On Mon, Oct 14, 2019 at 12:29:57PM -0700, James Bottomley wrote:
> The job of the in-kernel rng is simply to produce a mixed entropy pool from which we can draw random numbers. The idea is that quite a few attackers have identified the rng as being a weak point in the security architecture of the kernel, so if we mix entropy from all the sources we have, you have to compromise most of them to gain some predictive power over the rng sequence.
The documentation says that krng is suitable for key generation. Should the documentation be changed to state that it is unsuitable?
> The point is not how certified the TPM RNG is, the point is that it's a single source and if we rely on it solely for some applications, like trusted keys, then it gives the attackers a single known point to go after. This may be impossible for script kiddies, but it won't be for nation states ... are you going to exclusively trust the random number you got from your Chinese certified TPM?
I'd suggest an approach where the TPM RNG result is XORed with the krng result.
> Remember also that the attack doesn't have to be to the TPM only, it could be the pathway by which we get the random number, which involves components outside of the TPM certification.
Yeah, I do get this.
/Jarkko
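As an added illustration of the XOR combiner suggested in the thread (example code, not from the thread or the kernel tree): a userspace model of mixing a TPM output with a kernel RNG output. In-kernel the two inputs would come from tpm_get_random() and get_random_bytes(); the sample bytes here are constructed, and the second function shows the caveat that XOR only protects while the sources are independent.

```c
#include <stdint.h>
#include <string.h>
#define KEY_LEN 32
/* Byte-wise XOR of nsrc equal-length buffers. Each source is an independent
 * mask, so the output is uniform if any one source is uniform and independent. */
static void xor_combine(const uint8_t *const *srcs, size_t nsrc, size_t len, uint8_t *out)
{
    memset(out, 0, len);
    for (size_t i = 0; i < nsrc; i++)
        for (size_t j = 0; j < len; j++)
            out[j] ^= srcs[i][j];
}

/* Constructed stand-ins, not real RNG output: tpm = what a compromised TPM
 * emits (fully known to the attacker), krng = a still-secret pool output. */
static void fill_sources(uint8_t *tpm, uint8_t *krng)
{
    for (size_t i = 0; i < KEY_LEN; i++) {
        tpm[i] = (uint8_t)(0x5a + 7 * i);
        krng[i] = (uint8_t)(0xc3 ^ (31 * i)); /* never zero for i < 32 */
    }
}

/* Attacker knows every TPM byte and guesses the kernel bytes as zero, so the
 * predicted key is tpm itself. Returns how many key bytes that gets right. */
static size_t bytes_predicted_by_tpm_only_attacker(void)
{
    uint8_t tpm[KEY_LEN], krng[KEY_LEN], key[KEY_LEN];
    const uint8_t *srcs[2] = { tpm, krng };
    fill_sources(tpm, krng);
    xor_combine(srcs, 2, KEY_LEN, key);
    size_t hits = 0;
    for (size_t i = 0; i < KEY_LEN; i++)
        hits += (key[i] == tpm[i]);
    return hits; /* 0: recovering the key is exactly as hard as guessing krng */
}

/* Caveat: XOR only helps when the sources are independent. A source that can
 * observe its peer and echo it cancels every byte; returns the zero count. */
static size_t zero_bytes_with_echoing_source(void)
{
    uint8_t krng[KEY_LEN], key[KEY_LEN];
    fill_sources(key, krng);                 /* key is scratch here */
    const uint8_t *srcs[2] = { krng, krng }; /* adversarial "TPM" echoes the pool */
    xor_combine(srcs, 2, KEY_LEN, key);
    size_t zeros = 0;
    for (size_t i = 0; i < KEY_LEN; i++)
        zeros += (key[i] == 0);
    return zeros; /* KEY_LEN */
}
```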