From owner-freebsd-security@FreeBSD.ORG Tue Sep 18 21:14:10 2012 Return-Path: Delivered-To: freebsd-security@FreeBSD.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id DC6601065672 for ; Tue, 18 Sep 2012 21:14:10 +0000 (UTC) (envelope-from pawel@dawidek.net) Received: from mail.dawidek.net (garage.dawidek.net [91.121.88.72]) by mx1.freebsd.org (Postfix) with ESMTP id A18C38FC08 for ; Tue, 18 Sep 2012 21:14:10 +0000 (UTC) Received: from localhost (89-73-195-149.dynamic.chello.pl [89.73.195.149]) by mail.dawidek.net (Postfix) with ESMTPSA id 7774A1B6 for ; Tue, 18 Sep 2012 23:13:09 +0200 (CEST) Date: Tue, 18 Sep 2012 23:14:22 +0200 From: Pawel Jakub Dawidek To: freebsd-security@FreeBSD.org Message-ID: <20120918211422.GA1400@garage.freebsd.pl> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="Q68bSM7Ycu6FN28Q" Content-Disposition: inline X-OS: FreeBSD 10.0-CURRENT amd64 User-Agent: Mutt/1.5.21 (2010-09-15) X-Mailman-Approved-At: Tue, 18 Sep 2012 21:23:40 +0000 Cc: Subject: Collecting entropy from device_attach() times. X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 18 Sep 2012 21:14:11 -0000 --Q68bSM7Ycu6FN28Q Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable Hi. I experimented a bit with collecting entropy from the time it takes for device_attach() to run (in CPU cycles). It seems that those times have enough variation that we can use it for entropy harvesting. It happens even before root is mounted, so pretty early. On the machine I'm testing it, which has minimal kernel plus NIC driver I see 75 device_attach() calls. I'm being very careful and advertising to yarrow that each call has only 4 bits of entropy (most of the time there is much more). This gives 300 bits of entropy on this machine before we even start init. For real hardware like sound card it takes between 34647162 and 35548675 cycles to run device_attach(), so the difference here is 901513. If all the times are more or less equally probable in this range we have more than 19 bits of entropy from this one call, but I reduced if to four bits only, because there are devices that are much faster to attach. We could make the code more complex by assuming 0.01% of the time varies, which should still be safe and will allow to collect more entropy from those long calls. The patch is here: http://people.freebsd.org/~pjd/patches/harvest_device_attach.patch Comments? --=20 Pawel Jakub Dawidek http://www.wheelsystems.com FreeBSD committer http://www.FreeBSD.org Am I Evil? Yes, I Am! http://tupytaj.pl --Q68bSM7Ycu6FN28Q Content-Type: application/pgp-signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.19 (FreeBSD) iEYEARECAAYFAlBY5CoACgkQForvXbEpPzSxewCdGYz/LSd3nDjqKJXY/++5fBGW ucUAn2unEr8oDCXKo2m4pyKgAy7UDpNB =6LoM -----END PGP SIGNATURE----- --Q68bSM7Ycu6FN28Q--