Collecting entropy from device_attach() times.
Dag-Erling Smørgrav
des at des.no
Wed Sep 19 16:52:04 UTC 2012
Pawel Jakub Dawidek <pjd at FreeBSD.org> writes:
> I experimented a bit with collecting entropy from the time it takes for
> device_attach() to run (in CPU cycles). It seems that those times have
> enough variation that we can use it for entropy harvesting. It happens
> even before root is mounted, so pretty early.
Excellent idea :)
> On the machine I'm testing it, which has minimal kernel plus NIC driver
> I see 75 device_attach() calls. I'm being very careful and advertising
> to yarrow that each call has only 4 bits of entropy (most of the time
> there is much more). This gives 300 bits of entropy on this machine
> before we even start init.
Virtual machines (and even some physical hardware) can have as few as 40
devices. I have a VirtualBox instance running 9.1-RC1 that has only 36
devices (based on `sysctl dev | cut -d. -f2-3 | sort -u | wc -l`), and a
soekris net5501 that only has 43. This does not count network
interfaces, though.
> For real hardware like sound card it takes between 34647162 and 35548675
> cycles to run device_attach(), [...]
You can't rely on the existence of a TSC. I would suggest using the
fractional part of binuptime instead.
I would also suggest modifying yarrow to block reseeding as long as
possible, ideally right up until the first time something asks for a
random number, since reseeding throws away all accumulated entropy. I'd
suggest delaying reseeding until right before we start the scheduler,
but if I understand correctly, geom_geli may need randomness before
that?
DES
--
Dag-Erling Smørgrav - des at des.no
More information about the freebsd-security
mailing list