On Tue, 20 May 2014 05:12:07 -0700, Andi Kleen wrote:
> Jörn Engel <jo...@logfs.org> writes:
> >
> > An alternate high-resolution timer is the register content at the time
> > of an interrupt.
>
> So if you interrupt a cryptographic function you may hash in parts
> of the key?
Yes. And if there was an efficient way to deduce random generator inputs,
that would be a new side channel attack. An efficient way to deduce random
generator inputs would allow many other attacks as well. I don't know of
such an attack nor can I conceive it being possible under normal
circumstances.

There are of course two exceptions. If the attacker can read arbitrary
kernel memory - and therefore could read the private key directly. And if
there is so little entropy that an attacker can enumerate all possible
states of the random generator and read enough random numbers to exclude
most of those states.

The second case also allows for many more interesting attacks and is
exactly the sort of hole I want to plug with this patch.

I think leaking of private keys or similar information is not a concern.
But please prove me wrong. Better you now than someone else later.

Jörn

--
When in doubt, punt. When somebody actually complains, go back and fix it...
The 90% solution is a good thing.
-- Rob Landley
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
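Added illustration of the second case Jörn describes (this is a constructed toy model, not the kernel's random.c and not code from anyone in this thread): if the attacker knows the pool's prior state and the sample mixed in carries only a few bits of entropy, they can enumerate every candidate sample, keep the one consistent with a handful of observed outputs, and from then on predict the generator. The 64-bit pool, the splitmix-style mixing step, the known initial state of zero and the sample sizes are all assumptions made for the demo.

```c
#include <stdint.h>
#include <stdio.h>

/* Toy entropy pool: a 64-bit state updated by a one-way mixing step.
 * Constructed for this example; it is NOT the Linux kernel's pool. */
static uint64_t mix64(uint64_t x)
{
    /* splitmix64-style finaliser: cheap to compute, impractical to
     * invert without knowing the full 64-bit input. */
    x ^= x >> 30; x *= 0xbf58476d1ce4e5b9ULL;
    x ^= x >> 27; x *= 0x94d049bb133111ebULL;
    x ^= x >> 31;
    return x;
}

struct pool { uint64_t state; };

/* Credit one interrupt-time sample (e.g. a register value) to the pool. */
static void pool_add(struct pool *p, uint64_t sample)
{
    p->state = mix64(p->state ^ sample);
}

/* Hand out 32 bits and advance the state so outputs do not repeat. */
static uint32_t pool_get32(struct pool *p)
{
    p->state = mix64(p->state + 0x9e3779b97f4a7c15ULL);
    return (uint32_t)(p->state >> 32);
}

#define MAX_OBS 4

/* Attacker side: the pool's initial state is known (assumption), the
 * mixed-in sample has only `bits` unknown bits, and `n` outputs were
 * observed. Enumerate all 2^bits candidates and replay each one.
 * Returns the unique consistent sample, or UINT64_MAX if none or ambiguous. */
static uint64_t recover_sample(uint64_t known_initial, unsigned bits,
                               const uint32_t *obs, unsigned n)
{
    uint64_t found = UINT64_MAX;
    if (bits >= 64)
        return UINT64_MAX;            /* full state space: not enumerable here */
    for (uint64_t cand = 0; cand < ((uint64_t)1 << bits); cand++) {
        struct pool p = { known_initial };
        unsigned i;
        pool_add(&p, cand);
        for (i = 0; i < n; i++)
            if (pool_get32(&p) != obs[i])
                break;
        if (i == n) {
            if (found != UINT64_MAX)
                return UINT64_MAX;    /* two candidates fit: ambiguous */
            found = cand;
        }
    }
    return found;
}

/* Scenario: the victim mixes `secret` (only `bits` bits unknown to the
 * attacker) into a pool starting from a known state, then hands out `n`
 * outputs. Returns 1 if the attacker both recovers the secret and
 * correctly predicts the victim's NEXT output, else 0. */
static int enumeration_attack(unsigned bits, uint64_t secret, unsigned n)
{
    const uint64_t known_initial = 0;   /* assumption: e.g. state at early boot */
    struct pool victim = { known_initial }, replay = { known_initial };
    uint32_t obs[MAX_OBS];
    uint64_t guess;

    if (n == 0 || n > MAX_OBS || bits >= 64 || (secret >> bits) != 0)
        return 0;

    pool_add(&victim, secret);
    for (unsigned i = 0; i < n; i++)
        obs[i] = pool_get32(&victim);

    guess = recover_sample(known_initial, bits, obs, n);
    if (guess == UINT64_MAX)
        return 0;

    /* Replay with the recovered sample; the attacker now owns the state. */
    pool_add(&replay, guess);
    for (unsigned i = 0; i < n; i++)
        (void)pool_get32(&replay);

    return guess == secret && pool_get32(&replay) == pool_get32(&victim);
}

int main(void)
{
    /* 16 unknown bits: 65536 replays, recovered instantly. */
    printf("16-bit sample, 3 outputs: attack %s\n",
           enumeration_attack(16, 0xBEEF, 3) ? "succeeds" : "fails");
    /* 24 unknown bits: 16M replays, still trivial on one core. */
    printf("24-bit sample, 2 outputs: attack %s\n",
           enumeration_attack(24, 0xABCDEF, 2) ? "succeeds" : "fails");
    return 0;
}
```

The work factor is 2^bits replays, which is why the attack is only a concern when the pool's state is largely known and the credited samples are nearly predictable; once the unknown state exceeds what can be enumerated, matching outputs against candidates stops being feasible, and no amount of output observation tells the attacker which register values were hashed in.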