DOCSLIB.ORG

Documentation and Analysis of the Linux Random Number Generator

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Documentation and Analysis of the Linux Random Number Generator Documentation and Analysis of the Linux Random Number Generator Version: 4.4 Document history Version Date Editor Description 4.0 2020-07-15 Stephan Müller Kernel version 5.6 4.1 2020-07-15 Stephan Müller Kernel version 5.7 4.2 2020-08-03 Stephan Müller Kernel version 5.8 4.3 2020-10-12 Stephan Müller Kernel version 5.9 4.4 2021-01-05 Stephan Müller Kernel version 5.10 This analysis was prepared for BSI by atsec information security GmbH. Federal Office for Information Security Post Box 20 03 63 D-53133 Bonn Internet: https://www.bsi.bund.de © Federal Office for Information Security 2021 Table of Contents Table of Contents Document history.............................................................................................................................................................................. 2 1 Introduction......................................................................................................................................................................................... 7 1.1 Authors............................................................................................................................................................................................. 8 1.2 Copyright......................................................................................................................................................................................... 8 1.3 BSI-Reference................................................................................................................................................................................ 8 2 Architecture of Non-Deterministic Random Number Generators (NDRNGs).....................................................9 2.1 Terminology.................................................................................................................................................................................. 9 2.2 General Architecture............................................................................................................................................................... 11 3 Design of the Linux-RNG............................................................................................................................................................. 14 3.1 Historical Background............................................................................................................................................................ 14 3.2 Linux-RNG Architecture....................................................................................................................................................... 14 3.2.1 Linux-RNG Internal Design.......................................................................................................................................... 15 3.3 Deterministic Random Number Generators (DRNGs)............................................................................................17 3.3.1 Entropy Pool input_pool................................................................................................................................................ 17 3.3.2 ChaCha20 DRNG................................................................................................................................................................ 26 3.4 Interfaces to Linux-RNG....................................................................................................................................................... 31 3.4.1 Character Device Files...................................................................................................................................................... 31 3.4.2 System Call............................................................................................................................................................................ 34 3.4.3 In-Kernel Interfaces.......................................................................................................................................................... 34 3.4.4 /proc Files.............................................................................................................................................................................. 35 3.5 Entropy Sources......................................................................................................................................................................... 36 3.5.1 Timer State Maintenance for Entropy Sources....................................................................................................36 3.5.2 Entropy Collection............................................................................................................................................................ 38 3.6 Entropy Estimation.................................................................................................................................................................. 50 3.7 Generic Architecture and Linux-RNG............................................................................................................................53 3.8 Use of the Linux-RNG............................................................................................................................................................. 55 3.9 Hardware-based Random Number Generators..........................................................................................................56 3.9.1 CPU Hardware Random Number Generators......................................................................................................56 3.9.2 Hardware Random Number Generator Framework.........................................................................................57 3.10 Support Functions for Other Kernel Parts....................................................................................................................59 3.11 Time Line of Entropy Requirements...............................................................................................................................60 3.11.1 Installation Time................................................................................................................................................................ 60 3.11.2 First Reboot After Installation...................................................................................................................................... 61 3.11.3 Regular Usage....................................................................................................................................................................... 61 3.12 Security Domain Protecting the Linux-RNG...............................................................................................................61 4 Conducted Analyses of the Linux-RNG................................................................................................................................ 63 4.1 Attacks of Gutterman et al. and its Relevance.............................................................................................................63 4.1.1 Denial of Service Attacks................................................................................................................................................ 63 4.1.2 Use of Diskless Systems................................................................................................................................................... 63 4.1.3 Enhanced Backward Secrecy........................................................................................................................................ 64 4.2 Lacharme’s Analysis................................................................................................................................................................. 64 4.2.1 Linux-RNG Without Input to the Entropy Pools................................................................................................64 4.2.2 Attacks on the Input......................................................................................................................................................... 64 4.2.3 Assessment of the Entropy Estimation....................................................................................................................64 Federal Office for Information Security 3 Table of Contents 4.3 Conclusions from [LRSV12] and [GPR06]......................................................................................................................64 4.4 Considerations by Müller...................................................................................................................................................... 65 5 Coverage of BSI Requirements NTG.1 and DRG.3...........................................................................................................68 5.1 Approach to NTG.1................................................................................................................................................................... 68 5.2 input_pool: NTG.1..................................................................................................................................................................... 69 5.2.1 NTG.1.1.................................................................................................................................................................................... 69 5.2.2 NTG.1.2...................................................................................................................................................................................
