Linus Responds To RdRand Petition With Scorn

hypnosec writes "Linus Torvalds, in response to a petition on Change.org to remove RdRand from /dev/random, has lambasted the petitioner by called him ignorant for not understanding the code in the Linux Kernel. Kyle Condon from the UK raised a petition on Change.org to get Linus to remove RdRand from /dev/random in a bid 'to improve the overall security of the linux kernel.' In his response, Torvalds asked Condon and the supporters of the petition to gain an understanding of Linux drivers and cryptography, and then 'come back here and admit to the world that you were wrong.' Torvalds stressed that kernel maintainers knew what they were doing and the petitioner didn't. Torvalds, in a similar outburst just yesterday, hoped that 'ARM SoC hardware designers all die in some incredibly painful accident.' This came in response to a message from Kevin Hilman when he noted that there were quite a few conflicts in the ARM SoC pull request for Linux 3.12 which were a result of the platform changes conflicting with driver changes going in to the V4L tree."

you have the source

[AndroSyn]

You have the source code, remove rdrand from the kernel yourself.

Re:you have the source

[AndroSyn]

Then if you don't understand how to make this sort of change, then you aren't smart enough to understand why you should or should not be using RDRAND it in the first place.

Re:you have the source

It's not a "cop out" at all. The party that manages the code doesn't want to remove a feature that there's no logical reason to remove. The petition was one sentence, linked to no debate, made no points and didn't even attempt to negotiate. It could have said, "Do it, because we say so." and it would have been just as informative. I think you need to look up the definition of "cop out", because the petition creators could have actually done something useful, and didn't.

Re:you have the source

[realityimpaired]

Not true... I have no opinion either way, but it's entirely possible to have a very good understanding of how semi-random numbers affect cryptography, and also of how rdrand generates them, without having the programming background to be able to safely remove it from the kernel. Crypto is about math, not programming, and contrary to popular opinion (apparently), the two do not always go hand-in-hand.

It's not as simple as just commenting out a few lines of code. As likely as not, if you were to simply comment out a few lines you'd actually introduce another bug which could be worse for security. The Linux kernel is arcane, and even experienced/good programmers avoid making modifications they don't have to. What you're proposing is he fork it, and make a new release of the kernel *every time Linux releases one*, in order to comment out a feature that may not have enough entropy to be suitable for crypto. (I don't know one way or the other, but I'm guessing you don't either).

Re:you have the source

[AndroSyn]

It's not as simple as just commenting out a few lines of code.

No, it's easier than that. You can simply pass nordrand to the kernel. It was the first thing I saw when I opened up
arch/x86/kernel/cpu/rdrand.c
__setup("nordrand", x86_rdrand_setup);

So there...don't like rdrand, don't use it.

From Documentation/kernel-parameters.txt

                nordrand [X86] Disable the direct use of the RDRAND
                                                instruction even if it is supported by the
                                                processor. RDRAND is still available to user
                                                space applications.

Re:you have the source

No, it is not. Being unwilling to do something for yourself, and then demanding that others do it for you, to the point of trying to pressure them with a mass petition, is the most obnoxious cop out.

Re:you have the source

[pipatron]

Are you suggesting that the kernel should kill of application in userspace using this instruction? Are there any other instructions you morally object to? Using XOR with a constant is also bad cryptography, perhaps it should be prevented by the kernel.

Re:you have the source

[michelcolman]

RDRAND is an instruction, just like "add these two registers" or "jump to this address". Of course it's still available to user space applications. The point is that you can specify that the OS itself should not use it for things like /dev/random. If a user space application wants to use it, there's not much the kernel can/should do about that. Apps can use pretty much any insecure random algorithm anyway.

Re:you have the source

[wisnoskij]

There is a huge difference between the skill set to maintain your own version of Linux, the skill set to program efficient code that does not break anything, and the skillset to understand encryption.

Re:you have the source

[Chrisq]

Are you suggesting that the kernel should kill of application in userspace using this instruction? Are there any other instructions you morally object to?

Op code 666

Re:you have the source

Kyle Condon here, the reason I started the petition was not because I was too lazy to do it myself. I know C and could quite easily compile my own kernel with the functionality taken out. However, the petition was to have it removed from the MAINLINE linux kernel, this would remove it for everyone who ran the linux kernel and not just the select few who had enough knowledge to turn it off.

Re:you have the source

[TechyImmigrant]

Yes. But I'm not going to give a well researched answer because I'm about to get on a plane.

Primarily the problem is that the Linux kernel RNG exists in many contexts and trusts that its random sources are random across all those contexts. This has been found to be false. The factorable.net study showing re-used primes between certs created on low-entropy router devices is an example of what can go wrong.

There are other more detailed things. The pool entropy calculations are flat out wrong. They are less wrong after Peter Anvin submitted a patch to have it do a piecwise approximation to a shannon entropy sum rather than an arithmetic sum, but it's not doing anything like a normal min-entropy computation for an entropy extraction algorithm.

The kernel trusts userland programs to be honest about the entropy in the sources. E.G. RNGd. However RNGd and other entropy gather daemon's have no basis on which to know the source entropy and so they make it up. The kernel takes this number and uses it in the pool entropy calculation. And so the whole calculation is built on sand.

The behavior of the kernel results in boot time entropy starvation, right at the point where you need it most.

