Is RdRand in Linux-Libre?
There's a discussion going around the internet about Intel possibly backdooring Linux with RdRand.
"Two years ago Linus overrode a decision by the maintainer of /dev/random and made a decision to include a patch by Intel which would make Linux rely blindly on output from RdRand (an implementation sealed in a chip and impossible to audit)"
http://www.reddit.com/r/linux/comments/1lucdy/did_linus_torvalds_backdoor_linux_random_number/
Whether it is true or not, I was wondering if Linux-libre is using RdRand?
Also take a look at this
https://plus.google.com/117091380454742934025/posts/SDcoemc9V3J
"I am so glad I resisted pressure from Intel engineers to let /dev/random rely only on the RDRAND instruction. To quote from the article below:
'By this year, the Sigint Enabling Project had found ways inside some of the encryption chips that scramble information for businesses and governments, either by working with chipmakers to insert back doors....'
Relying solely on the hardware random number generator which is using an implementation sealed inside a chip which is impossible to audit is a BAD idea."
I believe it is, not as the sole source but added to the mix. This way, apparently, it doesn't matter if it isn't perfectly random.
This is the important point here. If it's the sole source of entropy, that's when it becomes a security risk. As long as it's being mixed with something else, it's pretty safe imo.
Maybe there should be (if there isn't already) a piece of code that disables RdRand when no other source of entropy is available, to ensure that it's never used as the sole source of entropy.
>Maybe there should be (if there isn't already) a piece of code that disables RdRand when no other source of entropy is available, to ensure that it's never used as the sole source of entropy.
There already is. It's the nordrand parameter to the kernel. https://www.kernel.org/doc/Documentation/kernel-parameters.txt
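A way to check, on a given machine, whether the CPU advertises RDRAND and whether the `nordrand` parameter mentioned above was passed at boot (an added example, not part of the original thread or of Linux-libre). The function names and the sample text are constructed for this example; it reports only what `/proc/cpuinfo` and `/proc/cmdline` say.

```python
"""Report whether a Linux host advertises RDRAND and whether nordrand is set."""
from pathlib import Path


def cpu_advertises_rdrand(cpuinfo_text):
    """True if any 'flags' line of /proc/cpuinfo lists rdrand as a whole word."""
    for line in cpuinfo_text.splitlines():
        key, _, value = line.partition(":")
        if key.strip() == "flags" and "rdrand" in value.split():
            return True
    return False


def nordrand_requested(cmdline_text):
    """True if the boot command line carries the bare token 'nordrand'."""
    # Compare whole tokens: "rdrand" is a substring of "nordrand", so a
    # plain substring search would confuse the two.
    return "nordrand" in cmdline_text.split()


def rdrand_status(cpuinfo_text, cmdline_text):
    """Summarise the two checks as one human-readable line."""
    if nordrand_requested(cmdline_text):
        return "nordrand set: kernel was asked not to use RDRAND"
    if cpu_advertises_rdrand(cpuinfo_text):
        return "rdrand advertised by the CPU, nordrand not set"
    return "rdrand not advertised by the CPU"


# Constructed sample input (not captured from a real machine).
SAMPLE_CPUINFO = "processor\t: 0\nflags\t\t: fpu sse2 aes rdrand rdseed\n"
SAMPLE_CMDLINE = "BOOT_IMAGE=/vmlinuz root=/dev/sda1 ro quiet nordrand\n"

if __name__ == "__main__":
    try:
        cpuinfo = Path("/proc/cpuinfo").read_text()
        cmdline = Path("/proc/cmdline").read_text()
    except OSError:
        # Not on Linux, or /proc unavailable: fall back to the sample text.
        cpuinfo, cmdline = SAMPLE_CPUINFO, SAMPLE_CMDLINE
    print(rdrand_status(cpuinfo, cmdline))
```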
Hey! Not fair! I spend a week out of here and you guys already go on conspiracy theories without me? =P
LOL
Ok, seriously now, this is the kind of thing that makes me think "free software only, free software only!". Lol. Even so, and as this is an example of, free software does not mean that there are no dangers. We should still keep our eyes open and question EVERYTHING, especially the things we want to trust the most (the more we question, the more we can trust).
Unfortunately this is more of an example that when you go big with the big guys, you have to play by their rules. Linus was never a free software activist, but what we see here could (read it COULD! just COULD!) be interpreted as political/social pressure behind the scenes on him to make Linux not more safe than absolutely necessary for people to still use it. Like... let them think they are free because they use Linux, but let us still keep our power over them. That kind of thing, you know?
Anyway, I would thank WWWYZZERDD for bringing this up and Lembas and Loyd for making me rest a little bit with that info ;)
Still, for the people who run or are involved in Linux-Libre, a question: how hard would it be to remove RdRand completely?