gcoguiec
8 hours ago
Great article!
> When a new hardware RNG is registered by the kernel, it is used right away to add entropy to the system.
If I understand correctly, the new hwrng will be used immediately if there's no current active hwrng or if the new hwrng quality is greater than the current active one and no userspace hwrng was set [0].
Also the "it is used right away" link is pointing to [1], but I'm wondering if it should not be pointing to [2] instead?
- [0] https://elixir.bootlin.com/linux/v6.11/source/drivers/char/h...
- [1] https://elixir.bootlin.com/linux/v6.11/source/drivers/char/h...
- [2] https://elixir.bootlin.com/linux/v6.11/source/drivers/char/h...
panarky
7 hours ago
It's curious that only one HWRNG can be current at once.
Because adding more sources of randomness, even if they're lower quality, can't reduce the total randomness.
If the quality of HWRNG-A is 400 and HWRNG-B is 600, the quality of XOR(HWRNG-A, HWRNG-B) will be greater than 600.
pclmulqdq
7 hours ago
You wouldn't XOR-combine, you would hash them together. Something like:
SHA256(32B from HWRNG-A || 32B from HWRNG-B)
still guarantees you 32 bytes of entropy if either HWRNG-A or HWRNG-B is compromised, and if HWRNG-A and HWRNG-B are both partially compromised you also get 32 bytes of entropy. XOR has weird failure modes (e.g., if HWRNG-A and HWRNG-B are correlated).
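The correlated-source failure mode mentioned above, as an added example that is not part of the thread or of the kernel's code: it compares an XOR combiner with SHA256(A || B) over simulated 32-byte reads. The seeded PRNG standing in for the hardware sources, the scenario names and the helper functions are all assumptions made for the illustration.

```python
import hashlib
import random

def xor_combine(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def hash_combine(a: bytes, b: bytes) -> bytes:
    # SHA256(32B from HWRNG-A || 32B from HWRNG-B), as in the comment above
    return hashlib.sha256(a + b).digest()

def read32(rng: random.Random) -> bytes:
    # Simulated 32-byte read; a seeded PRNG stands in for a hardware source.
    return rng.getrandbits(256).to_bytes(32, "big")

# Constructed scenarios describing how source B relates to source A.
SCENARIOS = ("independent", "b_stuck", "b_mirrors_a", "b_inverts_a")

def distinct_outputs(combine, scenario: str, samples: int = 1000) -> int:
    """Count distinct combiner outputs; a crude proxy, not an entropy estimate."""
    rng = random.Random(1234)  # fixed seed so the run is reproducible
    seen = set()
    for _ in range(samples):
        a = read32(rng)
        if scenario == "independent":
            b = read32(rng)
        elif scenario == "b_stuck":        # B failed and returns zeros
            b = bytes(32)
        elif scenario == "b_mirrors_a":    # B is fully correlated with A
            b = a
        elif scenario == "b_inverts_a":    # B is the bitwise complement of A
            b = bytes(x ^ 0xFF for x in a)
        else:
            raise ValueError(scenario)
        seen.add(combine(a, b))
    return len(seen)

if __name__ == "__main__":
    for s in SCENARIOS:
        print(f"{s:12} xor={distinct_outputs(xor_combine, s):5} "
              f"hash={distinct_outputs(hash_combine, s):5}")
```

With a stuck source both combiners still pass A's variability through; with the two correlated scenarios the XOR output collapses to a single constant while the hash output does not.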
pclmulqdq
7 hours ago
That is correct. By default, the new hardware RNG should be used. I'm surprised that this is actually a problem that Trail of Bits mentioned.