Bug#735450: kfreebsd-9: trusts the output of Intel hardware RNGs
Package: src:kfreebsd-9
Version: 9.2-1
Severity: grave
Tags: security
X-Debbugs-Cc: Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>
Control: fixed -1 9.1-3
Control: fixed -1 9.0-12
Control: fixed -1 9.0-10+deb70.5
The kernel of FreeBSD since 9.2 supports the Bull Mountain RNG in Intel
Ivy Bridge CPUs. Where available, it is used as the sole provider of
/dev/{,u}random without any post-processing.
Much suspicion has fallen on Intel as being a participant of, or target
of, the US NSA's BULLRUN anti-encryption program, somehow compromising
the security of hardware RNGs and thus anything relying on them. Either
way, we don't know we can trust the raw output of these RNGs any more.
Since first being uploaded to sid, kfreebsd-10 had already reworked
this (in SVN r256381) to feed hardware RNGs into Yarrow along with
other entropy sources, so they can be safely used.
Upstream disabled this RNG by default in stable/9. In jessie/sid,
kfreebsd-9 may soon be superseded by kfreebsd-10.
-- System Information:
Debian Release: jessie/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: kfreebsd-amd64 (x86_64)
Kernel: kFreeBSD 9.0-2-amd64-xenhvm
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Reply to: