From: Ben Laurie
To: Jonathan Anderson
Cc: freebsd-security@freebsd.org, Pawel Jakub Dawidek
Date: Wed, 19 Sep 2012 20:47:03 +0100
Subject: Re: Collecting entropy from device_attach() times.

On Wed, Sep 19, 2012 at 7:30 PM, Jonathan Anderson wrote:
> On Tuesday, 18 September 2012 at 22:14, Pawel Jakub Dawidek wrote:
>> […] we have more
>> than 19 bits of entropy from this one call, but I reduced it to four
>> bits only, because there are devices that are much faster to attach.
>>
>
> Another reason for doing the above characterization is that, if a particular device_attach() really does provide 12 bits of uncertainty, it's a shame to drop eight of them on the floor.

Estimating at 4 bits does not drop any entropy on the floor, it just means that if you are going to unblock the PRNG once a certain amount of entropy is present, then this input counts for 4 bits against that certain amount. The amount of entropy harvested is unchanged.

The reason to work out how much entropy there is is to:

a) Unblock as early as possible
b) Not unblock too early

Erring on the side of underestimation is wise here.
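
The distinction drawn in the message above, between how much input is mixed into the pool and how much is credited toward unblocking, shown as an added example that is not part of the original message and is not FreeBSD code. The `Pool` class, the 256-bit threshold, the SHA-256 mixing step and the sample timings are all assumptions made for illustration.

```python
import hashlib
import struct

UNBLOCK_THRESHOLD_BITS = 256  # assumed threshold for this example


class Pool:
    """Toy entropy pool: mixing input and crediting entropy are separate."""

    def __init__(self, threshold_bits=UNBLOCK_THRESHOLD_BITS):
        self.state = b"\x00" * 32
        self.credited_bits = 0
        self.threshold_bits = threshold_bits

    def harvest(self, sample, estimate_bits):
        # The full sample is always mixed in; the estimate never truncates it.
        self.state = hashlib.sha256(self.state + sample).digest()
        # The estimate only advances the counter that gates unblocking.
        self.credited_bits = min(self.threshold_bits,
                                 self.credited_bits + estimate_bits)

    @property
    def unblocked(self):
        return self.credited_bits >= self.threshold_bits


def feed(samples, estimate_bits):
    """Mix every sample; return (sample count at unblock, final pool state)."""
    pool, unblocked_at = Pool(), None
    for count, sample in enumerate(samples, start=1):
        pool.harvest(sample, estimate_bits)
        if unblocked_at is None and pool.unblocked:
            unblocked_at = count
    return unblocked_at, pool.state


# Constructed device_attach() durations in nanoseconds (not measured data).
SAMPLES = [struct.pack("<Q", 1_000_000 + 7919 * i) for i in range(64)]

if __name__ == "__main__":
    for bits in (4, 12):
        at, state = feed(SAMPLES, bits)
        print(f"estimate={bits:2d} bits: unblocked after {at} attaches, "
              f"pool={state.hex()[:16]}")
```

Both runs finish with the same pool state; only the attach count at which the pool unblocks differs (64 versus 22), which is where an overestimate would unblock too early.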