Message-ID: <505CCC7E.5080205@FreeBSD.org>
Date: Fri, 21 Sep 2012 13:22:22 -0700
From: Doug Barton
To: Pawel Jakub Dawidek
In-Reply-To: <20120921070956.GA1382@garage.freebsd.pl>
Cc: freebsd-security@FreeBSD.org, David O'Brien
Subject: Re: Collecting entropy from device_attach() times.

On 09/21/2012 12:09 AM, Pawel Jakub Dawidek wrote:
> On Thu, Sep 20, 2012 at 11:08:15PM -0700, David O'Brien wrote:
>> On Fri, Sep 21, 2012 at 07:35:49AM +0200, Pawel Jakub Dawidek wrote:
>>> Note that adding sysctl to turn off entropy harvesting from
>>> device_attach() is pretty useless, as sysctls can be changed once we
>>> start userland and then all device_attach() are already called (modulo
>>> drivers loaded later).

Devices can be added at any time in the life of the system via USB, and
other interfaces.

>> That is what I had in mind -- .ko drivers loaded post 'initrandom'.
>>
>> The same could be said for kern.random.sys.harvest.interrupt.
>> By the time kern.random.sys.harvest.interrupt can be turned off,
>> my test system has already processed 784 'origin interrupt' queue
>> entries and went from kern.random.sys.seeded=0->1.
>
> Yes, this is exactly why I'd like to see corresponding tunable for all
> those sysctls.

Agreed.