[PATCH v2] crypto: atmel-sha204a - drop hwrng quality reduction for ATSHA204A
Thorsten Blum
thorsten.blum at linux.dev
Tue Apr 28 05:32:52 PDT 2026
Hi Marek,
On Tue, Apr 28, 2026 at 01:18:08PM +0200, Marek Behún wrote:
> Adding Bill Cox (waywardgeek) to the conversation.
>
> In the meantime Nack from me on this patch.
>
> From the original messages by Bill, it seems to me the part he was reviewing
> was the ATSHA204A.
>
> In subsequent reply [1] Bill states
>
> While there is some evidence, there is still no convincing proof that there
> is an entropy source in this device at all. There is some evidence that
> Atmel has inserted a back-door. My advice is to avoid this line of parts
> from Atmel for cryptographic use.
>
> In another message Peter Gutmann asks about ATECC108 [2] and Bill replies [3]
>
> This part uses the same language to describe the random number generator.
> It is "high quality". I think that's pretty funny.
> I would be interested in seeing if the new part can generate random numbers
> continuously, or if it fails after it's EEPROM wears out like their other
> parts. The use of an EEPROM seed is for PWN-ing your RNG, not making it
> more secure.
>
> IMO the comments from the actual reviewer are more relevant than those of the
> engineer working for the company which was accused of creating low quality
> / backdoored TRNG, at least until the Atmel engineer provides some evaluation
> code for the device (which they suggested they might do [4], but never did as
> far as I can find).
>
> Maybe we can instead change the ATECC quality to something like 32? Does that
> even make sense?
>
> Marek
>
> [1] https://www.metzdowd.com/pipermail/cryptography/2014-December/023857.html
> [2] https://www.metzdowd.com/pipermail/cryptography/2014-December/023870.html
> [3] https://www.metzdowd.com/pipermail/cryptography/2014-December/023879.html
> [4] https://www.metzdowd.com/pipermail/cryptography/2014-December/023886.html
Bill wrote in his review:
"If I made no mistake (and I do make a lot), the "random" data from
the Atmel ATSHA204A is highly predictable when you disable the seed
update to EEPROM."
However, the atmel-sha204a driver doesn't operate the device in that
mode. It uses the Random command with seed updates enabled, which is
also what the datasheet recommends for highest security:
"Microchip recommends that the EEPROM seed always be updated."
So the reported behavior doesn't reflect how the driver uses the device.
Thanks,
Thorsten
More information about the linux-arm-kernel
mailing list