Date: Tue, 8 Apr 2014 00:25:32 -0400 From: Thor Lancelot Simon <t...@panix.com>
> Attached are the changes from the tls-earlyentropy branch, which tries to make the output of /dev/random less predictable -- particularly for an attacker outside the box -- earlier. I intend to merge these soon. Comment would be much appreciated.

I haven't found time to take a close look at these, but my first three quick reactions are:

1. Getting entropy into newly installed systems should be a priority far higher than spending effort trying to estimate newly gathered entropy, and perhaps ought to be discussed and merged separately. (See, e.g., <http://blog.cr.yp.to/20140205-entropy.html>.)

2. I'm inclined to say entropy estimation is something we ought to do *off-line* for every kind of source, and we ought to statically write down an upper bound on the amount of entropy per sample from sources, rather than trying to estimate entropy on-line, with the option of letting the system administrator control it with rndctl (e.g., to say: `I'm about to bang on the keyboard like a monkey, please take that as 1 bit per sample rather than 0 bits per sample').

3. If you really want to use lzf as a dynamic entropy estimator, we'll need to move it into src/sys/external -- kernel sources aren't allowed to rely on anything outside src/sys and src/common (and nothing new is allowed in src/common, I believe).
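The following is an added illustration of the distinction drawn in point 2 above; it is not code from the tls-earlyentropy branch, from NetBSD, or from anyone in this thread. It places a simplified on-line estimator (modelled loosely on the first/second/third-order delta heuristic some kernel RNG drivers use, and explicitly not the lzf-based one in the patch) beside a static per-source upper bound with an rndctl-style administrator override. The `MAX_CREDIT` cap, the source names and bounds, and the LCG and counter sample streams are all constructed for the example. The LCG stream is fully predictable from its seed, so its true entropy toward anyone who knows the seed is zero; the on-line estimator nonetheless credits it close to the cap on every sample, while the static model never credits more than the bound written down for the source.

```c
/* Added illustration, not code from the tls-earlyentropy branch or NetBSD:
 * a simplified on-line delta estimator beside the static per-source bound
 * with administrator override described in point 2.  The LCG and counter
 * sample streams are constructed test inputs. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define MAX_CREDIT 11u   /* assumed per-sample cap for the on-line estimator */

/* floor(log2(x)), with ilog2(0) == 0; avoids <math.h>. */
static unsigned ilog2(uint64_t x)
{
    unsigned n = 0;
    while (x > 1) { x >>= 1; n++; }
    return n;
}

static uint64_t u64abs(int64_t v) { return v < 0 ? (uint64_t)(-v) : (uint64_t)v; }

/* On-line estimator: credit floor(log2) of the smallest of the first-,
 * second- and third-order deltas between consecutive samples, capped at
 * MAX_CREDIT.  A simplified stand-in for the kind of on-line heuristic the
 * thread argues against, not the lzf estimator from the patch. */
struct online_est { int64_t last, last_d1, last_d2; unsigned primed; };

static unsigned online_credit(struct online_est *e, uint32_t sample)
{
    int64_t s = (int64_t)sample;
    int64_t d1 = s - e->last, d2 = d1 - e->last_d1, d3 = d2 - e->last_d2;
    e->last = s; e->last_d1 = d1; e->last_d2 = d2;
    if (e->primed < 3) { e->primed++; return 0; }   /* no history yet */
    uint64_t m = u64abs(d1);
    if (u64abs(d2) < m) m = u64abs(d2);
    if (u64abs(d3) < m) m = u64abs(d3);
    unsigned c = ilog2(m);
    return c > MAX_CREDIT ? MAX_CREDIT : c;
}

static uint64_t online_total(const uint32_t *samples, size_t n)
{
    struct online_est e = { 0, 0, 0, 0 };
    uint64_t total = 0;
    for (size_t i = 0; i < n; i++) total += online_credit(&e, samples[i]);
    return total;
}

/* Constructed source: a 32-bit LCG.  Deterministic given the seed, so its
 * real entropy toward a seed-knowing attacker is 0 bits. */
uint64_t lcg_online_bits(size_t n, uint32_t seed)
{
    uint32_t *buf = malloc(n * sizeof *buf);
    if (buf == NULL) return 0;
    for (size_t i = 0; i < n; i++) {
        seed = seed * 1664525u + 1013904223u;
        buf[i] = seed;
    }
    uint64_t t = online_total(buf, n);
    free(buf);
    return t;
}

/* Constructed source: a plain counter 0, 1, 2, ... */
uint64_t counter_online_bits(size_t n)
{
    uint32_t *buf = malloc(n * sizeof *buf);
    if (buf == NULL) return 0;
    for (size_t i = 0; i < n; i++) buf[i] = (uint32_t)i;
    uint64_t t = online_total(buf, n);
    free(buf);
    return t;
}

/* Static model: each source type carries an off-line-derived upper bound on
 * bits per sample.  An rndctl-style override may raise the credited figure,
 * but never above that bound. */
struct source { const char *name; unsigned bits_per_sample; unsigned hard_max; };

static int source_set_bits(struct source *src, unsigned bits)
{
    if (bits > src->hard_max) return -1;          /* refuse to exceed the bound */
    src->bits_per_sample = bits;
    return 0;
}

static uint64_t static_credit(const struct source *src, size_t nsamples)
{
    return (uint64_t)src->bits_per_sample * nsamples;
}

/* Keyboard source with a 0-bit default and an assumed 2-bit ceiling.
 * Returns bits credited for nsamples, or -1 if the override is refused. */
int64_t static_demo(unsigned override_bits, size_t nsamples)
{
    struct source kbd = { "kbd", 0, 2 };
    if (source_set_bits(&kbd, override_bits) != 0) return -1;
    return (int64_t)static_credit(&kbd, nsamples);
}

int main(void)
{
    printf("on-line estimate, LCG (true entropy 0): %llu bits / 1000 samples\n",
           (unsigned long long)lcg_online_bits(1000, 1));
    printf("on-line estimate, counter:             %llu bits / 1000 samples\n",
           (unsigned long long)counter_online_bits(1000));
    printf("static, kbd default (0 bits/sample):   %lld bits / 100 samples\n",
           (long long)static_demo(0, 100));
    printf("static, override to 1 bit/sample:      %lld bits / 100 samples\n",
           (long long)static_demo(1, 100));
    printf("static, override to 5 bits/sample:     %lld (refused)\n",
           (long long)static_demo(5, 100));
    return 0;
}
```

The counter stream is caught by the delta heuristic only because its second-order delta collapses to zero; the LCG, with no such structure in its deltas, is credited near the cap on almost every sample even though it carries no entropy at all. A statically written bound cannot be fooled that way, and the override path shows where an administrator's knowledge ("I'm about to bang on the keyboard") enters without letting the figure exceed what the off-line analysis allows.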