Load more

Recommended publications
  • Bootstomp: on the Security of Bootloaders in Mobile Devices
    BootStomp: On the Security of Bootloaders in Mobile Devices Nilo Redini, Aravind Machiry, Dipanjan Das, Yanick Fratantonio, Antonio Bianchi, Eric Gustafson, Yan Shoshitaishvili, Christopher Kruegel, and Giovanni Vigna, UC Santa Barbara https://www.usenix.org/conference/usenixsecurity17/technical-sessions/presentation/redini This paper is included in the Proceedings of the 26th USENIX Security Symposium August 16–18, 2017 • Vancouver, BC, Canada ISBN 978-1-931971-40-9 Open access to the Proceedings of the 26th USENIX Security Symposium is sponsored by USENIX BootStomp: On the Security of Bootloaders in Mobile Devices Nilo Redini, Aravind Machiry, Dipanjan Das, Yanick Fratantonio, Antonio Bianchi, Eric Gustafson, Yan Shoshitaishvili, Christopher Kruegel, and Giovanni Vigna fnredini, machiry, dipanjan, yanick, antoniob, edg, yans, chris, [email protected] University of California, Santa Barbara Abstract by proposing simple mitigation steps that can be im- plemented by manufacturers to safeguard the bootloader Modern mobile bootloaders play an important role in and OS from all of the discovered attacks, using already- both the function and the security of the device. They deployed hardware features. help ensure the Chain of Trust (CoT), where each stage of the boot process verifies the integrity and origin of 1 Introduction the following stage before executing it. This process, in theory, should be immune even to attackers gaining With the critical importance of the integrity of today’s full control over the operating system, and should pre- mobile and embedded devices, vendors have imple- vent persistent compromise of a device’s CoT. However, mented a string of inter-dependent mechanisms aimed at not only do these bootloaders necessarily need to take removing the possibility of persistent compromise from untrusted input from an attacker in control of the OS in the device.
    [Show full text]
  • Chapter 5 Names, Bindings, and Scopes
    Chapter 5 Names, Bindings, and Scopes 5.1 Introduction 198 5.2 Names 199 5.3 Variables 200 5.4 The Concept of Binding 203 5.5 Scope 211 5.6 Scope and Lifetime 222 5.7 Referencing Environments 223 5.8 Named Constants 224 Summary • Review Questions • Problem Set • Programming Exercises 227 CMPS401 Class Notes (Chap05) Page 1 / 20 Dr. Kuo-pao Yang Chapter 5 Names, Bindings, and Scopes 5.1 Introduction 198 Imperative languages are abstractions of von Neumann architecture – Memory: stores both instructions and data – Processor: provides operations for modifying the contents of memory Variables are characterized by a collection of properties or attributes – The most important of which is type, a fundamental concept in programming languages – To design a type, must consider scope, lifetime, type checking, initialization, and type compatibility 5.2 Names 199 5.2.1 Design issues The following are the primary design issues for names: – Maximum length? – Are names case sensitive? – Are special words reserved words or keywords? 5.2.2 Name Forms A name is a string of characters used to identify some entity in a program. Length – If too short, they cannot be connotative – Language examples: . FORTRAN I: maximum 6 . COBOL: maximum 30 . C99: no limit but only the first 63 are significant; also, external names are limited to a maximum of 31 . C# and Java: no limit, and all characters are significant . C++: no limit, but implementers often impose a length limitation because they do not want the symbol table in which identifiers are stored during compilation to be too large and also to simplify the maintenance of that table.
    [Show full text]
  • Gotcha Again More Subtleties in the Verilog and Systemverilog Standards That Every Engineer Should Know
    Gotcha Again More Subtleties in the Verilog and SystemVerilog Standards That Every Engineer Should Know Stuart Sutherland Sutherland HDL, Inc. [email protected] Don Mills LCDM Engineering [email protected] Chris Spear Synopsys, Inc. [email protected] ABSTRACT The definition of gotcha is: “A misfeature of....a programming language...that tends to breed bugs or mistakes because it is both enticingly easy to invoke and completely unexpected and/or unreasonable in its outcome. A classic gotcha in C is the fact that ‘if (a=b) {code;}’ is syntactically valid and sometimes even correct. It puts the value of b into a and then executes code if a is non-zero. What the programmer probably meant was ‘if (a==b) {code;}’, which executes code if a and b are equal.” (http://www.hyperdictionary.com/computing/gotcha). This paper documents 38 gotchas when using the Verilog and SystemVerilog languages. Some of these gotchas are obvious, and some are very subtle. The goal of this paper is to reveal many of the mysteries of Verilog and SystemVerilog, and help engineers understand the important underlying rules of the Verilog and SystemVerilog languages. The paper is a continuation of a paper entitled “Standard Gotchas: Subtleties in the Verilog and SystemVerilog Standards That Every Engineer Should Know” that was presented at the Boston 2006 SNUG conference [1]. SNUG San Jose 2007 1 More Gotchas in Verilog and SystemVerilog Table of Contents 1.0 Introduction ............................................................................................................................3 2.0 Design modeling gotchas .......................................................................................................4 2.1 Overlapped decision statements ................................................................................... 4 2.2 Inappropriate use of unique case statements ...............................................................
    [Show full text]
  • Oracle® Linux 7 Release Notes for Oracle Linux 7.2
    Oracle® Linux 7 Release Notes for Oracle Linux 7.2 E67200-22 March 2021 Oracle Legal Notices Copyright © 2015, 2021 Oracle and/or its affiliates. This software and related documentation are provided under a license agreement containing restrictions on use and disclosure and are protected by intellectual property laws. Except as expressly permitted in your license agreement or allowed by law, you may not use, copy, reproduce, translate, broadcast, modify, license, transmit, distribute, exhibit, perform, publish, or display any part, in any form, or by any means. Reverse engineering, disassembly, or decompilation of this software, unless required by law for interoperability, is prohibited. The information contained herein is subject to change without notice and is not warranted to be error-free. If you find any errors, please report them to us in writing. If this is software or related documentation that is delivered to the U.S. Government or anyone licensing it on behalf of the U.S. Government, then the following notice is applicable: U.S. GOVERNMENT END USERS: Oracle programs (including any operating system, integrated software, any programs embedded, installed or activated on delivered hardware, and modifications of such programs) and Oracle computer documentation or other Oracle data delivered to or accessed by U.S. Government end users are "commercial computer software" or "commercial computer software documentation" pursuant to the applicable Federal Acquisition Regulation and agency-specific supplemental regulations. As such, the use, reproduction, duplication, release, display, disclosure, modification, preparation of derivative works, and/or adaptation of i) Oracle programs (including any operating system, integrated software, any programs embedded, installed or activated on delivered hardware, and modifications of such programs), ii) Oracle computer documentation and/or iii) other Oracle data, is subject to the rights and limitations specified in the license contained in the applicable contract.
    [Show full text]
  • FAN53525 3.0A, 2.4Mhz, Digitally Programmable Tinybuck® Regulator
    FAN53525 — 3.0 A, 2.4 MHz, June 2014 FAN53525 3.0A, 2.4MHz, Digitally Programmable TinyBuck® Regulator Digitally Programmable TinyBuck Digitally Features Description . Fixed-Frequency Operation: 2.4 MHz The FAN53525 is a step-down switching voltage regulator that delivers a digitally programmable output from an input . Best-in-Class Load Transient voltage supply of 2.5 V to 5.5 V. The output voltage is 2 . Continuous Output Current Capability: 3.0 A programmed through an I C interface capable of operating up to 3.4 MHz. 2.5 V to 5.5 V Input Voltage Range Using a proprietary architecture with synchronous . Digitally Programmable Output Voltage: rectification, the FAN53525 is capable of delivering 3.0 A - 0.600 V to 1.39375 V in 6.25 mV Steps continuous at over 80% efficiency, maintaining that efficiency at load currents as low as 10 mA. The regulator operates at Programmable Slew Rate for Voltage Transitions . a nominal fixed frequency of 2.4 MHz, which reduces the . I2C-Compatible Interface Up to 3.4 Mbps value of the external components to 330 nH for the output inductor and as low as 20 µF for the output capacitor. PFM Mode for High Efficiency in Light Load . Additional output capacitance can be added to improve . Quiescent Current in PFM Mode: 50 µA (Typical) regulation during load transients without affecting stability, allowing inductance up to 1.2 µH to be used. Input Under-Voltage Lockout (UVLO) ® At moderate and light loads, Pulse Frequency Modulation Regulator Thermal Shutdown and Overload Protection . (PFM) is used to operate in Power-Save Mode with a typical .
