possible /dev/random compromise (misplaced trust in RDRAND / Padlock entropy sources)

To: debian-security@lists.debian.org
Cc: debian-kernel@lists.debian.org, "debian-bsd@lists.debian.org" <debian-bsd@lists.debian.org>
Subject: possible /dev/random compromise (misplaced trust in RDRAND / Padlock entropy sources)
From: Robert Millan <rmh@debian.org>
Date: Sat, 14 Dec 2013 01:44:16 +0100
Message-id: <[🔎] 52ABA9E0.2060003@debian.org>

According this publication [0], The New York Times, Pro Publica, and The Guardian,
reported in September that the NSA and its British counterpart are working with
chipmakers to insert backdoors, or cryptographic weaknesses, in their products.

[0] http://arstechnica.com/security/2013/12/we-cannot-trust-intel-and-vias-chip-based-crypto-freebsd-developers-say/

Software trusting chip-based crypto support, and in particular software which
uses specialized chips to obtain entropy might be compromising the quality of
the entropy pool as made available to /dev/random.

This has been recently discussed at security conference in EuroBSDcon 2013. The
minutes read:

"we are going to backtrack and remove RDRAND and Padlock backends and feed
them into Yarrow instead of delivering their output directly to /dev/random.
It will still be possible to access hardware random number generators, that
is, RDRAND, Padlock etc., directly by inline assembly or by using OpenSSL
from userland, if required, but we cannot trust them any more"

(from http://www.freebsd.org/news/status/report-2013-09-devsummit.html#Security)

In consequence the FreeBSD project has deemed it necessary to unlink entropy
providers in Intel RDRAND and Via Padlock technologies from the main
/dev/random source (http://svnweb.freebsd.org/base?view=revision&revision=256377).

Advice from Security Team would be appreciated in order to determine which
action needs to be taken in Debian.

-------------------------------------------------------

Here's my best attempt at determining the behaviour of kFreeBSD relative to
Intel RDRAND / Via Padlock entropy sources:

kfreebsd 8.3 and 9.0 (wheezy):
	Sets Via chipset to serve /dev/random unconditionally whenever detected,
	but only on i386 (not amd64). Does not support Intel entropy source.
	(see sys/dev/random/probe.c)

kfreebsd 9.2 (jessie / sid):
	Sets Via or Intel chipset to serve /dev/random when detected,
	unless hw.nehemiah_rng_enable or hw.ivy_rng_enable are set to zero
	to disable them.

kfreebsd 10~ (sid):
	All versions in Debian already have the fixed code, which replaces
	random_adaptor_register() with live_entropy_source_register(), thereby
	registering Via and Intel chips as "entropy sources" to be post
	processed by Yarrow, rather than directly as "random adaptors".

-- 
Robert Millan

Reply to:

Follow-Ups:
- Re: possible /dev/random compromise (misplaced trust in RDRAND / Padlock entropy sources)
  - From: Henrique de Moraes Holschuh <hmh@debian.org>

Prev by Date: kfreebsd-downloader-10_10.0~rc1-1_kfreebsd-amd64.changes ACCEPTED into unstable
Next by Date: Re: possible /dev/random compromise (misplaced trust in RDRAND / Padlock entropy sources)
Previous by thread: kfreebsd-downloader-10_10.0~rc1-1_kfreebsd-amd64.changes ACCEPTED into unstable
Next by thread: Re: possible /dev/random compromise (misplaced trust in RDRAND / Padlock entropy sources)
Index(es):
- Date
- Thread