On Sat, May 30, 2026 at 05:05:19PM +0200, Aleksander Jan Bajkowski wrote: > Hi Eric, > > On 30/05/2026 00:04, Eric Biggers wrote: > > Remove crypto4xx_rng, as it is insecure and unused: > > > > - It has only a 64-bit security strength, which is highly inadequate. > > This can be seen by the fact that crypto4xx_hw_init() seeds it with > > only 64 bits of entropy, and the fact that the original commit > > mentions that it implements ANSI X9.17 Annex C. > > In addition to a seed, the PRNG also uses ring oscillators as sources of > entropy. The entropy should be higher than 64b. This is the Rambus EIP-73d > IP core. The same IP core is built into eip93 (EIP-73a), eip97 (EIP-73d), > and eip197 (EIP-73d). You can find the documentation online. The complete > "container" is actually Rambus EIP-94, and one of its parts is EIP-73d.
Just because it may have another source of entropy doesn't mean its security strength is higher than 64 bits. I cannot find any documentation other than https://datasheet.octopart.com/PPC460EX-SUB800T-AMCC-datasheet-11553412.pdf which says "ANSI X9.17 Annex C compliant using a DES algorithm". DES actually has a 56-bit key, so maybe I was over-generous. And according to https://cacr.uwaterloo.ca/hac/about/chap5.pdf ANSI X9.17 has only a 64-bit state anyway. So even if we assume the datasheet is incorrect and the algorithm is actually 3DES which has a longer key, the state is likely still 64-bit. So it isn't looking good. And since it's an undocumented proprietary design it shouldn't be given the benefit of the doubt either. > This PRNG is also used internally for Generation IV with IPSEC offload. The > IPSEC offload implementation for eip93 was recently submitted to upstream. > I am not sure whether eip94 shares some of the logic for IPSEC offload and > it will be possible to use some of the code. That's not related to this patch. - Eric