    [Show full text]
  • An Emerging Architecture in Smart Phones
    International Journal of Electronic Engineering and Computer Science Vol. 3, No. 2, 2018, pp. 29-38 http://www.aiscience.org/journal/ijeecs ARM Processor Architecture: An Emerging Architecture in Smart Phones Naseer Ahmad, Muhammad Waqas Boota * Department of Computer Science, Virtual University of Pakistan, Lahore, Pakistan Abstract ARM is a 32-bit RISC processor architecture. It is develop and licenses by British company ARM holdings. ARM holding does not manufacture and sell the CPU devices. ARM holding only licenses the processor architecture to interested parties. There are two main types of licences implementation licenses and architecture licenses. ARM processors have a unique combination of feature such as ARM core is very simple as compare to general purpose processors. ARM chip has several peripheral controller, a digital signal processor and ARM core. ARM processor consumes less power but provide the high performance. Now a day, ARM Cortex series is very popular in Smartphone devices. We will also see the important characteristics of cortex series. We discuss the ARM processor and system on a chip (SOC) which includes the Qualcomm, Snapdragon, nVidia Tegra, and Apple system on chips. In this paper, we discuss the features of ARM processor and Intel atom processor and see which processor is best. Finally, we will discuss the future of ARM processor in Smartphone devices. Keywords RISC, ISA, ARM Core, System on a Chip (SoC) Received: May 6, 2018 / Accepted: June 15, 2018 / Published online: July 26, 2018 @ 2018 The Authors. Published by American Institute of Science. This Open Access article is under the CC BY license.
    [Show full text]
  • Mediatek Linkit™ Development Platform for RTOS Get Started Guide
    MediaTek LinkIt™ Development Platform for RTOS Get Started Guide Version: 3.0 Release date: 30 June 2016 © 2015 - 2016 MediaTek Inc. This document contains information that is proprietary to MediaTek Inc. (“MediaTek”) and/or its licensor(s). MediaTek cannot grant you permission for any material that is owned by third parties. You may only use or reproduce this document if you have agreed to and been bound by the applicable license agreement with MediaTek (“License Agreement”) and been granted explicit permission within the License Agreement (“Permitted User”). If you are not a Permitted User, please cease any access or use of this document immediately. Any unauthorized use, reproduction or disclosure of this document in whole or in part is strictly prohibited. THIS DOCUMENT IS PROVIDED ON AN “AS-IS” BASIS ONLY. MEDIATEK EXPRESSLY DISCLAIMS ANY AND ALL WARRANTIES OF ANY KIND AND SHALL IN NO EVENT BE LIABLE FOR ANY CLAIMS RELATING TO OR ARISING OUT OF THIS DOCUMENT OR ANY USE OR INABILITY TO USE THEREOF. Specifications contained herein are subject to change without notice. MediaTek LinkIt™ Development Platform for RTOS Get Started Guide Document Revision History Revision Date Description 1.0 24 March 2016 Initial version. 2.0 17 May 2016 Move the contents relative to flash, HDK, and build comments to corresponding documents. Add the support of Keil 3.0 30 June 2016 Add the support of IAR. Refine the architecture and provide more information on the SDK usage. © 2015 - 2016 MediaTek Inc. Page i of v This document contains information that is proprietary to MediaTek Inc.
