On 09/09/2013 02:11 PM, H. Peter Anvin wrote:
> It recently came to my attention that there are no standards whatsoever
> for random number generated by TPMs. In fact, there *are* TPMs where
> random numbers are generated by an encrypted nonvolatile counter (I do
> not know which ones); this is apparently considered acceptable for the
> uses of random numbers that TPMs produce.
>
> There are two issues with this from a Linux point of view. One, we
> harvest supposed entropy from the TPM for /dev/*random use via
> /dev/hwrng and rngd. This was something I originally proposed because
> on a lot of platforms it is the only available entropy source with any
> significant bandwidth. However, in light of the above it is
> questionable at best, at least with entropy being credited.

Presumably the "entropy" should be mixed in but not credited to the available entropy.

>
> The other issue is that we use tpm_get_random() *directly* in security/keys/trusted.c.

I don't know whether this makes sense, but all but one call seem to be related to TPM transactions -- breaking the TPM's RNG won't have any effects beyond, say, breaking the TPM's SRK.

The one that looks dangerous is the one just under case Opt_new: it's using tpm_get_random to create an encryption key *that's used by the kernel for software crypto*. That's IMO bogus.

--Andy
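
Added example, not part of the thread and not rngd or kernel code: a userspace sketch of the "mixed in but not credited" idea, using the write() path of the random device for untrusted sources and the RNDADDENTROPY ioctl from <linux/random.h> only when credit is wanted. The names build_request and feed_pool, and the trusted flag, are hypothetical.

```c
/* Added example: feed hardware RNG output to the Linux pool, crediting
 * entropy only when the caller marks the source as trusted. */
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ioctl.h>
#include <unistd.h>
#include <linux/random.h>

/* Build an RNDADDENTROPY request; credit_bits is clamped to [0, 8*len]. */
struct rand_pool_info *build_request(const void *data, size_t len, int credit_bits)
{
    struct rand_pool_info *req = calloc(1, sizeof(*req) + len);
    if (!req)
        return NULL;
    if (credit_bits < 0)
        credit_bits = 0;
    if ((size_t)credit_bits > len * 8)
        credit_bits = (int)(len * 8);
    req->entropy_count = credit_bits;   /* bits credited to the pool */
    req->buf_size = (int)len;           /* bytes of payload that follow */
    memcpy(req->buf, data, len);
    return req;
}

/* Returns 0 on success, -1 on error. With trusted == 0 the bytes are only
 * mixed in: a plain write() to the device never raises the entropy count. */
int feed_pool(const char *pool_path, const void *data, size_t len,
              int trusted, int credit_bits)
{
    int rc = -1;
    int fd = open(pool_path, O_WRONLY);
    if (fd < 0)
        return -1;
    if (!trusted) {
        rc = (write(fd, data, len) == (ssize_t)len) ? 0 : -1;
    } else {
        struct rand_pool_info *req = build_request(data, len, credit_bits);
        if (req) {
            /* Needs CAP_SYS_ADMIN; mixes and credits in one step. */
            rc = (ioctl(fd, RNDADDENTROPY, req) == 0) ? 0 : -1;
            free(req);
        }
    }
    close(fd);
    return rc;
}
```

A feeder following the suggestion in this message would call feed_pool("/dev/urandom", buf, n, 0, 0) for bytes read from a TPM-backed /dev/hwrng.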