From: RW
To: freebsd-security@freebsd.org
Date: Wed, 19 Sep 2012 21:46:24 +0100
Subject: Re: Collecting entropy from device_attach() times.
Message-ID: <20120919214624.2f6682a2@gumby.homeunix.com>
References: <20120918211422.GA1400@garage.freebsd.pl> <20120919192923.GA1416@garage.freebsd.pl>

On Wed, 19 Sep 2012 20:59:15 +0100
Ben Laurie wrote:

> On Wed, Sep 19, 2012 at 8:29 PM, Pawel Jakub Dawidek wrote:
> > On Wed, Sep 19, 2012 at 07:30:52PM +0100, Jonathan Anderson wrote:
> >> > If all the times are more or less equally probable in this range
> >> > […]
> >>
> >> They're very unlikely to be equally probable. It would make sense
> >> to do some characterization of these times and their statistics: a
> >> highly non-uniform distribution would mean that we don't actually
> >> get many bits per attach.
> >
> > I have times for ~2000 device_attach() calls when loading sound card
> > driver on totally idle system. If someone could take those and
> > analyse the distribution that would be great.
> >
> >> > […] we have more
> >> > than 19 bits of entropy from this one call, but I reduced it to
> >> > four bits only, because there are devices that are much faster
> >> > to attach.
> >> >
> >>
> >> Another reason for doing the above characterization is that, if a
> >> particular device_attach() really does provide 12 bits of
> >> uncertainty, it's a shame to drop eight of them on the floor.
> >
> > Right. That's why I've prepared another patch:
> >
> > http://people.freebsd.org/~pjd/patches/harvest_device_attach.2.patch
> >
> > which effectively discards top ten bits, which means we expect 0.1%
> > of the attach time to be unpredictable (the attach time in most
> > cases vary by few percent, not sure yet how much of this variation
> > is really unpredictable).
>
> This is the wrong thing to do! There's no reason to discard bits on
> input (modulo the device throwing away inputs, that is) - just reduce
> your entropy estimate. "Extra" bits do no harm.

Not only that but the actual full entropy will get used because
initrandom forces a reseed irrespective of the current accounting. The
extra bits may make the difference between secure and insecure.

The entropy estimations before that are of no significance unless you
have a local attacker that early in the boot.
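
Added example, not part of the thread or of the linked patch: a small Python sketch of the two points argued above, that a non-uniform distribution yields far fewer bits than its range suggests, and that feeding the full sample while crediting a reduced estimate loses nothing. The sample data is constructed, the Pool class is a toy stand-in for the kernel's pool, and keep_low_bits() is a simplified model of discarding bits on input.

```python
import hashlib
import math
from collections import Counter

def min_entropy_bits(samples):
    """Most-common-value estimate: -log2 of the highest observed frequency."""
    p_max = max(Counter(samples).values()) / len(samples)
    return -math.log2(p_max)

def range_bits(samples):
    """Naive figure: assumes every value between min and max is equally likely."""
    return math.log2(max(samples) - min(samples) + 1)

def keep_low_bits(samples, k):
    """Simplified model of discarding bits on input: only the low k bits survive."""
    return [s & ((1 << k) - 1) for s in samples]

class Pool:
    """Toy pool (assumption): hashes every input byte, credits entropy separately."""
    def __init__(self):
        self._h = hashlib.sha256()
        self.credited_bits = 0.0

    def add(self, sample, credit_bits):
        self._h.update(sample.to_bytes(8, "little"))  # all input bits are mixed in
        self.credited_bits += credit_bits             # the estimate is a separate knob

    def state(self):
        return self._h.hexdigest()

def constructed_samples():
    """Constructed data: 512 attaches at exactly 500000 ticks, 512 spread one per tick."""
    return [500000] * 512 + list(range(500001, 500513))

def pool_after(samples, credit_bits, low_bits=None):
    """Feed samples (optionally truncated first) and return the resulting pool."""
    pool = Pool()
    for s in (samples if low_bits is None else keep_low_bits(samples, low_bits)):
        pool.add(s, credit_bits)
    return pool

if __name__ == "__main__":
    s = constructed_samples()
    print(f"range estimate     : {range_bits(s):.2f} bits")
    print(f"min-entropy, full  : {min_entropy_bits(s):.2f} bits")
    print(f"min-entropy, low 4 : {min_entropy_bits(keep_low_bits(s, 4)):.2f} bits")
    a, b = [500000, 500016], [500000, 500032]         # differ only above bit 3
    for k in (None, 4):
        print("kept bits:", k, "pools differ:",
              pool_after(a, 1, k).state() != pool_after(b, 1, k).state())
```

With a conservative credit of one bit per sample, both pools report the same credited total, but only the pool fed the full values ends up in a state that depends on the bits above bit 3.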