[Cryptography] RNG design principles
ard.biesheuvel at gmail.com
Sat Nov 26 02:42:54 EST 2016
2016-11-25 0:23 GMT+00:00 John Denker <jsd at av8n.com>:
> Very specific constructive suggestion:
> If somebody would like to do something that would help in a
> big way, figure out how to pass a seed via the kernel command
> line at boot time ... and then keep it secret thereafter.
> Keeping it secret is harder than it might sound, because
> command line processing differs from platform to platform,
> and because the kernel copies the command line all over the
> place and munges it in various ways.
> In general, when something was built without security in
> mind, trying to go back and add security is a big hassle.
> This is however worth the trouble, because it is a systematic
> way of solving a number of problems having to do with the
> need for random numbers early in the boot process.
> -- Grub can pass a seed on the command line.
> -- A sufficiently meticulous user can roll some dice and
> pass a seed on the command line.
> -- A VM host can pass a seed on each guest's command line.
> -- et cetera.
> We can discuss this in more detail if anybody is interested.
I have recently implemented early seeding of the kernel's entropy pool
for ARM and arm64 UEFI systems, in a way that x86 should be able to
reuse. The patches are queued up for inclusion in Linux v4.10.
The seed is obtained from the firmware's implementation of
EFI_RNG_PROTOCOL, which is usually implemented on top of some on-chip
RNG peripheral (but it could be a chaoskey as well, once my buddy Leif
completes the UEFI driver for it). The UEFI firmware for VMs (OVMF
for x86, ArmVirtQemu for ARM/arm64) also implements this protocol
based on the virtio-rng device.
The seed is passed to the kernel via a UEFI configuration table, which
is a standard mechanism for the firmware to expose information to the
OS. This data is not visible outside of the kernel, unless it is
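The handoff described above (firmware fills a table from its RNG, the kernel mixes the seed in and then keeps it from leaking), as a constructed C illustration added here, not code from the kernel patches or from UEFI: the table layout, the stand-in RNG call and the toy pool mixing are all assumptions of this example.

```c
#include <stdint.h>
#include <string.h>

/* Assumed layout for the seed table handed from firmware to the OS:
 * a byte count followed by the seed bytes. This is an assumption of the
 * example, not the kernel's or the UEFI specification's definition. */
#define SEED_BYTES 32
struct seed_table {
    uint32_t size;
    uint8_t bits[SEED_BYTES];
};

/* Stand-in for the firmware's RNG protocol call (e.g. EFI_RNG_PROTOCOL).
 * Deterministic filler so the example runs offline; real firmware would
 * read an on-chip RNG or virtio-rng here. */
static int fake_get_rng(uint8_t *out, size_t len) {
    for (size_t i = 0; i < len; i++) out[i] = (uint8_t)(0xA5 ^ (i * 7));
    return 0;
}

/* Firmware side: populate the configuration table before handing over
 * control to the OS. */
int firmware_install_seed(struct seed_table *t) {
    t->size = SEED_BYTES;
    return fake_get_rng(t->bits, t->size);
}

/* Wipe through a volatile pointer so the compiler cannot drop the stores. */
static void wipe(volatile uint8_t *p, size_t n) { while (n--) *p++ = 0; }

/* Kernel side: validate the table, mix the seed into the pool, then erase
 * the table in place so the seed does not survive in firmware-provided
 * memory (the "keep it secret thereafter" property raised in the thread).
 * The mixing is a toy FNV-style fold, not a real entropy pool. */
uint64_t kernel_consume_seed(struct seed_table *t, uint64_t pool) {
    if (t->size == 0 || t->size > SEED_BYTES) return pool; /* reject bad table */
    for (uint32_t i = 0; i < t->size; i++)
        pool = (pool ^ t->bits[i]) * 0x100000001b3ULL;
    wipe(t->bits, t->size);
    t->size = 0;
    return pool;
}

/* Check that nothing of the seed remains after consumption. */
int seed_table_is_clean(const struct seed_table *t) {
    if (t->size != 0) return 0;
    for (size_t i = 0; i < SEED_BYTES; i++) if (t->bits[i]) return 0;
    return 1;
}
```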