Hi there,
I learned that FreeBSD is going to release their 10th version without default Padlock and RdRand usage. I read that openSUSE user Mr. Torvalds had bashed a petition campaign that asked him to remove RdRand from /dev/random, as seen below. I'm wondering if any exquisite archers feel threatened by it. If not, why the hell are the BSD maintainers pulling it so hard? The decision was made just a short period before release. It's idiotic to put a foil over your processor while almost all the servers you connect to are not doing anything, but there is this poem saying: "If I don’t burn, if you don’t burn, if we don’t burn, how will the light vanquish the darkness?"
"Linus Torvalds, in response to a petition on Change.org to remove RdRand from /dev/random, has lambasted the petitioner by calling him ignorant for not understanding the code in the Linux Kernel. Kyle Condon from the UK raised a petition on Change.org to get Linus to remove RdRand from /dev/random in a bid 'to improve the overall security of the linux kernel.' In his response, Torvalds asked Condon and the supporters of the petition to gain an understanding of Linux drivers and cryptography, and then 'come back here and admit to the world that you were wrong.' Torvalds stressed that kernel maintainers knew what they were doing and the petitioner didn't. Torvalds, in a similar outburst just yesterday, hoped that 'ARM SoC hardware designers all die in some incredibly painful accident.' This came in response to a message from Kevin Hilman when he noted that there were quite a few conflicts in the ARM SoC pull request for Linux 3.12 which were a result of the platform changes conflicting with driver changes going in to the V4L tree."
Not the proper topic, but I also wonder what an average user can do to disable RdRand, since almost all of us use Intel Ivy Bridges. Not that I'm doing something too secret or something but, as an Aspie, it feels good to be alone.
Offline
FreeBSD is moving to a method that has been in place in Linux for the last 18 months or so (when Ted Ts'o took over as the random maintainer). We use RDRAND, but it is then rehashed, making the HW random part of the creation randomness but not the whole thing.
https://plus.google.com/117091380454742 … uqwpbHKsP4
Edit: Ts'o has an apostrophe in it.
Last edited by WonderWoofy (2013-12-12 01:09:12)
Offline
Yeah, he also said somewhere that Intel asked the kernel developers to adopt RdRand as the sole cryptographic tool, and Ts'o said that “Relying solely on the hardware random number generator which is using an implementation sealed inside a chip which is impossible to audit is a BAD idea.”
I guess using three different means of crypting is good. Did BSD rely solely on hardware? That sounds stupid. I have no deep knowledge about RNGs, but continuing to use RdRand in the long term again seems absurd.
Offline
Not the proper topic, but I also wonder what an average user can do to disable RdRand, since almost all of us use Intel Ivy Bridges. Not that I'm doing something too secret or something but, as an Aspie, it feels good to be alone.
You can disable it for /dev/random by passing kernel parameter "nordrand" to the kernel:
$ grep -i nordrand /etc/default/grub [1]
GRUB_CMDLINE_LINUX_DEFAULT="init=/usr/lib/systemd/systemd acpi_os_name=Linux acpi_osi= elevator=bfq nordrand"
$ cat /proc/cmdline [0]
BOOT_IMAGE=/vmlinuz-linux-ck root=UUID=06874255-7a5d-4968-8f09-1e53cb761f44 rw init=/usr/lib/systemd/systemd acpi_os_name=Linux acpi_osi= elevator=bfq nordrand
Userspace applications can and will still use nordrand since it is a cpu instruction but /dev/random will not. If you want to disable it completely you'll have to roll your own kernel. At least this is my understanding.
Last edited by dodo3773 (2013-12-12 02:48:15)
Offline
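An added example, not part of dodo3773's post or of any project's code: a small shell check that combines the /proc/cmdline lookup shown above with the CPU flag list in /proc/cpuinfo. The function names and the three status words are hypothetical; the file arguments are there so it can also be run against saved copies of those files.

```shell
#!/bin/sh
# Added example: classify RDRAND status for kernel use from the kernel
# command line and the CPU flag list. Names below are illustrative.

# has_word WORD: succeed if stdin contains WORD as a whole
# whitespace-separated token (so "foo=nordrand" does not match).
has_word() {
    tr -s ' \t' '\n\n' | grep -qx -- "$1"
}

# cmdline_has_nordrand [FILE]: was the kernel booted with "nordrand"?
cmdline_has_nordrand() {
    has_word nordrand < "${1:-/proc/cmdline}"
}

# cpu_lists_rdrand [FILE]: does any "flags" line list rdrand?
cpu_lists_rdrand() {
    grep '^flags' "${1:-/proc/cpuinfo}" | has_word rdrand
}

# rdrand_status [CPUINFO] [CMDLINE]: prints disabled, available or absent.
# nordrand is checked first, so the answer does not depend on how the CPU
# flag is reported once the kernel has been told not to use the instruction.
rdrand_status() {
    cpuinfo=${1:-/proc/cpuinfo}
    cmdline=${2:-/proc/cmdline}
    if cmdline_has_nordrand "$cmdline"; then
        echo disabled
    elif cpu_lists_rdrand "$cpuinfo"; then
        echo available
    else
        echo absent
    fi
}

# Report for the running system when the files are readable.
if [ -r /proc/cpuinfo ] && [ -r /proc/cmdline ]; then
    echo "RDRAND for kernel use: $(rdrand_status)"
fi
```

"disabled" here refers only to the kernel's own use, as described in the post above; the instruction itself remains executable from userspace.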
All these talks about security and whatnot have gotten me to think how much "safer" BSDs really are compared to Linux. I mean, OpenBSD for example is focused almost entirely on security and then I wonder, for the average user like myself, how much of an impact will it really have?
If anyone has some interesting links on the matter, I would love to read them!
If you can't sit by a cozy fire with your code in hand enjoying its simplicity and clarity, it needs more work. --Carlos Torres
Offline