    [Show full text]
  • Sitara™ Am57x Processor with Dual ARM® Cortex®-A15 Cores
    Sitara™ AM57x processor with dual ARM® Cortex®-A15 cores In today’s industrial automation market, (PLCs) and industrial computers consumers are seeing an evolution to human machine interface (HMI), that requires new technology featuring industrial peripherals and factory amplified performance and capabilities. communication, automation systems The factory automation floor is rapidly require cutting­edge technologies to advancing to become more user meet stringent customer requirements friendly with the incorporation of ele­ for high reliability in mission­critical ments like user interfaces that are environments. increasingly similar to those we use in our everyday lives and video compe­ Texas Instruments Incorporated (TI) has tencies that grant the ability to view a strategic commitment to the factory machines running on the opposite side automation industry, ranging from an of factories. This shift necessitates extensive, reliable solution portfolio to solutions very complex, expensive new processors that afford industrial a long product life supply as well as a and resistant to evolution even though system developers the capacity to suc­ strong local­based support. Industrial industry standards are changing. cessfully address these ever­evolving automation applications have been challenges. With applications ranging implemented using a variety of external Meeting the need for high from programmable logic controllers components making yesterday’s performance AM57x block diagram In industrial HMI and PLC systems, there is an increasing trend towards achieving x86­level performance in fanless enclosures and smaller form factors. At the same time, communica­ tions requirements are ever increasing for these systems, as is the need for intuitive user interface and high­perfor­ mance graphics in HMI systems.
    [Show full text]
  • OMAP 3 Family of Multimedia Applications
    OMAP™ 3 family of multimedia applications processors Revolutionizing entertainment and productivity Key features in wireless handheld commumications • Combines mobile entertainment and high-performance productivity applications. Product Bulletin • Integrates the advanced Superscalar ARM Cortex-A8 RISC core, enabling up to The OMAP™ 3 family of multimedia applications processors from Texas Instruments (TI) 3x gain in performance versus ARM11. introduces a new level of performance that enables laptop-like productivity and advanced • Designed in 45-nm (OMAP36x platform) entertainment in multimedia-enabled handsets. OMAP 3 devices support all levels of and 65-nm (OMAP34x platform) CMOS handsets, from the entry-level multimedia-enabled handsets to high-end Mobile Internet process technologies for less power Devices (MIDs). consumption and increased device performance. Entry-level Mid-level High-end • Includes integrated IVA hardware multimedia-enabled multimedia-enabled multimedia-enabled accelerators to enable multi-standard encode handsets handsets handsets decode up to HD resolution. OMAP3410 OMAP3420 OMAP3430/3440 • Available integrated image signal OMAP3610 OMAP3620 OMAP3630/3640 processor (ISP) enables faster, higher quality image capture, lower system cost TI’s OMAP 3 family of applications processors These devices can operate at a higher and lower power consumption. • Provides seamless connectivity to hard integrate the ARM Cortex-A8 superscalar frequency than previous-generation OMAP diskdrive (HDD) devices for mass storage. microprocessor
    [Show full text]
  • Advanced Practical Programming for Scientists
    Advanced practical Programming for Scientists Thorsten Koch Zuse Institute Berlin TU Berlin SS2017 The Zen of Python, by Tim Peters (part 1) ▶︎ Beautiful is better than ugly. ▶︎ Explicit is better than implicit. ▶︎ Simple is better than complex. ▶︎ Complex is better than complicated. ▶︎ Flat is better than nested. ▶︎ Sparse is better than dense. ▶︎ Readability counts. ▶︎ Special cases aren't special enough to break the rules. ▶︎ Although practicality beats purity. ▶︎ Errors should never pass silently. ▶︎ Unless explicitly silenced. ▶︎ In the face of ambiguity, refuse the temptation to guess. Advanced Programming 78 Ex1 again • Remember: store the data and compute the geometric mean on this stored data. • If it is not obvious how to compile your program, add a REAME file or a comment at the beginning • It should run as ex1 filenname • If you need to start something (python, python3, ...) provide an executable script named ex1 which calls your program, e.g. #/bin/bash python3 ex1.py $1 • Compare the number of valid values. If you have a lower number, you are missing something. If you have a higher number, send me the wrong line I am missing. File: ex1-100.dat with 100001235 lines Valid values Loc0: 50004466 with GeoMean: 36.781736 Valid values Loc1: 49994581 with GeoMean: 36.782583 Advanced Programming 79 Exercise 1: File Format (more detail) Each line should consists of • a sequence-number, • a location (1 or 2), and • a floating point value > 0. Empty lines are allowed. Comments can start a ”#”. Anything including and after “#” on a line should be ignored.
