[PATCH] arm64: random: implement arch_get_random_int/_long based on RNDR

Jason A. Donenfeld Jason at zx2c4.com
Thu Jan 13 05:52:06 PST 2022


On Thu, Jan 13, 2022 at 2:49 PM Ard Biesheuvel <ardb at kernel.org> wrote:
> Sure, but I just retained the original style.
> If I was interested in rewriting this header file, I might consider
> all these options. For now, I am just trying to focus the change on
> the parts that actually matter.

Okay, no problem.

> No it does not. RNDR and RNDRRS both return the output of a DRBG, the
> only difference is the reseed interval.
>
> Specifically, this means that, even though the ARM ARM references NIST
> SP800-90B directly, the RNDRRS construction is a black box containing
> an entropy source + DRBG, and so we shouldn't pretend that RNDRRS
> itself can be treated as a source of true entropy. This is especially
> relevant when it comes to seeding a DRBG of a certain security
> strength N >= the security strength of the hidden DRBG, as
> concatenating multiple RNDRRS results does not satisfy the
> requirements for seeding a DRBG of security strength N.

Huh, interesting. I wonder why that arm.com documentation page is wrong.

Jason
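The point Ard makes above, that concatenating DRBG outputs does not accumulate entropy beyond the strength of the hidden DRBG's seed, can be seen with a toy model. The following is an added illustration, not code from this thread or from the kernel patch; it assumes a hypothetical HMAC-based DRBG with a deliberately tiny 8-bit seed so the whole seed space can be enumerated, and stands in for the RNDRRS black box only to the extent that every output is a function of one seed between reseeds.

```python
import hashlib
import hmac
import math

# Toy parameters (constructed for illustration, not RNDRRS's real values):
# the hidden DRBG is seeded with SEED_BITS bits of entropy and returns
# OUT_BYTES bytes per call between reseeds.
SEED_BITS = 8
OUT_BYTES = 8

def toy_drbg_output(seed: int, n_calls: int) -> bytes:
    """Model a DRBG between reseeds: HMAC-SHA256 keyed with the seed, a
    counter as the message, truncated to OUT_BYTES per call (hypothetical
    construction, chosen only so the output is deterministic in the seed).
    Returns the concatenation of n_calls successive outputs."""
    key = seed.to_bytes(4, "big")
    chunks = []
    for counter in range(n_calls):
        mac = hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        chunks.append(mac[:OUT_BYTES])
    return b"".join(chunks)

def distinct_concatenations(n_calls: int) -> int:
    """Count the different concatenated strings across all seeds. Because
    every output is a function of the seed alone, this can never exceed
    2**SEED_BITS, however many calls are concatenated."""
    return len({toy_drbg_output(seed, n_calls) for seed in range(2 ** SEED_BITS)})

def effective_entropy_bits(n_calls: int) -> float:
    """Upper bound on the entropy of the concatenation (log2 of distinct values)."""
    return math.log2(distinct_concatenations(n_calls))

def nominal_bits(n_calls: int) -> int:
    """What a naive caller assumes: every concatenated bit is fresh entropy."""
    return n_calls * OUT_BYTES * 8

def meets_seed_strength(n_calls: int, required_bits: int) -> bool:
    """True only if the concatenation really carries required_bits of
    entropy, which it cannot once required_bits exceeds SEED_BITS."""
    return effective_entropy_bits(n_calls) >= required_bits

if __name__ == "__main__":
    for calls in (1, 4):
        print(f"{calls} call(s): nominal {nominal_bits(calls)} bits, "
              f"effective <= {effective_entropy_bits(calls):.0f} bits")
    print("seed a 128-bit DRBG from 4 calls?", meets_seed_strength(4, 128))
```

Four calls yield 256 nominal bits but at most 8 bits of entropy, exactly the seed strength of the hidden DRBG.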



More information about the linux-arm-kernel mailing list