On Thu, 2013-07-11 at 13:47 -0700, Andy Isaacson wrote:
> > Linux now also uses a closed RdRand [2] RNG if available.
>
> There was a bunch of churn when this code went in, so I could be wrong,
> but I believe that RdRand is only used to stir the same entropy pool as
> all of the other inputs which are used to generate random data for
> /dev/random et al. It's hard to leverage control of one input to a
> random pool into anything useful.
It's worth noting that the maintainer of record (me) for the Linux RNG
quit the project about two years ago precisely because Linus decided to
include a patch from Intel to allow their unauditable RdRand to bypass
the entropy pool over my strenuous objections.

From a quick skim of current sources, much of that has recently been
rolled back (/dev/random, notably) but kernel-internal entropy users
like sequence numbers and address-space randomization appear to still
be exposed to raw RdRand output.

(And in the meantime, my distrust of Intel's crypto has moved from
"standard professional paranoia" to "actual legitimate concern".)

-- 
Mathematics is the supreme nostalgia of our time.
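The design difference this thread turns on is whether an untrusted hardware source is stirred into the pool alongside everything else or handed to consumers raw. The following is an added illustration, not code from the thread or from the kernel: a toy hash-chained pool stands in for the kernel's input pool, `rdrand_value` models output from a hardware RNG an adversary is assumed to control, and `hidden_inputs` models the other sources (interrupt timings and the like) the adversary cannot see. All names and sample values are constructed for the example.

```python
"""Toy model of "mix an untrusted source into a pool" versus "use it raw".

Constructed illustration only. The pool is a SHA-256 hash chain, not the
kernel's actual mixing function; the point is the trust relationship,
not the primitive.
"""
import hashlib
import os
from typing import Sequence


class EntropyPool:
    """Hash-chained pool: every input is folded into the state, and output
    is derived from the state rather than handed out raw."""

    def __init__(self) -> None:
        self.state = bytes(32)

    def mix(self, data: bytes) -> None:
        # Fold the input into the state; order and content of every input matter.
        self.state = hashlib.sha256(b"mix" + self.state + data).digest()

    def extract(self, n: int = 32) -> bytes:
        out = hashlib.sha256(b"out" + self.state).digest()[:n]
        # Ratchet the state so a later compromise does not reveal this output.
        self.state = hashlib.sha256(b"step" + self.state).digest()
        return out


def direct_output(rdrand_value: bytes) -> bytes:
    """Model of the bypass: the consumer gets the hardware RNG output unmixed."""
    return rdrand_value


def pooled_output(hidden_inputs: Sequence[bytes], rdrand_value: bytes) -> bytes:
    """Model of stirring: the hardware RNG is just one more input to the pool."""
    pool = EntropyPool()
    for inp in hidden_inputs:
        pool.mix(inp)
    pool.mix(rdrand_value)
    return pool.extract()


def attacker_prediction(rdrand_value: bytes) -> bytes:
    """Best guess available to an adversary who controls the hardware RNG
    output but cannot observe the other inputs: the pool with only their
    own contribution in it."""
    return pooled_output([], rdrand_value)


def demo() -> dict:
    """Compare the two designs under an adversary-chosen RdRand value."""
    rigged = b"\x41" * 32                        # attacker-chosen "RdRand" output (constructed)
    hidden = [os.urandom(32), os.urandom(32)]    # stand-in for other entropy sources (constructed)
    return {
        # Raw use: the consumer receives exactly the value the adversary chose.
        "direct_predictable": direct_output(rigged) == rigged,
        # Stirred use: the adversary's prediction misses because the other
        # inputs changed the state before extraction.
        "pooled_predictable": pooled_output(hidden, rigged) == attacker_prediction(rigged),
        # Caveat: with no other entropy in the pool, stirring buys nothing.
        "pooled_without_other_entropy_predictable":
            pooled_output([], rigged) == attacker_prediction(rigged),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The last key in `demo()` is the check worth keeping in mind when reading the "stir it into the pool" argument: mixing neutralises a rigged input only to the extent that the other inputs carry entropy the adversary cannot observe or influence. A consumer that takes the hardware value directly, as the reply above describes for kernel-internal users, gets no such protection regardless of how good the pool is.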
