[Cryptography] RNG design principles
Ralf Senderek
crypto at senderek.ie
Sun Nov 27 08:00:06 EST 2016
On Sat, 26 Nov 2016, John Denker wrote:
> Thanks! That sounds like a big step in the right direction.
> This is really important, because it is one of precious few
> ways of getting randomness into the system /early enough/.
>
> In particular, is it possible for *grub* to scribble into the
> configuration table? This is important, because what we face
> is partly an interface plumbing problem.
>
> 1) There are situations where it would be a big win to have
> grub pass a seed, taken from the grub configuration file,
> updated between one boot and the next via:
> grub-editenv /boot/grub/grubenv set randomseed=0:yBwrcLYCLept2GTvVyRQmnGikarfOmZ3
Both "grub.cfg" and "grubenv" are traditionally world-readable because
they are not perceived as containing secret information.
Of course grub could be changed to limit read permission to root, but
that brings us back to the question of whether there is a better way to secure
the secret seed than to store it in the file system.
--ralf
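
The exposure described in this message can be checked on a given system. The following is an added example, not part of the original message or of GRUB: a POSIX shell audit that reports whether a file holding a `randomseed=` entry (the variable name from the quoted grub-editenv command) is readable by group or other. The function names are illustrative assumptions.

```shell
#!/bin/sh
# Added example (not from the original message). "randomseed" is the variable
# name in the quoted grub-editenv command; function names are illustrative.

# Succeeds if FILE contains a randomseed= entry.
seed_present() {
    grep -q '^randomseed=' "$1" 2>/dev/null
}

# Succeeds if group or other holds read permission on FILE.
readable_by_others() {
    [ -n "$(find "$1" -prune \( -perm -040 -o -perm -004 \) 2>/dev/null)" ]
}

# Returns 0 = no exposed seed, 1 = seed readable by non-owners, 2 = no such file.
audit_seed_file() {
    if [ ! -f "$1" ]; then
        echo "MISSING  $1"
        return 2
    fi
    if seed_present "$1" && readable_by_others "$1"; then
        echo "EXPOSED  $1 (seed readable by group/other)"
        return 1
    fi
    echo "OK       $1"
    return 0
}

# Audit every file named on the command line, e.g. /boot/grub/grubenv.
if [ "$#" -gt 0 ]; then
    for f in "$@"; do
        audit_seed_file "$f" || true
    done
fi
```

A file reported as OK only means the mode bits keep group and other out; backups and other copies of the same file are not covered by this check.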