RNDR/SS vs. SMCCC

Ard Biesheuvel ardb at kernel.org
Thu Jun 3 00:10:17 PDT 2021 

On Thu, 3 Jun 2021 at 03:41, Benjamin Herrenschmidt
<benh at kernel.crashing.org> wrote:
>
> On Thu, 2021-06-03 at 01:19 +0100, Andre Przywara wrote:
> >
> > You mean like this?
> > https://gitlab.arm.com/linux-arm/linux-ap/-/commit/87e3722f437f9c3f09397e0e9812e6509c94786a
>
> Yes. We have a similar one in Amazon Linux which I think Ali submitted
> a while back but never went upstream.
>

I think it is fine to have something like this upstream. At the time,
I asked Andre not to include it, in order to keep the discussion
focused on the SMCCC and arch hook bits. This is all sorted now, so I
think it makes sense to upstream this.

> > This is not reviewed nor widely tested, but I used it for assessing the
> > quality of the SMCCC provided numbers on the Juno board using rngtest.
> > I think one problem was that this opens the SMCCC to userland, so the
> > entropy could be depleted from there (again under the assumption that
> > this is really a problem in practice).
>
> IMHO, userland can always adjust permission to /dev/hwrng if it wishes
> to do so...
>

True. However, the way things are currently set up, the hwrng is used
both either internally (if the entropy estimate is high enough) or via
rngd in user space to read from /dev/hwrng and write it back to
/dev/random. This is kind of pointless in this case, although not
harmful per se

> > I would be interested to hear opinions on this.
>
> The issue is with things like FIPS certification (and other such
> horrors) where I believe /dev/random is much harder to deal with since
> it mixes multiple entropy sources.
>

/dev/random is not an entropy source but a random number generator. I
agree with your characterization of FIPS in the general case, but the
/dev/random kludge we have is not pretty either :-)

Note that NIST SP800-90A/B compliance has similar requirements, i.e.,
if user space wants to seed its own DRBG in user space and comply with
these specs, it needs a compliant entropy source as well. However,
health tests on the entropy source are also mandated, and it is not
clear to me how that would fit into the SMCCC + /dev/hwrng
arrangement.

More information about the linux-arm-kernel mailing list