Date: Wed, 3 Oct 2012 01:16:07 +0100
From: RW
To: Dag-Erling Smørgrav
Cc: Anderson, Pawel Jakub Dawidek, John Baldwin, Ben Laurie, freebsd-security@freebsd.org, Mariusz Gromada, Jonathan
Subject: Re: Collecting entropy from device_attach() times.
Message-ID: <20121003011607.5553fe48@gumby.homeunix.com>
In-Reply-To: <86y5joiyan.fsf@ds4.des.no>

On Tue, 02 Oct 2012 19:22:40 +0200
Dag-Erling Smørgrav wrote:

> 2) I modified the program to create a histogram of the lower bits and
> looked at that in gnuplot. It was immediately obvious that the
> distribution is extremely non-uniform. I suspect that this is - at
> least in part - due to the weird way get_cyclecount() computes the
> value it returns.

It doesn't compute it in a weird way for amd64 and most i386 systems.
Where possible, get_cyclecount is just a wrapper for rdtsc, which I
think it will be for all the systems you quoted (with the possible
exception of VirtualBox).

I don't think one should necessarily expect the bits to get
progressively more random going from high to low order. If you think in
terms of simple variable analogue delays it seems reasonable, but a
physical device may have its own internal timing granulation.

> We should either rewrite it to return something
> sensible or nuke it and use binuptime() instead.

As I pointed out before, if you use binuptime() you can't use entropy
estimation based on bit-shifting time differences.
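
An added example, not part of the original message and not FreeBSD code: a small C check of the granulation point made above. It histograms the low 8 bits of cycle-count deltas and counts the low-order bits that never change; the delta values, the 64-cycle quantum and all function names are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define NBINS 256u   /* histogram over the low 8 bits of each delta */

/* Constructed sample data (not measurements): jitter in steps of `quantum`. */
static void make_deltas(uint64_t *d, size_t n, uint64_t quantum)
{
    for (size_t i = 0; i < n; i++)
        d[i] = 100000 + quantum * ((i * 37) % 512);
}

/* Histogram the low 8 bits; return the number of occupied bins and store
 * the largest bin count in *max_count. */
static unsigned low_bit_histogram(const uint64_t *d, size_t n, unsigned *max_count)
{
    unsigned hist[NBINS] = {0}, used = 0;
    *max_count = 0;
    for (size_t i = 0; i < n; i++)
        hist[d[i] & (NBINS - 1)]++;
    for (unsigned b = 0; b < NBINS; b++) {
        used += hist[b] != 0;
        if (hist[b] > *max_count) *max_count = hist[b];
    }
    return used;
}

/* Low-order bits, from bit 0 up, that never change across the samples. */
static unsigned stuck_low_bits(const uint64_t *d, size_t n)
{
    uint64_t changed = 0;
    unsigned k = 0;
    for (size_t i = 1; i < n; i++)
        changed |= d[i] ^ d[0];
    while (k < 64 && !((changed >> k) & 1)) k++;
    return k;
}

int main(void)
{
    uint64_t d[256];
    unsigned max, used;
    for (unsigned q = 1; q <= 64; q *= 64) {   /* q = 1, then q = 64 */
        make_deltas(d, 256, q);
        used = low_bit_histogram(d, 256, &max);
        printf("quantum=%2u bins=%3u max=%2u stuck=%u\n", q, used, max, stuck_low_bits(d, 256));
    }
    return 0;
}
```

With the constructed 64-cycle quantum the low byte lands in 4 of 256 bins and the six lowest bits are constant, while the ungranulated series fills all 256 bins.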