On Sun, 2013-09-08 at 13:27 +0200, Eugen Leitl wrote:
> ----- Forwarded message from "James A. Donald" <jam...@echeque.com> -----
> On 2013-09-08 3:48 AM, David Johnston wrote:
> > Claiming the NSA colluded with intel to backdoor RdRand is also to
> > accuse me personally of having colluded with the NSA in producing a
> > subverted design. I did not.
>
> Well, since you personally did this, would you care to explain the
> very strange design decision to whiten the numbers on chip, and not
> provide direct access to the raw unwhitened output.
>
> A decision that even assuming the utmost virtue on the part of the
> designers, leaves open the possibility of malfunctions going
> undetected.
I may have missed this part of the thread, but I'm interested in knowing the rationale for letting the hypervisor intercept the RDRAND call and return any value it likes, bypassing the random hardware. I've had one person speculate it would be useful for keeping 2 CPUs in sync (the TSC can also be intercepted), but it does worry me that RDRAND calls can be rendered predictable by a compromised VM.

eric

For those interested: Intel document 325462.pdf, "Intel® 64 and IA-32 Architectures Software Developer's Manual Combined Volumes: 1, 2A, 2B, 2C, 3A, 3B and 3C", page 'Vol. 3C 27-23', Table 27-12, "Format of the VM-Exit Instruction-Information Field as Used for RDRAND".

_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
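An added example, not from this thread, of the defensive consequence of the point above: a guest that cannot rule out its RDRAND being emulated should never use it as its only entropy source. The C below reads CPUID leaf 1 for the RDRAND flag (ECX bit 30) and the bit hypervisors set to announce themselves (ECX bit 31), draws from RDRAND with the ten-attempt retry loop Intel recommends, and XORs the result with a word from the kernel pool; the function names are mine, the x86-64 inline assembly is compiled only on that architecture, and /dev/urandom is assumed to exist.

```c
#include <stdint.h>
#include <stdio.h>

/* CPUID leaf 1: ECX bit 30 = RDRAND present, bit 31 = running under a hypervisor.
   Added example, not vendor code; on non-x86-64 builds both flags read as absent. */
int rdrand_status(int *has_rdrand, int *under_hypervisor) {
#if defined(__x86_64__)
    uint32_t eax = 1, ebx, ecx = 0, edx;
    __asm__ volatile("cpuid" : "+a"(eax), "=b"(ebx), "+c"(ecx), "=d"(edx));
    (void)eax; (void)ebx; (void)edx;
    *has_rdrand = (ecx >> 30) & 1; *under_hypervisor = (ecx >> 31) & 1;
    return 1;
#else
    *has_rdrand = *under_hypervisor = 0; return 0;
#endif
}

/* RDRAND with Intel's retry guidance: CF=0 means no data was ready; give up after 10 tries. */
int rdrand64_retry(uint64_t *out) {
    int has_rdrand, hv;
    rdrand_status(&has_rdrand, &hv);
    if (!has_rdrand) return 0;            /* executing RDRAND without support would #UD */
#if defined(__x86_64__)
    for (int i = 0; i < 10; i++) {
        unsigned char ok;
        __asm__ volatile("rdrand %0\n\tsetc %1" : "=r"(*out), "=qm"(ok) : : "cc");
        if (ok) return 1;
    }
#endif
    return 0;
}

/* XOR of independent sources: controlling one without seeing the other reveals
   nothing about the result (a hypervisor reading guest memory defeats this). */
uint64_t mix_xor(uint64_t hw, uint64_t kernel) { return hw ^ kernel; }

/* The kernel pool is mandatory and read first; RDRAND output only ever adds to it. */
int get_random64(uint64_t *out) {
    uint64_t k, h;
    FILE *f = fopen("/dev/urandom", "rb");
    if (!f || fread(&k, sizeof k, 1, f) != 1) { if (f) fclose(f); return 0; }
    fclose(f);
    *out = rdrand64_retry(&h) ? mix_xor(h, k) : k;
    return 1;
}
```

If rdrand_status reports a hypervisor, the RDRAND word may be exactly the intercepted value the post describes, which is why get_random64 never hands it back on its own.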