CRNG not ready and entropy used early at boot #1476
Description
EDIT for current state:
- This PR enables CPU HW crypto backend for both AMD and Intel and passes
random.trust_cpu=1from coreboot command line to Heads kernel boot option. - Consequently, crng is ready prior of tpm calls and shredding operations which currently read from /dev/urandom which is not locking if not enough entropy available
- qemu depends on host's /dev/urandom through cirtio, and cannot depend on AMD cpu extension since emulated cpu is too old to offer RDRAND compatible extention.
- Next step could be to reenable TPM and JITTER as expected initially, and have rng-tools and licap-ng deployed under Heads.
- As of now the current approach of this PR is better than what was in master.
- Will try to find ways to compare both with available tools
- Still needed: see how libcrypt deals with entropy before generating key material (gnupg)
Older
Heads uses entropy early at boot through while CRNG initialization is not yet complete.
This is the result of explorations done, goal being to open a debate on the proper way forward.
The problem is that the CRNG is not ready when some system services need to use random numbers at boot time, such as shredding files, calling tpm binary, generating secrets, disk unlock key, and most importantly generating in-memory key material.
These operations are crucial for the security and privacy and they should not be compromised by a lack of entropy or a weak random number generator. The reason for this problem is that the kernel needs to collect at least 4096 bits of entropy before it can initialize the CRNG, and the default entropy sources are not sufficient or fast enough to provide that amount of entropy at boot time.
To solve this problem, I have explored some possible options to increase the entropy sources and reduce the crng readiness time. These options are:
- Use the kernel option
random.trust_cpu=1and pass it as a command line parameter to skip the PRNG part of the boot process and use the CPU's hardware random number generator (e.g. RDRAND for x86 CPUs) as a source of randomness, without mixing it with other entropy sources. This will reduce crng readiness time by avoiding the entropy starvation problem. However, this may not be secure or trustworthy, as there is a possibility of a backdoor in the RDRAND implementation or the XOR instruction that could compromise the quality of randomness. Some experts recommend using RDRAND only as an additional entropy source, not as the sole one. - Use the TPM chip as another source of entropy, as it can provide high-quality randomness that is resistant to physical attacks and tampering. You can check if the TPM is recognized as a hardware random number generator (HRNG) by running
cat /proc/sys/kernel/random/entropy_avail. - Use other sources of entropy like jitter, hardware interrupts, mouse movements, keyboard presses. Linux uses a complex algorithm to combine multiple entropy sources into a single pool, and then hashes the pool to produce random output. Mixing entropy sources can improve the security and robustness of randomness, especially if some of the sources are compromised or biased.
- If we decide to trust CPU extention for crng early readiness, we could deactivate it early in Heads init script by changing the kernel parameter
random.trust_cpuafter the crng is ready. This way, we could use the CPU as the sole source of entropy for CRNG initialization, but switch to other sources afterwards.
To enable these options, we need to make some changes to the kernel configuration and command line parameters. These changes are:
- To enable RDRAND as an entropy source, we need to set
CONFIG_ARCH_RANDOM=yin the kernel configuration, and addrandom.trust_cpu=1to the kernel command line. - To enable TPM as an entropy source, we need to set
CONFIG_HW_RANDOM_TPM=yin the kernel configuration, and addrng_core.default_quality=1000to the kernel command line. - To enable jitterentropy as an entropy source, we need to set
CONFIG_CRYPTO_JITTERENTROPY=yin the kernel configuration, and addkernel.jitterentropy.ll=10,kernel.jitterentropy.ml=10,kernel.jitterentropy.bs=64, andkernel.jitterentropy.bc=16to the kernel command line. These parameters control how much jitter is generated by different methods. - To enable external devices as entropy sources, you need to set
CONFIG_HW_RANDOM=yin the kernel configuration.
I would like to hear your opinions and feedback on these options, and discuss which one is the best way forward for Heads.
As of today, crng is ready after tpm binary is called and after shredding some files. If one user is quick selecting menu options, the crng might not be ready when setting a TPM disk unlock key, while really improbable.
The goal here is to try to have crng ready as early as possible. Another option would be to wait for the entropy pool to full prior of leaving Heads init, but blocking is not pretty nor practical.
I propose:
- To not trust cpu extension first (requires coreboot config to pass explicitely
random.trust_cpu=1but impement all other changes and see how that goes. - If crng is still not ready on real hardware when tpm and shredding calls happen, revisit the precedent option and modify init script to remove trust on cpu when "inside" of Heads (so aeraly tpm unseal operations and shredding of files happen on a crng that is ready.
@JonathonHall-Purism @saper others? comments?
Some sources:
- Intel's RDRAND and RDSEED: A Cautionary Tale: https://www.cryptologie.net/article/487/intels-rdrand-and-rdseed-a-cautionary-tale/
- Intel's RDRAND: A Backdoor?: https://www.schneier.com/blog/archives/2013/10/intels_rdrand.html
- RDRAND: The Case for Trusting CPU Hardware Random Number Generators: https://www.intel.com/content/www/us/en/developer/articles/technical/rdrand-the-case-for-trusting-cpu-hardware-random-number-generators.html