    [Show full text]
  • We Shape the Connected World Automotive Autonomy Generating Energy Effectively Wearable Technology ARM’S Technology Is Cars Are Becoming Mobile Computing Platforms
    ARM Holdings plc Annual Report 2015: Strategic Report We shape the connected world Automotive autonomy Generating energy effectively Wearable technology ARM’s technology is Cars are becoming mobile computing platforms. Wind turbines and solar panels can be made Smart watches, biometric-monitors and More sensors and cameras are being included more effective by including technology that augmented reality headsets are intelligent, to assist the driver with lane detection, reading controls and monitors the wind turbine, and connected devices that can give us extra shaping the way we roadside signage and identifying potential hazards aggregates data across the entire wind farm. information to improve our health and or people crossing the road. In time, driver wellness, or just to help us have more fun. all live our lives; in the assistance may lead to a fully automated vehicle. home, as we travel, at school or work, and as we have fun with our friends Mobile computing Smart city streets Intelligent networks Smarter homes ARM-based mobile computers, including City infrastructure from street lights to car Broadband and mobile phone network speeds Cost-efficiency in the home can be improved smartphones, tablets and some laptops are, parking meters can be made more effective by are increasing, and latency decreasing, enabling through learning thermostats that understand for many people, the primary device for their embedding intelligent chips. Street lights that new services for operators to provide to your daily routine, domestic appliances that use work, whether in an office or on the road; can dim when no one is nearby will save energy consumers and enterprises, from delivering advanced algorithms for calculating water and for researching and writing school assignments; and reduce carbon emissions, and prognostics in more movie and TV options to collating and detergent requirements, and smart meters that and for engaging with friends.
    [Show full text]
  • Tizen Based Remote Controller CAR Using Raspberry Pi2
    #ELC2016 Tizen based remote controller CAR using raspberry pi2 Pintu Kumar ([email protected], [email protected]) Samsung Research India – Bangalore : Tizen Kernel/BSP Team Embedded Linux Conference – 06th April/2016 1 CONTENT #ELC2016 • INTRODUCTION • RASPBERRY PI2 OVERVIEW • TIZEN OVERVIEW • HARDWARE & SOFTWARE REQUIREMENTS • SOFTWARE CUSTOMIZATION • SOFTWARE SETUP & INTERFACING • HARDWARE INTERFACING & CONNECTIONS • ROBOT CONTROL MECHANISM • SOME RESULTS • CONCLUSION • REFERENCES Embedded Linux Conference – 06th April/2016 2 INTRODUCTION #ELC2016 • This talk is about designing a remote controller robot (toy car) using the raspberry pi2 hardware, pi2 Linux Kernel and Tizen OS as platform. • In this presentation, first we will see how to replace and boot Tizen OS on Raspberry Pi using the pre-built Tizen images. Then we will see how to setup Bluetooth, Wi-Fi on Tizen and finally see how to control a robot remotely using Tizen smart phone application. Embedded Linux Conference – 06th April/2016 3 RASPBERRY PI2 - OVERVIEW #ELC2016 1 GB RAM Embedded Linux Conference – 06th April/2016 4 Raspberry PI2 Features #ELC2016 • Broadcom BCM2836 900MHz Quad Core ARM Cortex-A7 CPU • 1GB RAM • 4 USB ports • 40 GPIO pins • Full HDMI port • Ethernet port • Combined 3.5mm audio jack and composite video • Camera interface (CSI) • Display interface (DSI) • Micro SD card slot • Video Core IV 3D graphics core Embedded Linux Conference – 06th April/2016 5 PI2 GPIO Pins #ELC2016 Embedded Linux Conference – 06th April/2016 6 TIZEN OVERVIEW #ELC2016 Embedded Linux Conference – 06th April/2016 7 TIZEN Profiles #ELC2016 Mobile Wearable IVI TV TIZEN Camera PC/Tablet Printer Common Next?? • TIZEN is the OS of everything.
    [Show full text]