
In-Reply-To: <20120925102240.GC1571@garage.freebsd.pl> (Pawel Jakub Dawidek's
	message of "Tue, 25 Sep 2012 12:22:41 +0200")
Message-ID: <86mx0eqsgy.fsf@ds4.des.no>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/23.4 (berkeley-unix)
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
Cc: Jonathan Anderson <jonathan.anderson@cl.cam.ac.uk>,
	John Baldwin <jhb@freebsd.org>, Ben Laurie <benl@freebsd.org>,
	freebsd-security@freebsd.org, RW <rwmaillists@googlemail.com>,
	Mariusz Gromada <mariusz.gromada@gmail.com>
Subject: Re: Collecting entropy from device_attach() times.
X-List-Received-Date: Tue, 25 Sep 2012 10:58:40 -0000

Pawel Jakub Dawidek <pjd@FreeBSD.org> writes:
> Note that this fake data is the hardest to gather entropy from, as it
> doesn't interact with any external hardware. I'm all for testing it on
> real hardware and I expect to be able to gather even more entropy from
> it (so discarding less than top 7 bits). The problem is that making
> observations during boot takes much, much longer, so it will limit the
> number of samples significantly, and as you know the more samples the
> better.

I have a handful of SFF machines which support PXE.  I can easily set up
an NFS root where /etc/rc just remounts / rw, dumps the data and
reboots.  With a sub-minute cycle time, I can get a couple of hundred
thousand samples per machine over the weekend.

(I don't even need PXE - they'll probably boot faster from USB sticks or
disks)

DES
-- 
Dag-Erling Smørgrav - des@des.no

From owner-freebsd-security@FreeBSD.ORG  Tue Sep 25 09:29:40 2012
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52])
	by hub.freebsd.org (Postfix) with ESMTP id 9A144106568F;
	Tue, 25 Sep 2012 09:29:40 +0000 (UTC)
	(envelope-from mariusz.gromada@gmail.com)
Received: from mail-qa0-f54.google.com (mail-qa0-f54.google.com
	[209.85.216.54])
	by mx1.freebsd.org (Postfix) with ESMTP id 04CFC8FC08;
	Tue, 25 Sep 2012 09:29:39 +0000 (UTC)
Received: by qady23 with SMTP id y23so3983033qad.13
	for <multiple recipients>; Tue, 25 Sep 2012 02:29:39 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.224.70.138 with SMTP id d10mr38558901qaj.12.1348565379415;
	Tue, 25 Sep 2012 02:29:39 -0700 (PDT)
Received: by 10.49.81.242 with HTTP; Tue, 25 Sep 2012 02:29:39 -0700 (PDT)
In-Reply-To: <CAG5KPzxf0Rfufk5K6Jt4e85xc7zXY_B3a2Sq0Uf_uVLHbV-baw@mail.gmail.com>
References: <20120918211422.GA1400@garage.freebsd.pl>
	<20120919231051.4bc5335b@gumby.homeunix.com>
	<20120920102104.GA1397@garage.freebsd.pl>
	<201209200758.51924.jhb@freebsd.org>
	<20120922080323.GA1454@garage.freebsd.pl>
	<20120922195325.GH1454@garage.freebsd.pl>
	<505E59DC.7090505@gmail.com>
	<20120923151706.GN1454@garage.freebsd.pl>
	<5060D723.6020305@gmail.com>
	<CAG5KPzxf0Rfufk5K6Jt4e85xc7zXY_B3a2Sq0Uf_uVLHbV-baw@mail.gmail.com>
Date: Tue, 25 Sep 2012 11:29:39 +0200
Message-ID: <CANsh1da59oRAB+1OsdoHXKe-ushoy16g2=rfXg_2-MjUevGCqA@mail.gmail.com>
From: Mariusz Gromada <mariusz.gromada@gmail.com>
To: Ben Laurie <benl@freebsd.org>
X-Mailman-Approved-At: Tue, 25 Sep 2012 11:55:02 +0000
Content-Type: text/plain; charset=ISO-8859-1
X-Content-Filtered-By: Mailman/MimeDel 2.1.5
Cc: freebsd-security@freebsd.org, RW <rwmaillists@googlemail.com>,
	Jonathan Anderson <jonathan.anderson@cl.cam.ac.uk>,
	Pawel Jakub Dawidek <pjd@freebsd.org>, John Baldwin <jhb@freebsd.org>
Subject: Re: Collecting entropy from device_attach() times.
X-List-Received-Date: Tue, 25 Sep 2012 09:29:40 -0000

>
>
> You cannot conclude that - no test can tell you it, but this test
> rather obviously does not, since what it tests is the equality of
> probability distributions, so what you can now say is that the
> distribution is square. A completely predictable sequence, say 0..63,
> would satisfy that.
>
>
Yes, I agree. That is why I proposed to Pawel an analysis from the area of
stochastic processes.


> Empirically, it seems to me that these numbers are actually unlikely
> to be correlated with each other, but that has not been tested.
>


Another yes, you are right. We need much more data to check if we have a
stochastic process consisting of independent random variables.


>
> Also untested is correlation between the numbers from different
> devices on the same run - if they were strongly correlated, for
> example, that would be bad.
>

I have proposed that also, but it requires checking different
architectures. I even offered my raspberry pi :-), but unfortunately
FreeBSD does not want to work on it :-(



>
> Not that I dislike Pawel's approach, it seems promising, I'm just
> pointing out the weakness of the analysis.
>


Again, thanks for pointing out the weakness of the analysis, you are completely
right about everything. I have been thinking about all of these issues, but
unfortunately forgot to write them down as constraints of the analysis.

Regards,
Mariusz

From owner-freebsd-security@FreeBSD.ORG  Tue Sep 25 09:36:33 2012
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 15DDD106564A;
	Tue, 25 Sep 2012 09:36:33 +0000 (UTC)
	(envelope-from mariusz.gromada@gmail.com)
Received: from mail-qa0-f54.google.com (mail-qa0-f54.google.com
	[209.85.216.54])
	by mx1.freebsd.org (Postfix) with ESMTP id 764398FC14;
	Tue, 25 Sep 2012 09:36:32 +0000 (UTC)
Received: by qady23 with SMTP id y23so3986442qad.13
	for <multiple recipients>; Tue, 25 Sep 2012 02:36:31 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.229.252.196 with SMTP id mx4mr9931489qcb.16.1348565791758;
	Tue, 25 Sep 2012 02:36:31 -0700 (PDT)
Received: by 10.49.81.242 with HTTP; Tue, 25 Sep 2012 02:36:31 -0700 (PDT)
In-Reply-To: <CANsh1da59oRAB+1OsdoHXKe-ushoy16g2=rfXg_2-MjUevGCqA@mail.gmail.com>
References: <20120918211422.GA1400@garage.freebsd.pl>
	<20120919231051.4bc5335b@gumby.homeunix.com>
	<20120920102104.GA1397@garage.freebsd.pl>
	<201209200758.51924.jhb@freebsd.org>
	<20120922080323.GA1454@garage.freebsd.pl>
	<20120922195325.GH1454@garage.freebsd.pl>
	<505E59DC.7090505@gmail.com>
	<20120923151706.GN1454@garage.freebsd.pl>
	<5060D723.6020305@gmail.com>
	<CAG5KPzxf0Rfufk5K6Jt4e85xc7zXY_B3a2Sq0Uf_uVLHbV-baw@mail.gmail.com>
	<CANsh1da59oRAB+1OsdoHXKe-ushoy16g2=rfXg_2-MjUevGCqA@mail.gmail.com>
Date: Tue, 25 Sep 2012 11:36:31 +0200
Message-ID: <CANsh1da6ti9_97bhtOwjC4B8GW3Bn+==d67GDsJqBV4oTZgh1Q@mail.gmail.com>
From: Mariusz Gromada <mariusz.gromada@gmail.com>
To: Ben Laurie <benl@freebsd.org>
X-Mailman-Approved-At: Tue, 25 Sep 2012 11:55:15 +0000
Content-Type: text/plain; charset=ISO-8859-1
X-Content-Filtered-By: Mailman/MimeDel 2.1.5
Cc: freebsd-security@freebsd.org, RW <rwmaillists@googlemail.com>,
	Jonathan Anderson <jonathan.anderson@cl.cam.ac.uk>,
	Pawel Jakub Dawidek <pjd@freebsd.org>, John Baldwin <jhb@freebsd.org>
Subject: Re: Collecting entropy from device_attach() times.
X-List-Received-Date: Tue, 25 Sep 2012 09:36:33 -0000

2012/9/25 Mariusz Gromada <mariusz.gromada@gmail.com>
>> Empirically, it seems to me that these numbers are actually unlikely
>> to be correlated with each other, but that has not been tested.
>
> Another yes, you are right. We need much more data to check if we have a
> stochastic process consisting of independent random variables.

Here we did some initial testing, mainly based on charts, which showed
typical noise in time. But again, it requires a formal proof.

From owner-freebsd-security@FreeBSD.ORG  Tue Sep 25 12:06:59 2012
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 839DA1065675
	for <freebsd-security@freebsd.org>;
	Tue, 25 Sep 2012 12:06:59 +0000 (UTC)
	(envelope-from andrey@zonov.org)
Received: from mail-lb0-f182.google.com (mail-lb0-f182.google.com
	[209.85.217.182])
	by mx1.freebsd.org (Postfix) with ESMTP id F02E78FC08
	for <freebsd-security@freebsd.org>;
	Tue, 25 Sep 2012 12:06:58 +0000 (UTC)
Received: by lbdb5 with SMTP id b5so1118lbd.13
	for <freebsd-security@freebsd.org>;
	Tue, 25 Sep 2012 05:06:58 -0700 (PDT)
Received: by 10.112.51.174 with SMTP id l14mr5591471lbo.24.1348574817841;
	Tue, 25 Sep 2012 05:06:57 -0700 (PDT)
Received: from dhcp170-234-red.yandex.net (dhcp170-234-red.yandex.net.
	[95.108.170.234])
	by mx.google.com with ESMTPS id i3sm154675lbg.10.2012.09.25.05.06.56
	(version=SSLv3 cipher=OTHER); Tue, 25 Sep 2012 05:06:57 -0700 (PDT)
Sender: Andrey Zonov <andrey@zonov.org>
Message-ID: <50619E5D.3010503@FreeBSD.org>
Date: Tue, 25 Sep 2012 16:06:53 +0400
From: Andrey Zonov <zont@FreeBSD.org>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7;
	rv:15.0) Gecko/20120907 Thunderbird/15.0.1
MIME-Version: 1.0
To: freebsd-security@freebsd.org
X-Enigmail-Version: 1.4.4
Content-Type: multipart/signed; micalg=pgp-sha1;
	protocol="application/pgp-signature";
	boundary="------------enigA7C7F6E7966B45B80AF98925"
X-Gm-Message-State: ALoCoQmowQGTjijJT/ir1HRtt7WQ1hCE54Tip4k242+HTwe7H4ExuqQURzGcJFLAce+gTteSGgFP
Subject: [patch] unprivileged mlock(2)
X-List-Received-Date: Tue, 25 Sep 2012 12:07:00 -0000

This is an OpenPGP/MIME signed message (RFC 2440 and 3156)
--------------enigA7C7F6E7966B45B80AF98925
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable

Hi,

Please review this patch [1] which allows unprivileged users to call
mlock()/munlock() and mlockall()/munlockall().

AFAIK, these calls were not allowed for everyone because accounting for
mlockall(MCL_FUTURE) was not implemented.

[1] http://people.freebsd.org/~zont/patches/mlock3.patch

-- 
Andrey Zonov


--------------enigA7C7F6E7966B45B80AF98925--

From owner-freebsd-security@FreeBSD.ORG  Tue Sep 25 16:37:11 2012
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52])
	by hub.freebsd.org (Postfix) with ESMTP id AFC80106566B;
	Tue, 25 Sep 2012 16:37:11 +0000 (UTC)
	(envelope-from pawel@dawidek.net)
Received: from mail.dawidek.net (garage.dawidek.net [91.121.88.72])
	by mx1.freebsd.org (Postfix) with ESMTP id 6C20C8FC14;
	Tue, 25 Sep 2012 16:37:10 +0000 (UTC)
Received: from localhost (89-73-195-149.dynamic.chello.pl [89.73.195.149])
	by mail.dawidek.net (Postfix) with ESMTPSA id 14F4D592;
	Tue, 25 Sep 2012 18:36:11 +0200 (CEST)
Date: Tue, 25 Sep 2012 18:37:35 +0200
From: Pawel Jakub Dawidek <pjd@FreeBSD.org>
To: Dag-Erling =?iso-8859-1?Q?Sm=F8rgrav?= <des@des.no>
Message-ID: <20120925163735.GC1391@garage.freebsd.pl>
References: <201209200758.51924.jhb@freebsd.org>
	<20120922080323.GA1454@garage.freebsd.pl>
	<20120922195325.GH1454@garage.freebsd.pl>
	<505E59DC.7090505@gmail.com>
	<20120923151706.GN1454@garage.freebsd.pl>
	<5060D723.6020305@gmail.com>
	<CAG5KPzxf0Rfufk5K6Jt4e85xc7zXY_B3a2Sq0Uf_uVLHbV-baw@mail.gmail.com>
	<86r4pqqwnm.fsf@ds4.des.no>
	<20120925102240.GC1571@garage.freebsd.pl>
	<86mx0eqsgy.fsf@ds4.des.no>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1;
	protocol="application/pgp-signature"; boundary="dkEUBIird37B8yKS"
Content-Disposition: inline
In-Reply-To: <86mx0eqsgy.fsf@ds4.des.no>
X-OS: FreeBSD 10.0-CURRENT amd64
User-Agent: Mutt/1.5.21 (2010-09-15)
Cc: Jonathan Anderson <jonathan.anderson@cl.cam.ac.uk>,
	John Baldwin <jhb@freebsd.org>, Ben Laurie <benl@freebsd.org>,
	freebsd-security@freebsd.org, RW <rwmaillists@googlemail.com>,
	Mariusz Gromada <mariusz.gromada@gmail.com>
Subject: Re: Collecting entropy from device_attach() times.
X-List-Received-Date: Tue, 25 Sep 2012 16:37:11 -0000


--dkEUBIird37B8yKS
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Tue, Sep 25, 2012 at 12:58:37PM +0200, Dag-Erling Smørgrav wrote:
> Pawel Jakub Dawidek <pjd@FreeBSD.org> writes:
> > Note that this fake data is the hardest to gather entropy from, as it
> > doesn't interact with any external hardware. I'm all for testing it on
> > real hardware and I expect to be able to gather even more entropy from
> > it (so discarding less than top 7 bits). The problem with making
> > observations during boot takes much, much longer, so it will limit the
> > number of samples significantly, and as you know the more samples the
> > better.
>
> I have a handful of SFF machines which support PXE.  I can easily set up
> an NFS root where /etc/rc just remounts / rw, dumps the data and
> reboots.  With a sub-minute cycle time, I can get a couple of hundred
> thousand samples per machine over the weekend.

That would be great.

> (I don't even need PXE - they'll probably boot faster from USB sticks or
> disks)

And probably more reliable. My netbooted test machines occasionally
don't boot and you don't want to find out in the morning that the whole
process stopped at 1AM:)

-- 
Pawel Jakub Dawidek                       http://www.wheelsystems.com
FreeBSD committer                         http://www.FreeBSD.org
Am I Evil? Yes, I Am!                     http://tupytaj.pl

--dkEUBIird37B8yKS--

From owner-freebsd-security@FreeBSD.ORG  Tue Sep 25 18:46:11 2012
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id A88D7106564A;
	Tue, 25 Sep 2012 18:46:11 +0000 (UTC) (envelope-from des@des.no)
Received: from smtp.des.no (smtp.des.no [194.63.250.102])
	by mx1.freebsd.org (Postfix) with ESMTP id 6131B8FC14;
	Tue, 25 Sep 2012 18:46:11 +0000 (UTC)
Received: from ds4.des.no (smtp.des.no [194.63.250.102])
	by smtp.des.no (Postfix) with ESMTP id DA23A62EA;
	Tue, 25 Sep 2012 20:46:09 +0200 (CEST)
Received: by ds4.des.no (Postfix, from userid 1001)
	id 74DF681AF; Tue, 25 Sep 2012 20:46:09 +0200 (CEST)
From: =?utf-8?Q?Dag-Erling_Sm=C3=B8rgrav?= <des@des.no>
To: Pawel Jakub Dawidek <pjd@FreeBSD.org>
References: <201209200758.51924.jhb@freebsd.org>
	<20120922080323.GA1454@garage.freebsd.pl>
	<20120922195325.GH1454@garage.freebsd.pl> <505E59DC.7090505@gmail.com>
	<20120923151706.GN1454@garage.freebsd.pl> <5060D723.6020305@gmail.com>
	<CAG5KPzxf0Rfufk5K6Jt4e85xc7zXY_B3a2Sq0Uf_uVLHbV-baw@mail.gmail.com>
	<86r4pqqwnm.fsf@ds4.des.no> <20120925102240.GC1571@garage.freebsd.pl>
	<86mx0eqsgy.fsf@ds4.des.no> <20120925163735.GC1391@garage.freebsd.pl>
Date: Tue, 25 Sep 2012 20:46:08 +0200
In-Reply-To: <20120925163735.GC1391@garage.freebsd.pl> (Pawel Jakub Dawidek's
	message of "Tue, 25 Sep 2012 18:37:35 +0200")
Message-ID: <861uhqeya7.fsf@ds4.des.no>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/23.4 (berkeley-unix)
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
Cc: Jonathan Anderson <jonathan.anderson@cl.cam.ac.uk>,
	John Baldwin <jhb@freebsd.org>, Ben Laurie <benl@freebsd.org>,
	freebsd-security@freebsd.org, RW <rwmaillists@googlemail.com>,
	Mariusz Gromada <mariusz.gromada@gmail.com>
Subject: Re: Collecting entropy from device_attach() times.
X-List-Received-Date: Tue, 25 Sep 2012 18:46:11 -0000

Pawel Jakub Dawidek <pjd@FreeBSD.org> writes:
> "Dag-Erling Smørgrav" <des@des.no> writes:
> > (I don't even need PXE - they'll probably boot faster from USB
> > sticks or disks)
> And probably more reliable. My netbooted test machines occasionally
> don't boot and you don't want to find out in the morning that the whole
> process stopped at 1AM:)

I've had machines where PXE only worked after a power cycle.  I never
managed to figure out why...

DES
-- 
Dag-Erling Smørgrav - des@des.no

From owner-freebsd-security@FreeBSD.ORG  Tue Sep 25 20:05:51 2012
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52])
	by hub.freebsd.org (Postfix) with ESMTP id 689F0106566C;
	Tue, 25 Sep 2012 20:05:51 +0000 (UTC)
	(envelope-from mariusz.gromada@gmail.com)
Received: from mail-ee0-f54.google.com (mail-ee0-f54.google.com [74.125.83.54])
	by mx1.freebsd.org (Postfix) with ESMTP id 6C2508FC0A;
	Tue, 25 Sep 2012 20:05:50 +0000 (UTC)
Received: by eekc50 with SMTP id c50so1043929eek.13
	for <multiple recipients>; Tue, 25 Sep 2012 13:05:49 -0700 (PDT)
Received: by 10.14.179.136 with SMTP id h8mr22154169eem.6.1348603549296;
	Tue, 25 Sep 2012 13:05:49 -0700 (PDT)
Received: from [192.168.1.100] (89-76-147-86.dynamic.chello.pl. [89.76.147.86])
	by mx.google.com with ESMTPS id k49sm3651570een.4.2012.09.25.13.05.46
	(version=SSLv3 cipher=OTHER); Tue, 25 Sep 2012 13:05:47 -0700 (PDT)
Message-ID: <50620E8E.9020501@gmail.com>
Date: Tue, 25 Sep 2012 22:05:34 +0200
From: Mariusz Gromada <mariusz.gromada@gmail.com>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64;
	rv:15.0) Gecko/20120907 Thunderbird/15.0.1
MIME-Version: 1.0
To: Ben Laurie <benl@freebsd.org>
References: <20120918211422.GA1400@garage.freebsd.pl>
	<20120919231051.4bc5335b@gumby.homeunix.com>
	<20120920102104.GA1397@garage.freebsd.pl>
	<201209200758.51924.jhb@freebsd.org>
	<20120922080323.GA1454@garage.freebsd.pl>
	<20120922195325.GH1454@garage.freebsd.pl>
	<505E59DC.7090505@gmail.com>
	<20120923151706.GN1454@garage.freebsd.pl>
	<5060D723.6020305@gmail.com> <5060DA45.30808@gmail.com>
	<20120925053246.GI1413@garage.freebsd.pl>
	<CAG5KPzz3ehKm+BN_0MCYfcRFkYxKzFLSTTFEpsJg3kK0BTvChQ@mail.gmail.com>
In-Reply-To: <CAG5KPzz3ehKm+BN_0MCYfcRFkYxKzFLSTTFEpsJg3kK0BTvChQ@mail.gmail.com>
Content-Type: text/plain; charset=windows-1252; format=flowed
Content-Transfer-Encoding: 8bit
X-Mailman-Approved-At: Tue, 25 Sep 2012 21:32:45 +0000
Cc: freebsd-security@freebsd.org, RW <rwmaillists@googlemail.com>,
	Jonathan Anderson <jonathan.anderson@cl.cam.ac.uk>,
	Pawel Jakub Dawidek <pjd@freebsd.org>, John Baldwin <jhb@freebsd.org>
Subject: Re: Collecting entropy from device_attach() times.
X-List-Received-Date: Tue, 25 Sep 2012 20:05:51 -0000

On 2012-09-25 11:05, Ben Laurie wrote:

>> I created dummy driver which was registering three dummy drivers, so it
>> was provoking three device_attach() calls on every kldload. Mariusz
>> verified the observations and there was no correlation between the
>> times.
>
> Sorry to those that are bored, but ... what was the methodology?
>


Ok, finally I had enough time to write something more.

Try not to think about this data as a sequence of numbers a1, a2, ..., 
an, but rather as a sequence of random variables X(w,1), X(w,2), 
...,X(w,n) – in general X(w,t) where 'w' is something similar to random 
event (something unpredictable) and 't' is time. In mathematics X(w,t) 
is called a stochastic process (or random process / time series). In our 
case 'w' may be interpreted as a particular machine, 't' will simply 
identify the sequence number of each device attach, then X(w,t) will be 
the entropy-suspected part of the final device attach time (measured in some 
units).

Our task is to check if there are any autocorrelations in the X(w,t) 
process, which means checking if there are any dependencies between 
random variables X(w,t1) and X(w,t2) where t1 < t2.

It is possible to do this using some formal statistical test (i.e.: 
Durbin–Watson test, Autocorrelation Random Number Test).

I received from Pawel one portion of real data - 2081 observations 
coming from just one realization of the process. Checking 
autocorrelations requires data from many realizations of the process: in 
this case Nx2081, where each realization from 1 to N should start from 
the same beginning.

But for dummy data we did something (with Pawel) for X(w,1), X(w,2), 
X(w,3) - many realizations were generated. Finally, no 
autocorrelations were observed.

Summarizing:
1. We proved that data comes from uniform distribution (KS test)
2. We proved that there was no autocorrelation in the stochastic process 
consisting of 3 subsequent device attaches
3. We did graphical analysis, where typical noise was identified for 
much more than 3 device attaches.

What else could be done:
1. Proving that there are no autocorrelations between X(w,t1) and X(w,t2) 
where t1 < t2.
2. Confirming results for some other architectures and devices, which 
means confirming results for X(w1,t), X(w2, t), ...

Regards,
Mariusz
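
The checks discussed in this thread, as an added example that is not part of the original message and does not use the data Pawel and Mariusz analysed: it runs a KS uniformity test, lag-1 autocorrelation and the Durbin-Watson statistic over Ben Laurie's predictable 0..63 sequence and over a PRNG stand-in, then correlates attach positions across realizations. All names and sample data are constructed for illustration; Durbin-Watson is applied here to mean-centred values (the residuals of a constant-only model).

```python
import math
import random

M = 64  # Ben Laurie's counter-example is the fully predictable sequence 0..63


def ks_uniform(samples):
    """KS distance from the uniform distribution, plus the alpha=0.05 critical value.

    Each value v in 0..M-1 is mapped to the centre of its bin, (v + 0.5) / M.
    """
    u = sorted((v + 0.5) / M for v in samples)
    n = len(u)
    d = max(max((i + 1) / n - x, x - i / n) for i, x in enumerate(u))
    return d, 1.358 / math.sqrt(n)


def _centred(samples):
    mean = sum(samples) / len(samples)
    return [x - mean for x in samples]


def lag_autocorr(samples, lag=1):
    """Sample autocorrelation of one realization at the given lag."""
    c = _centred(samples)
    return sum(a * b for a, b in zip(c, c[lag:])) / sum(a * a for a in c)


def durbin_watson(samples):
    """Near 2 for uncorrelated neighbours, near 0 for strong positive correlation."""
    c = _centred(samples)
    return sum((b - a) ** 2 for a, b in zip(c, c[1:])) / sum(a * a for a in c)


def pearson(xs, ys):
    cx, cy = _centred(xs), _centred(ys)
    num = sum(a * b for a, b in zip(cx, cy))
    return num / math.sqrt(sum(a * a for a in cx) * sum(b * b for b in cy))


def position_correlations(runs):
    """Pearson r between attach positions t1 < t2, taken across realizations.

    `runs` has one row per realization (one kldload or boot) and one column
    per device_attach() position, i.e. the N x 3 layout described above.
    """
    cols = list(zip(*runs))
    return {(a, b): pearson(cols[a], cols[b])
            for a in range(len(cols)) for b in range(a + 1, len(cols))}


def report(samples):
    d, crit = ks_uniform(samples)
    return {"ks_d": d, "ks_crit": crit, "uniform_not_rejected": d < crit,
            "lag1": lag_autocorr(samples), "dw": durbin_watson(samples)}


# Constructed sample data (not measurements from any machine).
rng = random.Random(2012)
COUNTER = [i % M for i in range(2048)]          # 0..63 repeated: predictable
NOISE = [rng.randrange(M) for _ in range(2048)]  # PRNG stand-in for timing bits
RUNS = []                                        # position 2 copies position 1
for _ in range(2000):
    first = rng.randrange(M)
    RUNS.append((first, first, rng.randrange(M)))

if __name__ == "__main__":
    for name, data in (("counter", COUNTER), ("noise", NOISE)):
        print(name, report(data))
    print("across realizations:", position_correlations(RUNS))
```

The counter is not rejected by the uniformity test, yet its lag-1 autocorrelation and Durbin-Watson value expose it at once; none of these statistics says anything about what an attacker who models the hardware can predict.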


From owner-freebsd-security@FreeBSD.ORG  Tue Sep 25 21:39:12 2012
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52])
	by hub.freebsd.org (Postfix) with ESMTP id E1502106566B
	for <freebsd-security@freebsd.org>;
	Tue, 25 Sep 2012 21:39:12 +0000 (UTC)
	(envelope-from rwmaillists@googlemail.com)
Received: from mail-wi0-f172.google.com (mail-wi0-f172.google.com
	[209.85.212.172])
	by mx1.freebsd.org (Postfix) with ESMTP id 61A1A8FC14
	for <freebsd-security@freebsd.org>;
	Tue, 25 Sep 2012 21:39:12 +0000 (UTC)
Received: by wibhq12 with SMTP id hq12so3148890wib.13
	for <freebsd-security@freebsd.org>;
	Tue, 25 Sep 2012 14:39:11 -0700 (PDT)
Received: by 10.216.194.223 with SMTP id m73mr10382540wen.144.1348609151128;
	Tue, 25 Sep 2012 14:39:11 -0700 (PDT)
Received: from gumby.homeunix.com (87-194-105-247.bethere.co.uk.
	[87.194.105.247])
	by mx.google.com with ESMTPS id f10sm2834389wiy.9.2012.09.25.14.39.08
	(version=SSLv3 cipher=OTHER); Tue, 25 Sep 2012 14:39:10 -0700 (PDT)
Date: Tue, 25 Sep 2012 22:39:06 +0100
From: RW <rwmaillists@googlemail.com>
To: freebsd-security@freebsd.org
Message-ID: <20120925223906.32f6597b@gumby.homeunix.com>
In-Reply-To: <CANsh1da6ti9_97bhtOwjC4B8GW3Bn+==d67GDsJqBV4oTZgh1Q@mail.gmail.com>
References: <20120918211422.GA1400@garage.freebsd.pl>
	<20120919231051.4bc5335b@gumby.homeunix.com>
	<20120920102104.GA1397@garage.freebsd.pl>
	<201209200758.51924.jhb@freebsd.org>
	<20120922080323.GA1454@garage.freebsd.pl>
	<20120922195325.GH1454@garage.freebsd.pl>
	<505E59DC.7090505@gmail.com>
	<20120923151706.GN1454@garage.freebsd.pl>
	<5060D723.6020305@gmail.com>
	<CAG5KPzxf0Rfufk5K6Jt4e85xc7zXY_B3a2Sq0Uf_uVLHbV-baw@mail.gmail.com>
	<CANsh1da59oRAB+1OsdoHXKe-ushoy16g2=rfXg_2-MjUevGCqA@mail.gmail.com>
	<CANsh1da6ti9_97bhtOwjC4B8GW3Bn+==d67GDsJqBV4oTZgh1Q@mail.gmail.com>
X-Mailer: Claws Mail 3.8.1 (GTK+ 2.24.6; amd64-portbld-freebsd8.3)
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Subject: Re: Collecting entropy from device_attach() times.
X-List-Received-Date: Tue, 25 Sep 2012 21:39:13 -0000

On Tue, 25 Sep 2012 11:36:31 +0200
Mariusz Gromada wrote:


> Here we did some initial testing, mainly based on charts, which showed
> typical noise in time. But again, it requires a formal proof.

When you say formal proof let's be clear that you aren't actually
proving anything about entropy.

Entropy and randomness are two completely different concepts.
Good randomness is not a requirement of an entropy source, and
doesn't imply anything at all about entropy.

What's actually happening here is that observations are being
made on randomness and then translated into entropy based on the
assumption that an attacker can never gain any advantage over treating
the timings as the product of a black box.


From owner-freebsd-security@FreeBSD.ORG  Wed Sep 26 04:40:26 2012
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52])
	by hub.freebsd.org (Postfix) with ESMTP id C5ECC106566B
	for <freebsd-security@freebsd.org>;
	Wed, 26 Sep 2012 04:40:26 +0000 (UTC)
	(envelope-from mousedz23499@workoblue.33mail.com)
Received: from sam.nabble.com (sam.nabble.com [216.139.236.26])
	by mx1.freebsd.org (Postfix) with ESMTP id A3D9F8FC0C
	for <freebsd-security@freebsd.org>;
	Wed, 26 Sep 2012 04:40:26 +0000 (UTC)
Received: from [192.168.236.26] (helo=sam.nabble.com)
	by sam.nabble.com with esmtp (Exim 4.72)
	(envelope-from <mousedz23499@workoblue.33mail.com>)
	id 1TGjQ4-00020l-0w
	for freebsd-security@freebsd.org; Tue, 25 Sep 2012 21:40:20 -0700
Date: Tue, 25 Sep 2012 21:40:20 -0700 (PDT)
From: moused86799 <mousedz23499@workoblue.33mail.com>
To: freebsd-security@freebsd.org
Message-ID: <1348634420023-5746974.post@n5.nabble.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
X-Mailman-Approved-At: Wed, 26 Sep 2012 11:47:45 +0000
Subject: Vulnerability - moused dependency on dbus-daemon - how to get rid
 of DBUS?
X-List-Received-Date: Wed, 26 Sep 2012 04:40:26 -0000

one way of attacking the OS
1.search the lists
http://lists.freebsd.org/pipermail/freebsd-questions/2012-May/241042.html
2.)mouse intermittent works if problem with dbus-daemon
3.)analyze - dbus-daemon is a 'relatively unknown' and extra DEPENDENCY
of moused
4.)set kern.securelevel=333
5.)interrupt control of moused
root /usr/sbin/moused -F 200 -A 1.5.2.0 -a 0.7 -r high -V -p /dev/psm0 -t
auto
6.)alt to port /dev/psm0 - not completed

so, how can anything dbus be ELIMINATED from the OS?

*details using dtpstree
init-+-adjkerntz
     |-console-kit-daemon
     |-devd
     |-moused
     |-dbus-daemon
     |-polkitd
     |-swapexd
     |-7*[getty]
     |-gpg-agent
     |-2*[gam_server]
     |-login---shell--sh---xinit-+-Xorg
     |                           `-fluxbox-+-terminal
     |-***network

question: how can dbus or dbus-daemon be eliminated from the basic OS
configuration for a
developer workstation?

Thank you.



--
View this message in context: http://freebsd.1045724.n5.nabble.com/Vulnerability-moused-dependency-on-dbus-daemon-how-to-get-rid-of-DBUS-tp5746974.html
Sent from the freebsd-security mailing list archive at Nabble.com.

From owner-freebsd-security@FreeBSD.ORG  Wed Sep 26 12:16:18 2012
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 237331065673
	for <freebsd-security@freebsd.org>;
	Wed, 26 Sep 2012 12:16:18 +0000 (UTC)
	(envelope-from david@catwhisker.org)
Received: from albert.catwhisker.org (m209-73.dsl.rawbw.com [198.144.209.73])
	by mx1.freebsd.org (Postfix) with ESMTP id E697A8FC14
	for <freebsd-security@freebsd.org>;
	Wed, 26 Sep 2012 12:16:17 +0000 (UTC)
Received: from albert.catwhisker.org (localhost [127.0.0.1])
	by albert.catwhisker.org (8.14.5/8.14.5) with ESMTP id q8QCGGPc002033; 
	Wed, 26 Sep 2012 05:16:16 -0700 (PDT)
	(envelope-from david@albert.catwhisker.org)
Received: (from david@localhost)
	by albert.catwhisker.org (8.14.5/8.14.5/Submit) id q8QCGGU7002032;
	Wed, 26 Sep 2012 05:16:16 -0700 (PDT) (envelope-from david)
Date: Wed, 26 Sep 2012 05:16:16 -0700
From: David Wolfskill <david@catwhisker.org>
To: moused86799 <mousedz23499@workoblue.33mail.com>
Message-ID: <20120926121616.GA1645@albert.catwhisker.org>
References: <1348634420023-5746974.post@n5.nabble.com>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1;
	protocol="application/pgp-signature"; boundary="J/dobhs11T7y2rNN"
Content-Disposition: inline
In-Reply-To: <1348634420023-5746974.post@n5.nabble.com>
User-Agent: Mutt/1.5.21 (2010-09-15)
Cc: freebsd-security@freebsd.org
Subject: Re: Vulnerability - moused dependency on dbus-daemon - how to get
 rid of DBUS?
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Security issues \[members-only posting\]"
	<freebsd-security.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>, 
	<mailto:freebsd-security-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-security>
List-Post: <mailto:freebsd-security@freebsd.org>
List-Help: <mailto:freebsd-security-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>, 
	<mailto:freebsd-security-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 26 Sep 2012 12:16:18 -0000


--J/dobhs11T7y2rNN
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Tue, Sep 25, 2012 at 09:40:20PM -0700, moused86799 wrote:
> one way of attacking the OS
> 1.search the lists
> http://lists.freebsd.org/pipermail/freebsd-questions/2012-May/241042.html
> 2.)mouse intermittent works if problem with dbus-daemon
> 3.)analyze - dbus-daemon is a 'relatively unknown' and extra DEPENDENCY
> of moused

Errr...  Perhaps in your configuration; perhaps also in (some) others'.
But moused is part of base FreeBSD, while dbus* is not.  So it is
certainly possible to run moused without dbus-daemon.

But as a somewhat more constructive demonstration:

g1-227(10.0-C)[1] ps axwwl | egrep 'moused|dbus'
   0 1461    1   0  20  0  10076  9840 select   Ss    -  0:00.10 /usr/sbin/moused -a 2.7 -p /dev/psm0 -t auto
1001 7579 1855   0  21  0  10148  9280 -        RL+   7  0:00.01 egrep moused|dbus
g1-227(10.0-C)[2]

That's from my laptop, running X.  While I have dbus-1.4.14_4 &
dbus-glib-0.94 installed (as they are listed as dependencies for
some other ports I have installed), I decline to use them.

> 4.)set kern.securelevel=333
> 5.)interrupt control of moused
> root /usr/sbin/moused -F 200 -A 1.5.2.0 -a 0.7 -r high -V -p /dev/psm0 -t
> auto
> 6.)alt to port /dev/psm0 - not completed

Errr... Everything you're doing there already requires eUID 0 access,
so I'm not sure what your concern really is.

> so, how can anything dbus be ELIMINATED from the OS?

g1-227(10.0-C)[8] grep dbus /etc/rc.conf*
g1-227(10.0-C)[9]

> ...
> question: how can dbus or dbus-daemon be eliminated from the basic OS
> configuration for a developer workstation?

Well, I believe my laptop is configured in a way that meets the
stated criteria.  (It has a local private mirror of the FreeBSD
src, ports, & doc SVN repositories, and I track stable/9 & head
on it, daily.)  About the only point that comes to mind that I
haven't already pointed out is the addition of a stanza:

Section "ServerFlags"
    Option         "AutoAddDevices" "False"
EndSection

to xorg.conf -- though there are other ways to accomplish that, as
well (IIRC).

Of course, I avoid these fancy "desktop environment" things; the
window manager I use descends rather directly from twm (and looks
like it), but it works for me (even though I know of only 2 other
folks who I have seen use it -- one of whom is my spouse).

Peace,
david
-- 
David H. Wolfskill				david@catwhisker.org
Depriving a girl or boy of an opportunity for education is evil.

See http://www.catwhisker.org/~david/publickey.gpg for my public key.

--J/dobhs11T7y2rNN
Content-Type: application/pgp-signature

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.19 (FreeBSD)

iEYEARECAAYFAlBi8g8ACgkQmprOCmdXAD3dZQCgiMWFJVVgRDfJnPBTFJbt4NZX
B2AAn3eAbw4KSH49p9tpCTh9hu1lkqkj
=1KZu
-----END PGP SIGNATURE-----

--J/dobhs11T7y2rNN--

From owner-freebsd-security@FreeBSD.ORG  Wed Sep 26 13:53:29 2012
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 80C621065677;
	Wed, 26 Sep 2012 13:53:29 +0000 (UTC) (envelope-from jhb@freebsd.org)
Received: from bigwig.baldwin.cx (bigknife-pt.tunnel.tserv9.chi1.ipv6.he.net
	[IPv6:2001:470:1f10:75::2])
	by mx1.freebsd.org (Postfix) with ESMTP id 534748FC25;
	Wed, 26 Sep 2012 13:53:29 +0000 (UTC)
Received: from jhbbsd.localnet (unknown [209.249.190.124])
	by bigwig.baldwin.cx (Postfix) with ESMTPSA id 9B5A0B949;
	Wed, 26 Sep 2012 09:53:28 -0400 (EDT)
From: John Baldwin <jhb@freebsd.org>
To: Mariusz Gromada <mariusz.gromada@gmail.com>
Date: Tue, 25 Sep 2012 17:13:00 -0400
User-Agent: KMail/1.13.5 (FreeBSD/8.2-CBSD-20110714-p20; KDE/4.5.5; amd64; ; )
References: <20120918211422.GA1400@garage.freebsd.pl>
	<CAG5KPzz3ehKm+BN_0MCYfcRFkYxKzFLSTTFEpsJg3kK0BTvChQ@mail.gmail.com>
	<50620E8E.9020501@gmail.com>
In-Reply-To: <50620E8E.9020501@gmail.com>
MIME-Version: 1.0
Content-Type: Text/Plain;
  charset="windows-1252"
Content-Transfer-Encoding: 7bit
Message-Id: <201209251713.00800.jhb@freebsd.org>
X-Greylist: Sender succeeded SMTP AUTH, not delayed by milter-greylist-4.2.7
	(bigwig.baldwin.cx); Wed, 26 Sep 2012 09:53:28 -0400 (EDT)
Cc: Ben Laurie <benl@freebsd.org>, freebsd-security@freebsd.org,
	RW <rwmaillists@googlemail.com>,
	Jonathan Anderson <jonathan.anderson@cl.cam.ac.uk>,
	Pawel Jakub Dawidek <pjd@freebsd.org>
Subject: Re: Collecting entropy from device_attach() times.
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Security issues \[members-only posting\]"
	<freebsd-security.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>, 
	<mailto:freebsd-security-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-security>
List-Post: <mailto:freebsd-security@freebsd.org>
List-Help: <mailto:freebsd-security-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>, 
	<mailto:freebsd-security-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 26 Sep 2012 13:53:29 -0000

On Tuesday, September 25, 2012 4:05:34 pm Mariusz Gromada wrote:
> Our task is to check if there are any autocorrelations in the X(w,t) 
> process, which means checking if there are any dependencies between 
> random variables X(w,t1) and X(w,t2) where t1 < t2.

Just to state an obvious fact (not sure how that impacts your analysis 
though):  There are, of course, many dependencies among device attach routines 
since your total time for the attach routine for a bus is going to include all 
of the time it takes for attach to run on all of the child devices.  That is, 
pci0's attach time includes the attach time of all of its descendant devices, 
and a given leaf node's attach time will be accounted for in the attach time 
of all of its parent nodes up to the root.  For example:

nexus0
  acpi0
    pcib0
      pci0
        ehci0
          usbus0
            uhub0
              uhub3
                uhub4
                  ukbd0

In this portion of my desktop's device tree, all of the devices listed will 
include the time of ukbd0's attach in their respective attach times.

-- 
John Baldwin

From owner-freebsd-security@FreeBSD.ORG  Wed Sep 26 16:54:16 2012
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 9D76E106564A;
	Wed, 26 Sep 2012 16:54:16 +0000 (UTC) (envelope-from des@des.no)
Received: from smtp.des.no (smtp.des.no [194.63.250.102])
	by mx1.freebsd.org (Postfix) with ESMTP id 460618FC08;
	Wed, 26 Sep 2012 16:54:15 +0000 (UTC)
Received: from ds4.des.no (smtp.des.no [194.63.250.102])
	by smtp.des.no (Postfix) with ESMTP id DE242666A;
	Wed, 26 Sep 2012 18:54:07 +0200 (CEST)
Received: by ds4.des.no (Postfix, from userid 1001)
	id 8E28982B3; Wed, 26 Sep 2012 18:54:07 +0200 (CEST)
From: =?utf-8?Q?Dag-Erling_Sm=C3=B8rgrav?= <des@des.no>
To: Ben Laurie <benl@freebsd.org>
References: <20120918211422.GA1400@garage.freebsd.pl>
	<20120919231051.4bc5335b@gumby.homeunix.com>
	<20120920102104.GA1397@garage.freebsd.pl>
	<201209200758.51924.jhb@freebsd.org>
	<20120922080323.GA1454@garage.freebsd.pl>
	<20120922195325.GH1454@garage.freebsd.pl> <505E59DC.7090505@gmail.com>
	<20120923151706.GN1454@garage.freebsd.pl> <5060D723.6020305@gmail.com>
	<CAG5KPzxf0Rfufk5K6Jt4e85xc7zXY_B3a2Sq0Uf_uVLHbV-baw@mail.gmail.com>
	<86r4pqqwnm.fsf@ds4.des.no>
Date: Wed, 26 Sep 2012 18:54:05 +0200
In-Reply-To: <86r4pqqwnm.fsf@ds4.des.no> ("Dag-Erling =?utf-8?Q?Sm=C3=B8rg?=
	=?utf-8?Q?rav=22's?= message of "Tue, 25 Sep 2012 11:28:13 +0200")
Message-ID: <86sja4sp1u.fsf@ds4.des.no>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/23.4 (berkeley-unix)
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
Cc: Jonathan Anderson <jonathan.anderson@cl.cam.ac.uk>,
	Pawel Jakub Dawidek <pjd@freebsd.org>,
	John Baldwin <jhb@freebsd.org>, freebsd-security@freebsd.org,
	RW <rwmaillists@googlemail.com>,
	Mariusz Gromada <mariusz.gromada@gmail.com>
Subject: Re: Collecting entropy from device_attach() times.
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Security issues \[members-only posting\]"
	<freebsd-security.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>, 
	<mailto:freebsd-security-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-security>
List-Post: <mailto:freebsd-security@freebsd.org>
List-Help: <mailto:freebsd-security-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>, 
	<mailto:freebsd-security-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 26 Sep 2012 16:54:16 -0000

Dag-Erling Smørgrav <des@des.no> writes:
> If you give me a couple of days, I'll try to come up with a patch that
> collects and stores attach times during boot so we can gather and
> analyse real data.

Here's the patch, as a superset of Pawel's.  The output looks like this:

des@crashbox ~% sysctl -b hw.attachtimes| hexdump -C
00000000  72 61 6d 30 00 00 00 00  00 00 00 00 00 00 00 00  |ram0............|
00000010  00 00 00 00 00 00 00 00  00 00 00 00 00 01 24 53  |..............$S|
00000020  63 70 75 30 00 00 00 00  00 00 00 00 00 00 00 00  |cpu0............|
00000030  00 00 00 00 00 00 00 00  00 00 00 00 01 4d 6c cb  |.............Ml.|
00000040  63 70 75 31 00 00 00 00  00 00 00 00 00 00 00 00  |cpu1............|
00000050  00 00 00 00 00 00 00 00  00 00 00 00 01 4d da b6  |.............M..|
00000060  61 74 74 69 6d 65 72 30  00 00 00 00 00 00 00 00  |attimer0........|
00000070  00 00 00 00 00 00 00 00  00 00 00 00 04 59 70 8f  |.............Yp.|
[...]

where the first 24 bytes of each record contain the device name
(dev->nameunit) and the last eight bytes contain d(cyclecount) for
device_attach() as a big-endian uint64_t.

DES
-- 
Dag-Erling Smørgrav - des@des.no

Index: sys/dev/random/randomdev_soft.c
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
--- sys/dev/random/randomdev_soft.c	(revision 240914)
+++ sys/dev/random/randomdev_soft.c	(working copy)
@@ -303,7 +303,7 @@
 	KASSERT(origin =3D=3D RANDOM_START || origin =3D=3D RANDOM_WRITE ||
             origin =3D=3D RANDOM_KEYBOARD || origin =3D=3D RANDOM_MOUSE ||
             origin =3D=3D RANDOM_NET || origin =3D=3D RANDOM_INTERRUPT ||
-            origin =3D=3D RANDOM_PURE,
+            origin =3D=3D RANDOM_PURE || origin =3D=3D RANDOM_DEVICE,
 	    ("random_harvest_internal: origin %d invalid\n", origin));
=20
 	/* Lockless read to avoid lock operations if fifo is full. */
Index: sys/sys/random.h
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
--- sys/sys/random.h	(revision 240914)
+++ sys/sys/random.h	(working copy)
@@ -45,6 +45,7 @@
 	RANDOM_NET,
 	RANDOM_INTERRUPT,
 	RANDOM_PURE,
+	RANDOM_DEVICE,
 	ENTROPYSOURCE
 };
 void random_harvest(void *, u_int, u_int, u_int, enum esource);
Index: sys/kern/subr_bus.c
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
--- sys/kern/subr_bus.c	(revision 240914)
+++ sys/kern/subr_bus.c	(working copy)
@@ -31,6 +31,7 @@
=20
 #include <sys/param.h>
 #include <sys/conf.h>
+#include <sys/endian.h>
 #include <sys/filio.h>
 #include <sys/lock.h>
 #include <sys/kernel.h>
@@ -44,6 +45,7 @@
 #include <sys/condvar.h>
 #include <sys/queue.h>
 #include <machine/bus.h>
+#include <sys/random.h>
 #include <sys/rman.h>
 #include <sys/selinfo.h>
 #include <sys/signalvar.h>
@@ -53,6 +55,7 @@
 #include <sys/bus.h>
 #include <sys/interrupt.h>
=20
+#include <machine/cpu.h>
 #include <machine/stdarg.h>
=20
 #include <vm/uma.h>
@@ -60,6 +63,16 @@
 SYSCTL_NODE(_hw, OID_AUTO, bus, CTLFLAG_RW, NULL, NULL);
 SYSCTL_NODE(, OID_AUTO, dev, CTLFLAG_RW, NULL, NULL);
=20
+#define MAXNATTACHTIMES 128
+static struct attachtime {
+	char name[24];
+	uint64_t delta;
+} attachtimes[MAXNATTACHTIMES];
+static int nattachtimes;
+SYSCTL_OPAQUE(_hw, OID_AUTO, attachtimes, CTLFLAG_RD,
+    &attachtimes, sizeof(attachtimes), "S,attachtimes",
+    "time spent in device_attach()");
+
 /*
  * Used to attach drivers to devclasses.
  */
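Review bot: hw.attachtimes is declared CTLFLAG_RD with no further restriction, and the array it exports holds the same deltas that the device_attach() hunk passes to random_harvest() with 4 as the bits argument, so any local user who can read the sysctl knows the inputs that were credited as entropy. That is reasonable for a data-gathering build, but if the table outlives the measurement phase it should sit behind a debug option, or the samples that are exported should not be credited. Since nattachtimes is not exported and the sysctl always returns the full sizeof(attachtimes), a short comment above struct attachtime stating the record layout and that unused slots read as zero would help whoever parses the output.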
@@ -2760,8 +2773,10 @@
 int
 device_attach(device_t dev)
 {
+	uint64_t attachtime;
 	int error;
=20
+	attachtime =3D get_cyclecount();
 	device_sysctl_init(dev);
 	if (!device_is_quiet(dev))
 		device_print_child(dev->parent, dev);
@@ -2784,6 +2799,15 @@
 		dev->state =3D DS_ATTACHED;
 	dev->flags &=3D ~DF_DONENOMATCH;
 	devadded(dev);
+	attachtime =3D get_cyclecount() - attachtime;
+	if (nattachtimes < MAXNATTACHTIMES) {
+		strlcpy(attachtimes[nattachtimes].name, dev->nameunit,
+		    sizeof(attachtimes[nattachtimes]));
+		attachtimes[nattachtimes].delta =3D htobe64(attachtime);
+		++nattachtimes;
+	}
+	random_harvest(&attachtime, sizeof(attachtime), 4, 0, RANDOM_DEVICE);
+
 	return (0);
 }
=20
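Review bot: the size passed to strlcpy() is sizeof(attachtimes[nattachtimes]), which is the whole 32-byte struct rather than the 24-byte name field, so a dev->nameunit of 24 characters or more is copied past name into delta, and the assignment to delta on the following line then overwrites the terminator. Use sizeof(attachtimes[nattachtimes].name). Separately, the bits argument to random_harvest() is a constant 4 whatever the measured value; given the open discussion about how much entropy these timings carry, a comment saying where that figure comes from would be useful.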

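A parser for the record format described in the message above (24-byte name, 8-byte big-endian delta), as an added example that is not part of the original post or of the patch. The sample bytes are constructed from the four records visible in the hexdump; the function names are hypothetical.

```python
import struct
import sys

# Record layout stated in the message: 24-byte device name (dev->nameunit),
# then d(cyclecount) as a big-endian uint64_t. ">" also disables padding.
RECORD = struct.Struct(">24sQ")

# Constructed sample: the four records visible in the hexdump above, plus one
# zeroed record standing in for the unused tail of the fixed-size array
# (the sysctl exports sizeof(attachtimes), i.e. all MAXNATTACHTIMES slots).
SAMPLE = b"".join(
    name.ljust(24, b"\0") + bytes.fromhex(delta)
    for name, delta in [
        (b"ram0", "0000000000012453"),
        (b"cpu0", "00000000014d6ccb"),
        (b"cpu1", "00000000014ddab6"),
        (b"attimer0", "000000000459708f"),
    ]
) + bytes(RECORD.size)


def parse_attachtimes(blob):
    """Return [(name, delta), ...] for every used record in the dump."""
    if len(blob) % RECORD.size:
        raise ValueError(
            "dump is %d bytes, not a multiple of %d" % (len(blob), RECORD.size)
        )
    records = []
    for raw_name, delta in RECORD.iter_unpack(blob):
        if not any(raw_name) and delta == 0:
            continue  # slot never written
        # A name that fills all 24 bytes has no terminator; split() copes.
        name = raw_name.split(b"\0", 1)[0].decode("ascii", "replace")
        records.append((name, delta))
    return records


def summarize(records):
    """Attach each delta's bit length and sort slowest-first."""
    rows = [(name, delta, delta.bit_length()) for name, delta in records]
    return sorted(rows, key=lambda r: r[1], reverse=True)


if __name__ == "__main__":
    # Usage: sysctl -b hw.attachtimes | python3 attachtimes.py
    blob = SAMPLE if sys.stdin.isatty() else sys.stdin.buffer.read()
    for name, delta, bits in summarize(parse_attachtimes(blob)):
        print("%-24s %20d  %2d bits" % (name, delta, bits))
```
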
From owner-freebsd-security@FreeBSD.ORG  Thu Sep 27 09:49:52 2012
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52])
	by hub.freebsd.org (Postfix) with ESMTP id 7E255106566B
	for <freebsd-security@freebsd.org>;
	Thu, 27 Sep 2012 09:49:52 +0000 (UTC) (envelope-from des@des.no)
Received: from smtp.des.no (smtp.des.no [194.63.250.102])
	by mx1.freebsd.org (Postfix) with ESMTP id 3F2758FC08
	for <freebsd-security@freebsd.org>;
	Thu, 27 Sep 2012 09:49:52 +0000 (UTC)
Received: from ds4.des.no (smtp.des.no [194.63.250.102])
	by smtp.des.no (Postfix) with ESMTP id 2843D68E1;
	Thu, 27 Sep 2012 11:49:51 +0200 (CEST)
Received: by ds4.des.no (Postfix, from userid 1001)
	id E2096837F; Thu, 27 Sep 2012 11:49:50 +0200 (CEST)
From: =?utf-8?Q?Dag-Erling_Sm=C3=B8rgrav?= <des@des.no>
To: RW <rwmaillists@googlemail.com>
References: <20120918211422.GA1400@garage.freebsd.pl>
	<20120919192836.3a60cdfd@gumby.homeunix.com>
Date: Thu, 27 Sep 2012 11:49:49 +0200
In-Reply-To: <20120919192836.3a60cdfd@gumby.homeunix.com> (RW's message of
	"Wed, 19 Sep 2012 19:28:36 +0100")
Message-ID: <863923pzgi.fsf@ds4.des.no>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/23.4 (berkeley-unix)
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
Cc: freebsd-security@freebsd.org
Subject: Re: Collecting entropy from device_attach() times.
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Security issues \[members-only posting\]"
	<freebsd-security.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>, 
	<mailto:freebsd-security-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-security>
List-Post: <mailto:freebsd-security@freebsd.org>
List-Help: <mailto:freebsd-security-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>, 
	<mailto:freebsd-security-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Thu, 27 Sep 2012 09:49:52 -0000

RW <rwmaillists@googlemail.com> writes:
> "Dag-Erling Smørgrav" <des@des.no> writes:
> > You can't rely on the existence of a TSC.  I would suggest using the
> > fractional part of binuptime instead.
> get_cyclecount() is supposed to be platform independent and should
> fall-back to nanotime(9) if TSC or equivalent is absent.

I just thought of another issue with get_cyclecount().

On machines with TSCs, its resolution varies with the CPU's speed
(nominal or actual, depending on the exact model).  This means that
attachtime measurements have far lower resolution and therefore less
entropy on slow machines than on fast ones.

This doesn't mean we can't use get_cyclecount(), just that we shouldn't
base our entropy estimates on data gathered on a fast system.

DES
-- 
Dag-Erling Smørgrav - des@des.no

From owner-freebsd-security@FreeBSD.ORG  Thu Sep 27 09:56:30 2012
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id C69AB1065673
	for <freebsd-security@freebsd.org>;
	Thu, 27 Sep 2012 09:56:30 +0000 (UTC)
	(envelope-from benlaurie@gmail.com)
Received: from mail-vb0-f54.google.com (mail-vb0-f54.google.com
	[209.85.212.54])
	by mx1.freebsd.org (Postfix) with ESMTP id 765658FC20
	for <freebsd-security@freebsd.org>;
	Thu, 27 Sep 2012 09:56:30 +0000 (UTC)
Received: by vbmv11 with SMTP id v11so2231614vbm.13
	for <freebsd-security@freebsd.org>;
	Thu, 27 Sep 2012 02:56:24 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.52.37.100 with SMTP id x4mr1578611vdj.56.1348739784576; Thu,
	27 Sep 2012 02:56:24 -0700 (PDT)
Sender: benlaurie@gmail.com
Received: by 10.58.79.243 with HTTP; Thu, 27 Sep 2012 02:56:24 -0700 (PDT)
In-Reply-To: <863923pzgi.fsf@ds4.des.no>
References: <20120918211422.GA1400@garage.freebsd.pl>
	<20120919192836.3a60cdfd@gumby.homeunix.com>
	<863923pzgi.fsf@ds4.des.no>
Date: Thu, 27 Sep 2012 10:56:24 +0100
X-Google-Sender-Auth: 5AGXvhMgVr9_lG46xnGzgoSySFM
Message-ID: <CAG5KPzwhq4UzPxbx74vX5KKtqC4tWkTsKAHjGDsdD8MqJVVkRg@mail.gmail.com>
From: Ben Laurie <benl@freebsd.org>
To: =?ISO-8859-1?Q?Dag=2DErling_Sm=F8rgrav?= <des@des.no>
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
Cc: freebsd-security@freebsd.org, RW <rwmaillists@googlemail.com>
Subject: Re: Collecting entropy from device_attach() times.
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Security issues \[members-only posting\]"
	<freebsd-security.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>, 
	<mailto:freebsd-security-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-security>
List-Post: <mailto:freebsd-security@freebsd.org>
List-Help: <mailto:freebsd-security-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>, 
	<mailto:freebsd-security-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Thu, 27 Sep 2012 09:56:30 -0000

On Thu, Sep 27, 2012 at 10:49 AM, Dag-Erling Smørgrav <des@des.no> wrote:
> RW <rwmaillists@googlemail.com> writes:
>> "Dag-Erling Smørgrav" <des@des.no> writes:
>> > You can't rely on the existence of a TSC.  I would suggest using the
>> > fractional part of binuptime instead.
>> get_cyclecount() is supposed to be platform independent and should
>> fall-back to nanotime(9) if TSC or equivalent is absent.
>
> I just thought of another issue with get_cyclecount().
>
> On machines with TSCs, its resolution varies with the CPU's speed
> (nominal or actual, depending on the exact model).  This means that
> attachtime measurements have far lower resolution and therefore less
> entropy on slow machines than on fast ones.
>
> This doesn't mean we can't use get_cyclecount(), just that we shouldn't
> base our entropy estimates on data gathered on a fast system.

We should certainly see how things look on slow systems, but note that
if the resolution is lower, then the measurements will also be smaller
(assuming attachment takes similar time), and so we will claim less
entropy anyway :-)

From owner-freebsd-security@FreeBSD.ORG  Thu Sep 27 10:15:22 2012
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52])
	by hub.freebsd.org (Postfix) with ESMTP id 504E4106566C;
	Thu, 27 Sep 2012 10:15:22 +0000 (UTC) (envelope-from des@des.no)
Received: from smtp.des.no (smtp.des.no [194.63.250.102])
	by mx1.freebsd.org (Postfix) with ESMTP id BF8758FC0A;
	Thu, 27 Sep 2012 10:15:21 +0000 (UTC)
Received: from ds4.des.no (smtp.des.no [194.63.250.102])
	by smtp.des.no (Postfix) with ESMTP id E303968ED;
	Thu, 27 Sep 2012 12:15:20 +0200 (CEST)
Received: by ds4.des.no (Postfix, from userid 1001)
	id 993968386; Thu, 27 Sep 2012 12:15:20 +0200 (CEST)
From: =?utf-8?Q?Dag-Erling_Sm=C3=B8rgrav?= <des@des.no>
To: Ben Laurie <benl@freebsd.org>
References: <20120918211422.GA1400@garage.freebsd.pl>
	<20120919192836.3a60cdfd@gumby.homeunix.com>
	<863923pzgi.fsf@ds4.des.no>
	<CAG5KPzwhq4UzPxbx74vX5KKtqC4tWkTsKAHjGDsdD8MqJVVkRg@mail.gmail.com>
Date: Thu, 27 Sep 2012 12:15:20 +0200
In-Reply-To: <CAG5KPzwhq4UzPxbx74vX5KKtqC4tWkTsKAHjGDsdD8MqJVVkRg@mail.gmail.com>
	(Ben Laurie's message of "Thu, 27 Sep 2012 10:56:24 +0100")
Message-ID: <86y5jvojpj.fsf@ds4.des.no>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/23.4 (berkeley-unix)
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
Cc: freebsd-security@freebsd.org, RW <rwmaillists@googlemail.com>
Subject: Re: Collecting entropy from device_attach() times.
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Security issues \[members-only posting\]"
	<freebsd-security.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>, 
	<mailto:freebsd-security-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-security>
List-Post: <mailto:freebsd-security@freebsd.org>
List-Help: <mailto:freebsd-security-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>, 
	<mailto:freebsd-security-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Thu, 27 Sep 2012 10:15:22 -0000

Ben Laurie <benl@freebsd.org> writes:
> We should certainly see how things look on slow systems, but note that
> if the resolution is lower, then the measurements will also be smaller
> (assuming attachment takes similar time), and so we will claim less
> entropy anyway :-)

Ah, I forgot about Pawel's flsl() trick.  You're right.

DES
-- 
Dag-Erling Smørgrav - des@des.no

From owner-freebsd-security@FreeBSD.ORG  Thu Sep 27 12:00:18 2012
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52])
	by hub.freebsd.org (Postfix) with ESMTP id E5E541065670
	for <freebsd-security@freebsd.org>;
	Thu, 27 Sep 2012 12:00:18 +0000 (UTC)
	(envelope-from rwmaillists@googlemail.com)
Received: from mail-ey0-f182.google.com (mail-ey0-f182.google.com
	[209.85.215.182])
	by mx1.freebsd.org (Postfix) with ESMTP id 4BDA58FC0C
	for <freebsd-security@freebsd.org>;
	Thu, 27 Sep 2012 12:00:03 +0000 (UTC)
Received: by eaac10 with SMTP id c10so667285eaa.13
	for <freebsd-security@freebsd.org>;
	Thu, 27 Sep 2012 05:00:02 -0700 (PDT)
Received: by 10.14.211.3 with SMTP id v3mr5492112eeo.43.1348747202376;
	Thu, 27 Sep 2012 05:00:02 -0700 (PDT)
Received: from gumby.homeunix.com (87-194-105-247.bethere.co.uk.
	[87.194.105.247])
	by mx.google.com with ESMTPS id u47sm17114012eeo.9.2012.09.27.04.59.59
	(version=SSLv3 cipher=OTHER); Thu, 27 Sep 2012 05:00:00 -0700 (PDT)
Date: Thu, 27 Sep 2012 12:59:56 +0100
From: RW <rwmaillists@googlemail.com>
To: freebsd-security@freebsd.org
Message-ID: <20120927125956.0594fa73@gumby.homeunix.com>
In-Reply-To: <CAG5KPzwhq4UzPxbx74vX5KKtqC4tWkTsKAHjGDsdD8MqJVVkRg@mail.gmail.com>
References: <20120918211422.GA1400@garage.freebsd.pl>
	<20120919192836.3a60cdfd@gumby.homeunix.com>
	<863923pzgi.fsf@ds4.des.no>
	<CAG5KPzwhq4UzPxbx74vX5KKtqC4tWkTsKAHjGDsdD8MqJVVkRg@mail.gmail.com>
X-Mailer: Claws Mail 3.8.1 (GTK+ 2.24.6; amd64-portbld-freebsd8.3)
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
Subject: Re: Collecting entropy from device_attach() times.
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Security issues \[members-only posting\]"
	<freebsd-security.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>, 
	<mailto:freebsd-security-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-security>
List-Post: <mailto:freebsd-security@freebsd.org>
List-Help: <mailto:freebsd-security-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>, 
	<mailto:freebsd-security-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Thu, 27 Sep 2012 12:00:19 -0000

On Thu, 27 Sep 2012 10:56:24 +0100
Ben Laurie wrote:

> On Thu, Sep 27, 2012 at 10:49 AM, Dag-Erling Smørgrav <des@des.no>
> wrote:
> > RW <rwmaillists@googlemail.com> writes:
> >> "Dag-Erling Smørgrav" <des@des.no> writes:
> >> > You can't rely on the existence of a TSC.  I would suggest using
> >> > the fractional part of binuptime instead.
> >> get_cyclecount() is supposed to be platform independent and should
> >> fall-back to nanotime(9) if TSC or equivalent is absent.
> >
> > I just thought of another issue with get_cyclecount().
> >
> > On machines with TSCs, its resolution varies with the CPU's speed
> > (nominal or actual, depending on the exact model).  This means that
> > attachtime measurements have far lower resolution and therefore less
> > entropy on slow machines than on fast ones.
> >
> > This doesn't mean we can't use get_cyclecount(), just that we
> > shouldn't base our entropy estimates on data gathered on a fast
> > system.
>
> We should certainly see how things look on slow systems, but note that
> if the resolution is lower, then the measurements will also be smaller
> (assuming attachment takes similar time), and so we will claim less
> entropy anyway :-)

That doesn't help if the system uses binuptime(), e.g. on arm

static __inline uint64_t
get_cyclecount(void)
{
        struct bintime bt;

        binuptime(&bt);
        return (bt.frac ^ bt.sec);
}

In this case it will appear to be an 18 EHz counter.
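
The resolution argument in the last three messages, modelled as an added example that is not part of any poster's message. It assumes a magnitude-based estimate equal to the bit length of the delta (the value flsl() would report; the formula in Pawel's patch is not reproduced in this part of the thread), and the timer rates, start time and 10 microsecond uncertainty window are constructed.

```python
NS = 10**9
MASK64 = (1 << 64) - 1


def tsc_cyclecount(t_ns, hz):
    """Cycle counter running at hz (TSC-style get_cyclecount())."""
    return (t_ns * hz // NS) & MASK64


def bintime_cyclecount(t_ns, timer_hz):
    """The fallback quoted above: bt.frac ^ bt.sec.

    timer_hz is the rate of the hardware timer behind binuptime() (an
    assumed parameter); frac is that tick count rescaled to 1/2**64 s.
    """
    ticks = t_ns * timer_hz // NS
    sec, rem = divmod(ticks, timer_hz)
    frac = (rem << 64) // timer_hz
    return (frac ^ sec) & MASK64


def profile(counter, rate, start_ns, durations_ns):
    """Return (largest bit length, number of distinct deltas) over the runs."""
    deltas = [
        (counter(start_ns + d, rate) - counter(start_ns, rate)) & MASK64
        for d in durations_ns
    ]
    return max(x.bit_length() for x in deltas), len(set(deltas))


# Constructed workload: one attach starting at uptime 5 s whose duration is
# unknown to the attacker within 1.000 ms .. 1.010 ms, in 100 ns steps.
START_NS = 5 * NS
DURATIONS_NS = [1_000_000 + 100 * k for k in range(101)]

CASES = {
    "TSC 3 GHz": (tsc_cyclecount, 3_000_000_000),
    "TSC 300 MHz": (tsc_cyclecount, 300_000_000),
    "binuptime, 1 MHz timer": (bintime_cyclecount, 1_000_000),
}


def run_cases():
    """Map each case label to (magnitude in bits, distinct delta count)."""
    return {
        label: profile(fn, rate, START_NS, DURATIONS_NS)
        for label, (fn, rate) in CASES.items()
    }


if __name__ == "__main__":
    for label, (bits, distinct) in run_cases().items():
        print("%-24s magnitude %2d bits, %3d distinct deltas"
              % (label, bits, distinct))
```

With a cycle counter the magnitude shrinks as the clock slows, but with the frac-based fallback the delta is 55 bits wide while only 11 distinct values are possible, so a magnitude-based estimate overstates what the timer can actually resolve.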

From owner-freebsd-security@FreeBSD.ORG  Thu Sep 27 14:34:24 2012
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 888A0106566C
	for <freebsd-security@freebsd.org>;
	Thu, 27 Sep 2012 14:34:24 +0000 (UTC) (envelope-from des@des.no)
Received: from smtp.des.no (smtp.des.no [194.63.250.102])
	by mx1.freebsd.org (Postfix) with ESMTP id 47C908FC15
	for <freebsd-security@freebsd.org>;
	Thu, 27 Sep 2012 14:34:24 +0000 (UTC)
Received: from ds4.des.no (smtp.des.no [194.63.250.102])
	by smtp.des.no (Postfix) with ESMTP id 81A0D6977;
	Thu, 27 Sep 2012 16:34:23 +0200 (CEST)
Received: by ds4.des.no (Postfix, from userid 1001)
	id 591F48408; Thu, 27 Sep 2012 16:34:23 +0200 (CEST)
From: =?utf-8?Q?Dag-Erling_Sm=C3=B8rgrav?= <des@des.no>
To: RW <rwmaillists@googlemail.com>
References: <20120918211422.GA1400@garage.freebsd.pl>
	<20120919192836.3a60cdfd@gumby.homeunix.com>
	<863923pzgi.fsf@ds4.des.no>
	<CAG5KPzwhq4UzPxbx74vX5KKtqC4tWkTsKAHjGDsdD8MqJVVkRg@mail.gmail.com>
	<20120927125956.0594fa73@gumby.homeunix.com>
Date: Thu, 27 Sep 2012 16:34:23 +0200
In-Reply-To: <20120927125956.0594fa73@gumby.homeunix.com> (RW's message of
	"Thu, 27 Sep 2012 12:59:56 +0100")
Message-ID: <86pq57o7ps.fsf@ds4.des.no>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/23.4 (berkeley-unix)
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
Cc: freebsd-security@freebsd.org
Subject: Re: Collecting entropy from device_attach() times.
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Security issues \[members-only posting\]"
	<freebsd-security.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>, 
	<mailto:freebsd-security-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-security>
List-Post: <mailto:freebsd-security@freebsd.org>
List-Help: <mailto:freebsd-security-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>, 
	<mailto:freebsd-security-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Thu, 27 Sep 2012 14:34:24 -0000

RW <rwmaillists@googlemail.com> writes:
> static __inline uint64_t
> get_cyclecount(void)
> {
>         struct bintime bt;
>
>         binuptime(&bt);
>         return (bt.frac ^ bt.sec);
>
> }

Why the heck does it xor the integer and fractional parts together?
That makes no sense at all.  I would have used ((uint64_t)bt.sec << 32 |
bt.frac >> 32).  It wraps around after 136 years' uptime, but hey, you
can't win them all.

DES
-- 
Dag-Erling Smørgrav - des@des.no

From owner-freebsd-security@FreeBSD.ORG  Thu Sep 27 15:25:30 2012
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id CCE94106566C
	for <freebsd-security@freebsd.org>;
	Thu, 27 Sep 2012 15:25:30 +0000 (UTC)
	(envelope-from simon@qxnitro.org)
Received: from mail-ie0-f182.google.com (mail-ie0-f182.google.com
	[209.85.223.182])
	by mx1.freebsd.org (Postfix) with ESMTP id 8A4868FC0C
	for <freebsd-security@freebsd.org>;
	Thu, 27 Sep 2012 15:25:30 +0000 (UTC)
Received: by ieak10 with SMTP id k10so6601545iea.13
	for <freebsd-security@freebsd.org>;
	Thu, 27 Sep 2012 08:25:29 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.50.160.228 with SMTP id xn4mr1948148igb.1.1348759529690; Thu,
	27 Sep 2012 08:25:29 -0700 (PDT)
Sender: simon@qxnitro.org
Received: by 10.64.51.40 with HTTP; Thu, 27 Sep 2012 08:25:29 -0700 (PDT)
X-Originating-IP: [2620:0:1040:201:1990:a69e:c95:8fc7]
In-Reply-To: <50619E5D.3010503@FreeBSD.org>
References: <50619E5D.3010503@FreeBSD.org>
Date: Thu, 27 Sep 2012 16:25:29 +0100
X-Google-Sender-Auth: -kWnsa66YsL_4Zx8vR5AUYAoBVk
Message-ID: <CAC8HS2G84_t5G0KrwEhkwhfRWY+6Cck8vQYRJnv3vQOsBPPD_g@mail.gmail.com>
From: "Simon L. B. Nielsen" <simon@FreeBSD.org>
To: Andrey Zonov <zont@freebsd.org>
Content-Type: text/plain; charset=UTF-8
X-Gm-Message-State: ALoCoQll6fdoEHLfOu7CH0GRrqE0R/+aviT15txtV160e4csw1zW9GaWAy2sRoZnGu9uLkvq8USL
Cc: freebsd-security@freebsd.org
Subject: Re: [patch] unprivileged mlock(2)
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Security issues \[members-only posting\]"
	<freebsd-security.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>, 
	<mailto:freebsd-security-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-security>
List-Post: <mailto:freebsd-security@freebsd.org>
List-Help: <mailto:freebsd-security-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>, 
	<mailto:freebsd-security-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Thu, 27 Sep 2012 15:25:30 -0000

On Tue, Sep 25, 2012 at 1:06 PM, Andrey Zonov <zont@freebsd.org> wrote:
> Hi,
>
> Please review this patch [1] which allows unprivileged users to call
> mlock()/munlock() and mlockall()/munlockall().
>
> AFAIK, these calls were not allowed for everyone because accounting for
> mlockall(MCL_FUTURE) was not implemented.

I can't comment on the implementation details (don't know much about
VM system), but do you have tests to show that the new code actually
works in preventing users from mlocking more than 8MB by default?

-- 
Simon L. B. Nielsen

From owner-freebsd-security@FreeBSD.ORG  Thu Sep 27 21:35:55 2012
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52])
	by hub.freebsd.org (Postfix) with ESMTP id B1588106566B
	for <freebsd-security@freebsd.org>;
	Thu, 27 Sep 2012 21:35:55 +0000 (UTC)
	(envelope-from brde@optusnet.com.au)
Received: from mail28.syd.optusnet.com.au (mail28.syd.optusnet.com.au
	[211.29.133.169])
	by mx1.freebsd.org (Postfix) with ESMTP id 46AE38FC08
	for <freebsd-security@freebsd.org>;
	Thu, 27 Sep 2012 21:35:54 +0000 (UTC)
Received: from c122-106-157-84.carlnfd1.nsw.optusnet.com.au
	(c122-106-157-84.carlnfd1.nsw.optusnet.com.au [122.106.157.84])
	by mail28.syd.optusnet.com.au (8.13.1/8.13.1) with ESMTP id
	q8RLZg8s029563
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO);
	Fri, 28 Sep 2012 07:35:44 +1000
Date: Fri, 28 Sep 2012 07:35:42 +1000 (EST)
From: Bruce Evans <brde@optusnet.com.au>
X-X-Sender: bde@besplex.bde.org
To: =?utf-8?Q?Dag-Erling_Sm=C3=B8rgrav?= <des@des.no>
In-Reply-To: <86pq57o7ps.fsf@ds4.des.no>
Message-ID: <20120928062245.K4426@besplex.bde.org>
References: <20120918211422.GA1400@garage.freebsd.pl>
	<20120919192836.3a60cdfd@gumby.homeunix.com>
	<863923pzgi.fsf@ds4.des.no>
	<CAG5KPzwhq4UzPxbx74vX5KKtqC4tWkTsKAHjGDsdD8MqJVVkRg@mail.gmail.com>
	<20120927125956.0594fa73@gumby.homeunix.com>
	<86pq57o7ps.fsf@ds4.des.no>
MIME-Version: 1.0
Content-Type: MULTIPART/MIXED; BOUNDARY="0-1627825555-1348781742=:4426"
Cc: freebsd-security@freebsd.org, RW <rwmaillists@googlemail.com>
Subject: Re: Collecting entropy from device_attach() times.
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Security issues \[members-only posting\]"
	<freebsd-security.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>, 
	<mailto:freebsd-security-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-security>
List-Post: <mailto:freebsd-security@freebsd.org>
List-Help: <mailto:freebsd-security-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>, 
	<mailto:freebsd-security-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Thu, 27 Sep 2012 21:35:55 -0000

  This message is in MIME format.  The first part should be readable text,
  while the remaining parts are likely unreadable without MIME-aware tools.

--0-1627825555-1348781742=:4426
Content-Type: TEXT/PLAIN; charset=X-UNKNOWN; format=flowed
Content-Transfer-Encoding: QUOTED-PRINTABLE

On Thu, 27 Sep 2012, Dag-Erling Smørgrav wrote:

> RW <rwmaillists@googlemail.com> writes:
>> static __inline uint64_t
>> get_cyclecount(void)
>> {
>>         struct bintime bt;
>>
>>         binuptime(&bt);
>>         return (bt.frac ^ bt.sec);
>>
>> }
>
> Why the heck does it xor the integer and fractional parts together?
> That makes no sense at all.  I would have used ((uint64_t)bt.sec << 32 |
> bt.frac >> 32).  It wraps around after 136 years' uptime, but hey, you
> can't win them all.

Because most of the entropy is in the fractional part, and most of it
may be in the low 32 bits that you want to discard.  Even if the
hardware timecounter has a low frequency, ntp adjustments at a very
low rate would put more entropy in the low bits than the high bits.
Scaling of the hardware timecounter will probably also make the low
bits nonzero, but its rate probably won't be so low as to not stir
all of the available entropy into the high bits.

While booting, the seconds part will only change a few times, so the
entropy in it is especially low, but your way reserves 32 bits for it.

Low-end systems with no hardware cycle counters may be so slow to boot
that binuptime() gives as much entropy as a faster system
using a hardware cycle counter.  Calling binuptime() a lot is a good
way to keep them slow.

The above is missing the pessimizations and entropy differences that i386
has.  i386 get_cyclecount() used to return rdtsc() if (tsc_present),
with all calls inline.  Otherwise, it used binuptime() and xor as above.
Now it calls the generic cpu_ticks(), which is non-inline and further
pessimized using function pointers and other methods (cpu_ticks is a
function pointer ...).  The entropy differences are that cpu_ticks is
not affected by ntp even when it is based on a timecounter.  ntp won't
be running at boot time, and later some of the entropy changes that it
makes are negative, since it is trying to sync with the predictable real
time.  bt.bt_^H^H^Hsec is also very predictable.

Bruce
--0-1627825555-1348781742=:4426--

From owner-freebsd-security@FreeBSD.ORG  Thu Sep 27 22:10:23 2012
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 1A85D1065675
	for <freebsd-security@freebsd.org>;
	Thu, 27 Sep 2012 22:10:23 +0000 (UTC) (envelope-from des@des.no)
Received: from smtp.des.no (smtp.des.no [194.63.250.102])
	by mx1.freebsd.org (Postfix) with ESMTP id CCCEF8FC1F
	for <freebsd-security@freebsd.org>;
	Thu, 27 Sep 2012 22:10:22 +0000 (UTC)
Received: from ds4.des.no (smtp.des.no [194.63.250.102])
	by smtp.des.no (Postfix) with ESMTP id 7B5086AE5;
	Fri, 28 Sep 2012 00:10:16 +0200 (CEST)
Received: by ds4.des.no (Postfix, from userid 1001)
	id 4E9A98473; Fri, 28 Sep 2012 00:10:16 +0200 (CEST)
From: =?utf-8?Q?Dag-Erling_Sm=C3=B8rgrav?= <des@des.no>
To: Bruce Evans <brde@optusnet.com.au>
References: <20120918211422.GA1400@garage.freebsd.pl>
	<20120919192836.3a60cdfd@gumby.homeunix.com>
	<863923pzgi.fsf@ds4.des.no>
	<CAG5KPzwhq4UzPxbx74vX5KKtqC4tWkTsKAHjGDsdD8MqJVVkRg@mail.gmail.com>
	<20120927125956.0594fa73@gumby.homeunix.com>
	<86pq57o7ps.fsf@ds4.des.no> <20120928062245.K4426@besplex.bde.org>
Date: Fri, 28 Sep 2012 00:10:15 +0200
In-Reply-To: <20120928062245.K4426@besplex.bde.org> (Bruce Evans's message of
	"Fri, 28 Sep 2012 07:35:42 +1000 (EST)")
Message-ID: <86fw63w20o.fsf@ds4.des.no>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/23.4 (berkeley-unix)
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
Cc: freebsd-security@freebsd.org, RW <rwmaillists@googlemail.com>
Subject: Re: Collecting entropy from device_attach() times.
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Security issues \[members-only posting\]"
	<freebsd-security.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>, 
	<mailto:freebsd-security-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-security>
List-Post: <mailto:freebsd-security@freebsd.org>
List-Help: <mailto:freebsd-security-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>, 
	<mailto:freebsd-security-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Thu, 27 Sep 2012 22:10:23 -0000

Bruce Evans <brde@optusnet.com.au> writes:
> "Dag-Erling Smørgrav" <des@des.no> writes:
> > RW <rwmaillists@googlemail.com> writes:
> > > binuptime(&bt);
> > > return (bt.frac ^ bt.sec);
> > Why the heck does it xor the integer and fractional parts together?
> Because most of the entropy is in the fractional part,

This is not about entropy, it's about implementing get_cyclecount() on a
platform that doesn't have a TSC.  It's supposed to be monotonic, and
this implementation clearly isn't.  Even when bt.sec is small enough
that it doesn't affect significant digits of bt.frac (which should be
most of the time, unless the resolution of the underlying timecounter
exceeds ~2^32 Hz), get_cyclecount() will go backward every time a new
second ticks over.

DES
-- 
Dag-Erling Smørgrav - des@des.no
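
The two positions argued in the messages above (DES: the xor fallback is not monotonic; Bruce Evans: the shift packing throws away the low fraction bits) can be checked with a small userland model. This is an added example, not code from the thread or from FreeBSD; struct bintime_model, the helper names and the 1024 Hz timecounter are assumptions chosen for the illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Userland stand-in (assumed name) for the kernel's struct bintime:
 * sec is whole seconds, frac is the fraction in units of 2^-64 s. */
struct bintime_model {
	int64_t  sec;
	uint64_t frac;
};

typedef uint64_t (*counter_fn)(const struct bintime_model *);

/* The fallback quoted in the thread: fraction xor seconds. */
static uint64_t
cyclecount_xor(const struct bintime_model *bt)
{
	return (bt->frac ^ (uint64_t)bt->sec);
}

/* The packing DES suggests: 32 bits of seconds, top 32 bits of fraction. */
static uint64_t
cyclecount_packed(const struct bintime_model *bt)
{
	return (((uint64_t)bt->sec << 32) | (bt->frac >> 32));
}

/* Advance by one timecounter tick, carrying fraction overflow into sec. */
static void
bintime_tick(struct bintime_model *bt, uint64_t scale)
{
	uint64_t old = bt->frac;

	bt->frac += scale;
	if (bt->frac < old)
		bt->sec++;
}

/* Run nticks ticks of an hz timecounter from uptime 0 and count how often
 * the derived counter is lower than its previous reading. */
static unsigned
count_regressions(counter_fn fn, uint64_t hz, unsigned nticks)
{
	struct bintime_model bt = { 0, 0 };
	uint64_t scale = (((uint64_t)1 << 63) / hz) * 2;  /* 2^64 / hz */
	uint64_t prev = fn(&bt), cur;
	unsigned i, regressions = 0;

	for (i = 0; i < nticks; i++) {
		bintime_tick(&bt, scale);
		cur = fn(&bt);
		if (cur < prev)
			regressions++;
		prev = cur;
	}
	return (regressions);
}

/* Two constructed readings in the same second that differ only in the
 * low 32 bits of frac: does the counter still tell them apart? */
static int
low_bits_survive(counter_fn fn)
{
	struct bintime_model a = { 1, 0x0000000100000005ULL };
	struct bintime_model b = { 1, 0x00000001000000ffULL };

	return (fn(&a) != fn(&b));
}

/* Uptime in years before a 32-bit seconds field wraps. */
static double
packed_wrap_years(void)
{
	return ((double)((uint64_t)1 << 32) / (365.25 * 86400.0));
}

int
main(void)
{
	/* 4096 ticks at 1024 Hz is four seconds of uptime. */
	printf("xor:    %u regressions, low bits kept: %d\n",
	    count_regressions(cyclecount_xor, 1024, 4096),
	    low_bits_survive(cyclecount_xor));
	printf("packed: %u regressions, low bits kept: %d\n",
	    count_regressions(cyclecount_packed, 1024, 4096),
	    low_bits_survive(cyclecount_packed));
	printf("packed form wraps after %.1f years\n", packed_wrap_years());
	return (0);
}
```

In this model the xor form steps backward once per second boundary but keeps every fraction bit, while the packed form never steps backward and cannot distinguish readings closer together than 2^-32 s.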

From owner-freebsd-security@FreeBSD.ORG  Thu Sep 27 23:30:53 2012
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52])
	by hub.freebsd.org (Postfix) with ESMTP id 88FD5106566C;
	Thu, 27 Sep 2012 23:30:53 +0000 (UTC) (envelope-from des@des.no)
Received: from smtp.des.no (smtp.des.no [194.63.250.102])
	by mx1.freebsd.org (Postfix) with ESMTP id 400B88FC0A;
	Thu, 27 Sep 2012 23:30:53 +0000 (UTC)
Received: from ds4.des.no (smtp.des.no [194.63.250.102])
	by smtp.des.no (Postfix) with ESMTP id 03CB56B14;
	Fri, 28 Sep 2012 01:30:52 +0200 (CEST)
Received: by ds4.des.no (Postfix, from userid 1001)
	id A0FA38489; Fri, 28 Sep 2012 01:30:51 +0200 (CEST)
From: =?utf-8?Q?Dag-Erling_Sm=C3=B8rgrav?= <des@des.no>
To: Pawel Jakub Dawidek <pjd@FreeBSD.org>
References: <20120919231051.4bc5335b@gumby.homeunix.com>
	<20120920102104.GA1397@garage.freebsd.pl>
	<201209200758.51924.jhb@freebsd.org>
	<20120922080323.GA1454@garage.freebsd.pl>
	<20120922195325.GH1454@garage.freebsd.pl> <505E59DC.7090505@gmail.com>
	<20120923151706.GN1454@garage.freebsd.pl> <5060D723.6020305@gmail.com>
	<CAG5KPzxf0Rfufk5K6Jt4e85xc7zXY_B3a2Sq0Uf_uVLHbV-baw@mail.gmail.com>
	<86r4pqqwnm.fsf@ds4.des.no> <20120925102240.GC1571@garage.freebsd.pl>
	<86mx0eqsgy.fsf@ds4.des.no>
Date: Fri, 28 Sep 2012 01:30:50 +0200
In-Reply-To: <86mx0eqsgy.fsf@ds4.des.no> ("Dag-Erling =?utf-8?Q?Sm=C3=B8rg?=
	=?utf-8?Q?rav=22's?= message of "Tue, 25 Sep 2012 12:58:37 +0200")
Message-ID: <86bogrvyad.fsf@ds4.des.no>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/23.4 (berkeley-unix)
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
Cc: Jonathan Anderson <jonathan.anderson@cl.cam.ac.uk>,
	John Baldwin <jhb@freebsd.org>, Ben Laurie <benl@freebsd.org>,
	freebsd-security@freebsd.org, RW <rwmaillists@googlemail.com>,
	Mariusz Gromada <mariusz.gromada@gmail.com>
Subject: Re: Collecting entropy from device_attach() times.
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Security issues \[members-only posting\]"
	<freebsd-security.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>, 
	<mailto:freebsd-security-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-security>
List-Post: <mailto:freebsd-security@freebsd.org>
List-Help: <mailto:freebsd-security-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>, 
	<mailto:freebsd-security-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Thu, 27 Sep 2012 23:30:53 -0000

I now have two EPIAs, a laptop and a VirtualBox VM gathering data using
this patch:

  http://people.freebsd.org/~des/software/attachtimes.diff

If you want to join in, here's how to prepare a USB stick:

  fetch http://people.freebsd.org/~des/software/attachtimes.tgz
  dd if=/dev/zero of=/dev/da0 bs=1m count=1
  gpart create -s gpt da0
  gpart bootcode -b /boot/pmbr da0
  gpart add -b 34 -s 94 -t freebsd-boot da0
  gpart bootcode -p /boot/gptboot -i 1 da0
  gpart add -t freebsd-ufs da0
  newfs -Uj /dev/da0p2
  mount -t ufs /dev/da0p2 /mnt
  tar zxf attachtimes.tgz -C /mnt
  sed -i.orig -e 's/ada0/da0/' /mnt/etc/fstab
  umount /mnt

or a VirtualBox disk image:

  fetch http://people.freebsd.org/~des/software/attachtimes.tgz
  rm -f attachtimes.img
  truncate -s 4G attachtimes.img
  mdconfig attachtimes.img
  gpart create -s gpt md0
  gpart bootcode -b /boot/pmbr md0
  gpart add -b 34 -s 94 -t freebsd-boot md0
  gpart bootcode -p /boot/gptboot -i 1 md0
  gpart add -t freebsd-ufs md0
  newfs -Uj /dev/md0p2
  mount -t ufs /dev/md0p2 /mnt
  tar zxf attachtimes.tgz -C /mnt
  vi /mnt/boot/loader.conf
  # remove the ata hint
  umount /mnt
  mdconfig -d -u 0
  VBoxManage convertfromraw attachtimes.img attachtimes.vdi

The kernel and binaries in the tarball are 32-bit.  The updated patch is
at http://people.freebsd.org/~des/software/attachtimes.diff.

DES
-- 
Dag-Erling Smørgrav - des@des.no

From owner-freebsd-security@FreeBSD.ORG  Thu Sep 27 23:43:23 2012
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Delivered-To: freebsd-security@FreeBSD.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 77B9A106564A
	for <freebsd-security@FreeBSD.org>;
	Thu, 27 Sep 2012 23:43:23 +0000 (UTC)
	(envelope-from brde@optusnet.com.au)
Received: from mail27.syd.optusnet.com.au (mail27.syd.optusnet.com.au
	[211.29.133.168])
	by mx1.freebsd.org (Postfix) with ESMTP id 0B7B48FC0C
	for <freebsd-security@FreeBSD.org>;
	Thu, 27 Sep 2012 23:43:22 +0000 (UTC)
Received: from c122-106-157-84.carlnfd1.nsw.optusnet.com.au
	(c122-106-157-84.carlnfd1.nsw.optusnet.com.au [122.106.157.84])
	by mail27.syd.optusnet.com.au (8.13.1/8.13.1) with ESMTP id
	q8RNh9Pj017466
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO);
	Fri, 28 Sep 2012 09:43:11 +1000
Date: Fri, 28 Sep 2012 09:43:09 +1000 (EST)
From: Bruce Evans <brde@optusnet.com.au>
X-X-Sender: bde@besplex.bde.org
To: =?utf-8?Q?Dag-Erling_Sm=C3=B8rgrav?= <des@des.no>
In-Reply-To: <86fw63w20o.fsf@ds4.des.no>
Message-ID: <20120928084927.R5001@besplex.bde.org>
References: <20120918211422.GA1400@garage.freebsd.pl>
	<20120919192836.3a60cdfd@gumby.homeunix.com>
	<863923pzgi.fsf@ds4.des.no>
	<CAG5KPzwhq4UzPxbx74vX5KKtqC4tWkTsKAHjGDsdD8MqJVVkRg@mail.gmail.com>
	<20120927125956.0594fa73@gumby.homeunix.com>
	<86pq57o7ps.fsf@ds4.des.no>
	<20120928062245.K4426@besplex.bde.org> <86fw63w20o.fsf@ds4.des.no>
MIME-Version: 1.0
Content-Type: MULTIPART/MIXED; BOUNDARY="0-1241331444-1348789389=:5001"
Cc: freebsd-security@FreeBSD.org, RW <rwmaillists@googlemail.com>
Subject: Re: Collecting entropy from device_attach() times.
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Security issues \[members-only posting\]"
	<freebsd-security.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>, 
	<mailto:freebsd-security-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-security>
List-Post: <mailto:freebsd-security@freebsd.org>
List-Help: <mailto:freebsd-security-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>, 
	<mailto:freebsd-security-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Thu, 27 Sep 2012 23:43:23 -0000

  This message is in MIME format.  The first part should be readable text,
  while the remaining parts are likely unreadable without MIME-aware tools.

--0-1241331444-1348789389=:5001
Content-Type: TEXT/PLAIN; charset=X-UNKNOWN; format=flowed
Content-Transfer-Encoding: QUOTED-PRINTABLE

On Fri, 28 Sep 2012, Dag-Erling Smørgrav wrote:

> Bruce Evans <brde@optusnet.com.au> writes:
>> "Dag-Erling Smørgrav" <des@des.no> writes:
>>> RW <rwmaillists@googlemail.com> writes:
>>>> binuptime(&bt);
>>>> return (bt.frac ^ bt.sec);
>>> Why the heck does it xor the integer and fractional parts together?
>> Because most of the entropy is in the fractional part,
>
> This is not about entropy, it's about implementing get_cyclecount() on a
> platform that doesn't have a TSC.  It's supposed to be monotonic, and
> this implementation clearly isn't.  Even when bt.sec is small enough

Its monotonicity and documentation of same is a bug.

> that it doesn't affect significant digits of bt.frac (which should be
> most of the time, unless the resolution of the underlying timecounter
> exceeds ~2^32 Hz), get_cyclecount() will go backward every time a new
> second ticks over.

Its implementation demonstrates that it was never actually monotonic.
Even rdtsc() isn't necessarily monotonic.

Its comment in at least the i386 version still says that it "Return[s]
contents of an in-cpu fast counter as a sort of "bogo-time" for random-
harvesting purposes".  This has rotted in various ways:
- on i386 without tsc_present, it never used an in-cpu fast counter
   (since there is none)
- on i386, without tsc_present, it now uses the generic cpu_ticks()
   and gets whatever that gives, which happens to be a more monotonic
   less bogus time than before, and which doesn't have the xor hack.
- on i386, with tsc_present, it now uses the generic cpu_ticks()
   and gets whatever that gives, which happens to be the same in-cpu
   fast counter as before.
It shouldn't be commenting about what cpu_ticks() [doesn't] do.
- its man page says that it uses a "register available in most modern
   CPUs to return a value that is monotonically increasing inside each
   CPU", and explicitly documents that each CPU gives a separate monotonic
   sequence.  A strict reading of this says that it doesn't exist on
   non-modern CPUs or on some modern CPUs.  Bugs in this include:
   - over-specification of implementation details.  Lots of bugs in the
     details:
     - at least in i386, the value isn't necessarily increasing even
       within each CPU, since rdtsc() isn't serialized and maybe something
       resets the register.  The implementation just uses rdtsc() without
       worrying about these points.
     - on more modern CPUs, the values are synced, so the sequences aren't
       separate.
   - guaranteeing monotonicity.
- it is now abused for non-random-harvesting purposes, and some of these
   require it to be monotonic.  These places mostly just want a timestamp
   for debugging and should be using microtime().  See one of my old mails
   for full details of this and more details of the bogusness of
   get_cyclecount().

I should have objected more strongly when it was implemented.  Just using
binuptime() was adequate iff the timecounter hardware is the same as
the cycle counter (TSC on x86).  A TSC usable for timecounter hardware is
normal now.  I don't like cpu_tick() either, but it solves the efficiency
problem with the timecounter hardware not being the cycle counter.  It
solves them for use mainly in thread runtime accounting, but is usable
for get_cyclecount() too, and is in fact used for get_cyclecount() on i386
(get_cyclecount() just wraps it and no one except bde cares about the
inefficiency of this).  cpu_tick() is undocumented, so there are no bugs
in its man page to fix.

Bruce
--0-1241331444-1348789389=:5001--

From owner-freebsd-security@FreeBSD.ORG  Fri Sep 28 07:44:14 2012
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Delivered-To: freebsd-security@FreeBSD.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52])
	by hub.freebsd.org (Postfix) with ESMTP id AB4891065673
	for <freebsd-security@FreeBSD.org>;
	Fri, 28 Sep 2012 07:44:14 +0000 (UTC) (envelope-from des@des.no)
Received: from smtp.des.no (smtp.des.no [194.63.250.102])
	by mx1.freebsd.org (Postfix) with ESMTP id 67D3C8FC08
	for <freebsd-security@FreeBSD.org>;
	Fri, 28 Sep 2012 07:44:14 +0000 (UTC)
Received: from ds4.des.no (smtp.des.no [194.63.250.102])
	by smtp.des.no (Postfix) with ESMTP id E4C5A6BCB;
	Fri, 28 Sep 2012 09:44:12 +0200 (CEST)
Received: by ds4.des.no (Postfix, from userid 1001)
	id B397084F0; Fri, 28 Sep 2012 09:44:12 +0200 (CEST)
From: =?utf-8?Q?Dag-Erling_Sm=C3=B8rgrav?= <des@des.no>
To: Bruce Evans <brde@optusnet.com.au>
References: <20120918211422.GA1400@garage.freebsd.pl>
	<20120919192836.3a60cdfd@gumby.homeunix.com>
	<863923pzgi.fsf@ds4.des.no>
	<CAG5KPzwhq4UzPxbx74vX5KKtqC4tWkTsKAHjGDsdD8MqJVVkRg@mail.gmail.com>
	<20120927125956.0594fa73@gumby.homeunix.com>
	<86pq57o7ps.fsf@ds4.des.no> <20120928062245.K4426@besplex.bde.org>
	<86fw63w20o.fsf@ds4.des.no> <20120928084927.R5001@besplex.bde.org>
Date: Fri, 28 Sep 2012 09:44:11 +0200
In-Reply-To: <20120928084927.R5001@besplex.bde.org> (Bruce Evans's message of
	"Fri, 28 Sep 2012 09:43:09 +1000 (EST)")
Message-ID: <86ipayr3qs.fsf@ds4.des.no>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/23.4 (berkeley-unix)
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
Cc: freebsd-security@FreeBSD.org, RW <rwmaillists@googlemail.com>
Subject: Re: Collecting entropy from device_attach() times.
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Security issues \[members-only posting\]"
	<freebsd-security.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>, 
	<mailto:freebsd-security-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-security>
List-Post: <mailto:freebsd-security@freebsd.org>
List-Help: <mailto:freebsd-security-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>, 
	<mailto:freebsd-security-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Fri, 28 Sep 2012 07:44:14 -0000

Bruce Evans <brde@optusnet.com.au> writes:
> I should have objected more strongly when it was implemented.

So let's kill it :)

DES
-- 
Dag-Erling Smørgrav - des@des.no

From owner-freebsd-security@FreeBSD.ORG  Fri Sep 28 08:33:33 2012
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52])
	by hub.freebsd.org (Postfix) with ESMTP id 23FAD106564A;
	Fri, 28 Sep 2012 08:33:33 +0000 (UTC) (envelope-from des@des.no)
Received: from smtp.des.no (smtp.des.no [194.63.250.102])
	by mx1.freebsd.org (Postfix) with ESMTP id CF1918FC08;
	Fri, 28 Sep 2012 08:33:32 +0000 (UTC)
Received: from ds4.des.no (smtp.des.no [194.63.250.102])
	by smtp.des.no (Postfix) with ESMTP id C9CA56BE0;
	Fri, 28 Sep 2012 10:33:31 +0200 (CEST)
Received: by ds4.des.no (Postfix, from userid 1001)
	id 8B4DE84FC; Fri, 28 Sep 2012 10:33:31 +0200 (CEST)
From: =?utf-8?Q?Dag-Erling_Sm=C3=B8rgrav?= <des@des.no>
To: Pawel Jakub Dawidek <pjd@FreeBSD.org>
References: <20120919231051.4bc5335b@gumby.homeunix.com>
	<20120920102104.GA1397@garage.freebsd.pl>
	<201209200758.51924.jhb@freebsd.org>
	<20120922080323.GA1454@garage.freebsd.pl>
	<20120922195325.GH1454@garage.freebsd.pl> <505E59DC.7090505@gmail.com>
	<20120923151706.GN1454@garage.freebsd.pl> <5060D723.6020305@gmail.com>
	<CAG5KPzxf0Rfufk5K6Jt4e85xc7zXY_B3a2Sq0Uf_uVLHbV-baw@mail.gmail.com>
	<86r4pqqwnm.fsf@ds4.des.no> <20120925102240.GC1571@garage.freebsd.pl>
	<86mx0eqsgy.fsf@ds4.des.no>
Date: Fri, 28 Sep 2012 10:33:31 +0200
In-Reply-To: <86mx0eqsgy.fsf@ds4.des.no> ("Dag-Erling =?utf-8?Q?Sm=C3=B8rg?=
	=?utf-8?Q?rav=22's?= message of "Tue, 25 Sep 2012 12:58:37 +0200")
Message-ID: <867grer1gk.fsf@ds4.des.no>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/23.4 (berkeley-unix)
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
Cc: Jonathan Anderson <jonathan.anderson@cl.cam.ac.uk>,
	John Baldwin <jhb@freebsd.org>, Ben Laurie <benl@freebsd.org>,
	freebsd-security@freebsd.org, RW <rwmaillists@googlemail.com>,
	Mariusz Gromada <mariusz.gromada@gmail.com>
Subject: Re: Collecting entropy from device_attach() times.
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Security issues \[members-only posting\]"
	<freebsd-security.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>, 
	<mailto:freebsd-security-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-security>
List-Post: <mailto:freebsd-security@freebsd.org>
List-Help: <mailto:freebsd-security-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>, 
	<mailto:freebsd-security-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Fri, 28 Sep 2012 08:33:33 -0000

Dag-Erling Smørgrav <des@des.no> writes:
> With a sub-minute cycle time, I can get a couple of hundred thousand
> samples per machine over the weekend.

Uh, not even close.  My sleep-deprived brain substituted 86400 for 1440.
I should still get 10 - 20 thousand samples, though.

DES
-- 
Dag-Erling Smørgrav - des@des.no

From owner-freebsd-security@FreeBSD.ORG  Fri Sep 28 13:24:50 2012
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 7A1441065670
	for <freebsd-security@freebsd.org>;
	Fri, 28 Sep 2012 13:24:50 +0000 (UTC)
	(envelope-from andrey@zonov.org)
Received: from mail-la0-f54.google.com (mail-la0-f54.google.com
	[209.85.215.54])
	by mx1.freebsd.org (Postfix) with ESMTP id DBAF58FC12
	for <freebsd-security@freebsd.org>;
	Fri, 28 Sep 2012 13:24:49 +0000 (UTC)
Received: by lage12 with SMTP id e12so1294747lag.13
	for <freebsd-security@freebsd.org>;
	Fri, 28 Sep 2012 06:24:48 -0700 (PDT)
Received: by 10.152.111.71 with SMTP id ig7mr5998756lab.28.1348838688425;
	Fri, 28 Sep 2012 06:24:48 -0700 (PDT)
Received: from dhcp170-82-red.yandex.net (dhcp170-82-red.yandex.net.
	[95.108.170.82])
	by mx.google.com with ESMTPS id tb8sm2511962lab.4.2012.09.28.06.24.47
	(version=SSLv3 cipher=OTHER); Fri, 28 Sep 2012 06:24:47 -0700 (PDT)
Sender: Andrey Zonov <andrey@zonov.org>
Message-ID: <5065A51B.6010905@FreeBSD.org>
Date: Fri, 28 Sep 2012 17:24:43 +0400
From: Andrey Zonov <zont@FreeBSD.org>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7;
	rv:15.0) Gecko/20120907 Thunderbird/15.0.1
MIME-Version: 1.0
To: "Simon L. B. Nielsen" <simon@FreeBSD.org>
References: <50619E5D.3010503@FreeBSD.org>
	<CAC8HS2G84_t5G0KrwEhkwhfRWY+6Cck8vQYRJnv3vQOsBPPD_g@mail.gmail.com>
In-Reply-To: <CAC8HS2G84_t5G0KrwEhkwhfRWY+6Cck8vQYRJnv3vQOsBPPD_g@mail.gmail.com>
X-Enigmail-Version: 1.4.4
Content-Type: multipart/signed; micalg=pgp-sha1;
	protocol="application/pgp-signature";
	boundary="------------enig113F7C254FA28DBDFF7833B6"
X-Gm-Message-State: ALoCoQl9BBP+jrsCf0pw1Y+yMXiA2jEmbUf+DkwdbWwv/y/doUOAishuG7KSwvD89w5PWTDfsIlV
Cc: freebsd-security@freebsd.org
Subject: Re: [patch] unprivileged mlock(2)
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Security issues \[members-only posting\]"
	<freebsd-security.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>, 
	<mailto:freebsd-security-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-security>
List-Post: <mailto:freebsd-security@freebsd.org>
List-Help: <mailto:freebsd-security-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>, 
	<mailto:freebsd-security-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Fri, 28 Sep 2012 13:24:50 -0000

This is an OpenPGP/MIME signed message (RFC 2440 and 3156)
--------------enig113F7C254FA28DBDFF7833B6
Content-Type: multipart/mixed; boundary="------------090508050401040600020903"

This is a multi-part message in MIME format.
--------------090508050401040600020903
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

On 9/27/12 7:25 PM, Simon L. B. Nielsen wrote:
> On Tue, Sep 25, 2012 at 1:06 PM, Andrey Zonov <zont@freebsd.org> wrote:
>> Hi,
>>
>> Please review this patch [1] which allows unprivileged users to call
>> mlock()/munlock() and mlockall()/munlockall().
>>
>> AFAIK, these calls were not allowed for everyone because accounting for
>> mlockall(MCL_FUTURE) was not implemented.
>
> I can't comment on the implementation details (don't know much about
> VM system), but do you have tests to show that the new code actually
> works in preventing users from mlocking more than 8MB by default?
>

Sure, a test is attached.

So, lock only current memory:
[zont@vm020 ~/mlock]$ limits -l 50m ./mlock 1 100
mlock: rss: 138Mb; allocated: 100Mb

Lock only future memory:
[zont@vm020 ~/mlock]$ limits -l 50m ./mlock 2 100
mlock: calloc(): Cannot allocate memory
mlock: rss: 46Mb; allocated: 33Mb

and fail at about 50Mb.

Now lock current and future memory:
[zont@vm020 ~/mlock]$ limits -l 50m ./mlock 3 100
mlock: calloc(): Cannot allocate memory
mlock: rss: 49Mb; allocated: 33Mb

and fail again.

The numbers are rough because I use calloc() in the test.  To get more
precise numbers, the test should be rewritten to use mmap() and/or sbrk().

-- 
Andrey Zonov

--------------090508050401040600020903
Content-Type: text/plain; charset=UTF-8; x-mac-type="0"; x-mac-creator="0";
	name="mlock.c"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
 filename="mlock.c"

--------------090508050401040600020903--

--------------enig113F7C254FA28DBDFF7833B6
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"


--------------enig113F7C254FA28DBDFF7833B6--