[Cryptography] OpenSSL CSPRNG work
Theodore Ts'o
tytso at mit.edu
Sat Jul 8 11:38:17 EDT 2017
On Fri, Jul 07, 2017 at 10:21:39PM +0200, Florian Weimer wrote:
> > Super-early in the boot process, there may not be a whole lot that we
> > can do on crappy hardware.
>
> I've seen system boot logs where the SSH prints the key generation
> message after the kernel message indicating that the pool has been
> initialized. And that was about as non-crappy as it gets (x86-64 running
> under KVM, where control *everything*, probably even with RDRAND).
> Admittedly, it was three years ago:
>
> <https://mail.gnome.org/archives/ostree-list/2014-February/msg00010.html>
That was on an Intel architecture. The architectures I'm most
concerned about are ARM and MIPS, some of which don't have a
high-resolution timer, nor a cycle counter, nor RDRAND.
And cheap-sh*t routers tend not to be using x86. Nor do the $40
Android tablets you can pick up at Shenzhen market. I'm not sure how
many of the cheap-sh*t routers are using glibc, though. They may all
be using some other C library in which case maybe it doesn't matter to
you....
- Ted