Collecting entropy from device_attach() times.
Jonathan Anderson
jonathan.anderson at cl.cam.ac.uk
Wed Sep 19 18:30:58 UTC 2012
On Tuesday, 18 September 2012 at 22:14, Pawel Jakub Dawidek wrote:
> I experimented a bit with collecting entropy from the time it takes for
> device_attach() to run (in CPU cycles). It seems that those times have
> enough variation that we can use it for entropy harvesting. It happens
> even before root is mounted, so pretty early.
>
That sounds really great.
> If all the times are more or less equally probable in this range […]
They're very unlikely to be equally probable. It would make sense to do some characterization of these times and their statistics: a highly non-uniform distribution would mean that we don't actually get many bits per attach.
> […] we have more
> than 19 bits of entropy from this one call, but I reduced if to four
> bits only, because there are devices that are much faster to attach.
>
Another reason for doing the above characterization is that, if a particular device_attach() really does provide 12 bits of uncertainty, it's a shame to drop eight of them on the floor.
> We could make the code more complex by assuming 0.01% of the time
> varies, which should still be safe and will allow to collect more
> entropy from those long calls.
>
I'm a bit leery of assuming that things "should still be safe" for the above reasons. Again, some hard numbers would really help here. Maybe we should even convince a student to do a project. :)
Jon
--
Jonathan Anderson
Research Associate
Computer Laboratory
University of Cambridge
jonathan.anderson at cl.cam.ac.uk
+44 1223 763 747
More information about the freebsd-security
mailing list