From: Pawel Jakub Dawidek
To: John Baldwin
Cc: Ben Laurie, freebsd-security@freebsd.org, RW, Jonathan Anderson, Mariusz Gromada
Date: Sat, 22 Sep 2012 21:53:26 +0200
Subject: Re: Collecting entropy from device_attach() times.
Message-ID: <20120922195325.GH1454@garage.freebsd.pl>
In-Reply-To: <20120922080323.GA1454@garage.freebsd.pl>

On Sat, Sep 22, 2012 at 10:03:23AM +0200, Pawel Jakub Dawidek wrote:
> If discarding the top ten bits in case of such a dummy driver is enough, we
> could probably discard less from drivers that interact with real
> hardware, but even with 43 device_attach() calls during boot on similar
> hardware and assuming that we can get only 6 bits of entropy from each
> call, it gives us more than 256 bits of entropy. In other words I don't
> think we should further complicate this and that we should stick to
> entropy estimations from my current patch.

I made additional calculations to see where is the line we shall not
cross. I checked what the distribution would look like for 6, 7, 8, 9, 10,
11 and 12 bit values (so we discard from top 10 to top 4 bits):

	http://people.freebsd.org/~pjd/misc/device_attach_6bit.jpg
	http://people.freebsd.org/~pjd/misc/device_attach_7bit.jpg
	http://people.freebsd.org/~pjd/misc/device_attach_8bit.jpg
	http://people.freebsd.org/~pjd/misc/device_attach_9bit.jpg
	http://people.freebsd.org/~pjd/misc/device_attach_10bit.jpg
	http://people.freebsd.org/~pjd/misc/device_attach_11bit.jpg
	http://people.freebsd.org/~pjd/misc/device_attach_12bit.jpg

And source in libreoffice:

	http://people.freebsd.org/~pjd/misc/device_attach_6-12_bits.ods

It looks like we can safely discard even only 7 bits (leaving 9 bits of
entropy). With a 10bit value the maximum difference between the theoretical
and empirical distribution goes to 6.34%, which I don't think is acceptable.
On the other hand the differences for 6, 7, 8 and 9 are very small:

	6bit: 0.33%
	7bit: 0.29%
	8bit: 0.27%
	9bit: 0.21%

For completeness all the rest:

	10bit: 6.34%
	11bit: 19.07%
	12bit: 54.80%

Mariusz, can you confirm my findings?

-- 
Pawel Jakub Dawidek                       http://www.wheelsystems.com
FreeBSD committer                         http://www.FreeBSD.org
Am I Evil? Yes, I Am!                     http://tupytaj.pl
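
Added example, not part of the original message or of the FreeBSD patch: one way to produce a table like the one above, by keeping the low N bits of each timing sample and comparing their empirical distribution with a uniform one. It assumes 16-bit samples and takes "maximum difference" to mean the largest gap between the two cumulative distributions (the message does not name the metric); the sample data is constructed, not measured device_attach() times.

```python
import random
from collections import Counter

SAMPLE_BITS = 16  # assumption: each timing sample is a 16-bit value


def max_cdf_difference(samples, keep_bits):
    """Largest gap between the empirical CDF of the low keep_bits of each
    sample and the CDF of a uniform distribution over 2**keep_bits values."""
    if not samples:
        raise ValueError("no samples")
    if not 1 <= keep_bits <= SAMPLE_BITS:
        raise ValueError("keep_bits out of range")
    size = 1 << keep_bits
    # Discard the top bits: only the low keep_bits are credited as entropy.
    counts = Counter(s & (size - 1) for s in samples)
    total = len(samples)
    seen = 0
    worst = 0.0
    for value in range(size):
        seen += counts.get(value, 0)
        worst = max(worst, abs(seen / total - (value + 1) / size))
    return worst


def constructed_samples(n=20000, seed=1):
    """Constructed stand-in for measured times: a fixed cost plus jitter.
    The centre (30000) and spread (600) are made-up values."""
    rng = random.Random(seed)
    out = []
    for _ in range(n):
        v = int(rng.gauss(30000, 600))
        out.append(min(max(v, 0), (1 << SAMPLE_BITS) - 1))
    return out


def report(samples, widths=range(6, 13)):
    """Map each kept width (6..12 bits by default) to its maximum difference."""
    return {k: max_cdf_difference(samples, k) for k in widths}


if __name__ == "__main__":
    for bits, diff in report(constructed_samples()).items():
        print(f"{bits:2d}bit: {diff * 100:6.2f}%")
```

The percentages it prints depend on the constructed jitter and will not match the figures in the message; what carries over is the shape, with the difference staying small while the kept width is well below the spread of the timings and growing quickly once it is not.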