This is RdRand changes the picture somewhat. The entropy source is well modeled and its min entropy is know. The resulting entropy from the condition is therefore known. The entropy seeding the DRBG is therefore know. It is therefore known how to extract full entropy output from RdRand, and it is known what the cryptographic resistance to brute for attack is (which is not quite the same thing). Such a chain of reasoning is what a good RNG should have.

You are better off using RdRand because it's available from the first instruction executed. It has known properties and the resulting numbers are not subject to the timing, memory API attacks that the kernel RNG numbers are subject to on the long winding path from device to RNGd to kernel API to kernel RNG to /dev/random to userland library to userland application.
 

Re:you have the source

[tytso]

The random driver has changed significantly since July 2012, which is we were given a heads up about the paper described at http://factorable.net/ which is also when I took back maintainership of the /dev/random driver. We gather entropy at every single interrupt, and mix it into the entropy pool. This is done unconditionally, you can't disable it, like what happened with the SA_SAMPLE_RANDOM flag.

The thing about entropy pools is that when you combine entropy sources, the result gets better, not worse. So the best thing would be if we had hardware random number generators sourced from China, Russia, and the USA. Since presumably the MSS, KGB, and the NSA mutually distrust each other, if we combine the entropy from those three soruces, the result will be stronger than any one alone.

This is why I don't recommend using RDRAND directly. Sure, an honest (emphasis on honest) hardware random number geneterator will always be able to source higher quality entropy than anything we can do by sampling OS events, such as interrupts. But the problem is it's hard to guarantee that a HWRNG is really honest. Especially given the Snowden revelations which seem to indicate the NSA has successfully leaned on at least one chip manufacturer. If you must use RDRAND, I'd recommend generating a random key via some other means, and then encrypting the output of RDRAND by that random key before use the resulting randomness for session keys, etc. Or better yet, do what we do in /dev/random, which is to mix RDRAND with other sources of entropy.

Got your feelings hurt?

[Splab]

The TFA makes it look like Linus went on full rampage mode and tore a insightful request down by being mean.

Actually reading his responses, Linus is pretty level headed and just says no, you can't have this.

Guess submitter got his feelings hurt?

Re:Got your feelings hurt?

[greenfruitsalad]

that is exactly what i thought. guy creates a lame picture with NSA and LINUX in it, comes up with a fascinating heading and uses yesterday's info from slashdot discussion to create FUD. if i were Linus, i wouldn't have bothered with such a long response.

Re:Got your feelings hurt?

[Splab]

How about reading his responses?

Taken out of context, those are death threats, in context however, it's just (misguided?) ventilation. He just ventilates and says that it's a pile of poo and he really wish they would stop doing that, he then goes on, in an uncanny (for him) reasonable response on how, they should handle pull requests in the future.

Grepping our own source tree for fuck, crap, shit, die, stupid will return quite a lot of ventilation and quite often directed at the sales department. Veteran programmers are grumpy old bastards, live with it or get off our lawn.

Re:Got your feelings hurt?

[DeathToBill]

Here's what he wrote:

Where do I start a petition to raise the IQ and kernel knowledge of people? Guys, go read drivers/char/random.c. Then, learn about cryptography. Finally, come back here and admit to the world that you were wrong. Short answer: we actually know what we are doing. You don't. Long answer: we use rdrand as _one_ of many inputs into the random pool, and we use it as a way to _improve_ that random pool. So even if rdrand were to be back-doored by the NSA, our use of rdrand actually improves the quality of the random numbers you get from /dev/random. Really short answer: you're ignorant.

Linus is not usually my cup of tea, and the sprinkling of personal attacks doesn't help his case. But it's a reasonable explanation of why /dev/random works the way it does and why it won't be changed.

Re:Got your feelings hurt?

[MrNemesis]

These days, almost every time a story is posted along the lines of "Linux says X" it's frequently framed in such a way as to paint Linus as a frothing madman hurling not just insults but entire furniture factories at his cringing subordinates. It's become such a regular occurence that I half expect them to be followed up with a story on how Steve Ballmer has converted to buddhism and will be using the armpit sweat from his meditations to irrigate the sahara.

Reading the article, of course, usually reveals a different picture, but that gets in the way of attention-grabbing headlines. I'm not really sure how the following post can be construed as "fury"; irritation, indignation, perhaps, but not fury.

Where do I start a petition to raise the IQ and kernel knowledge of people? Guys, go read drivers/char/random.c. Then, learn about cryptography. Finally, come back here and admit to the world that you were wrong. Short answer: we actually know what we are doing. You don't. Long answer: we use rdrand as _one_ of many inputs into the random pool, and we use it as a way to _improve_ that random pool. So even if rdrand were to be back-doored by the NSA, our use of rdrand actually improves the quality of the random numbers you get from /dev/random. Really short answer: you're ignorant.

As far as I can tell, no-one's found any evidence for rdrand being backdoored, and even if it were, there's bigger issues at foot with things like microcode. Linus explains how the kernel implementation uses random data from several different sources to guard against this kind of stuff. Plus, as other people have pointed out, you can disable rdrand with a kernel parameter. Linus is primarily a pragmatist, so it doesn't really make much sense to excise the code from the kernel - throwing out the baby with the bathwater if you will. Surely if there were any hardware to worry about, it'd be the hardware providing AES-NI? Why isn't there a petition to have that removed...?

Re:Got your feelings hurt?

[Minwee]

Indeed. We tried to warn the world about this almost twenty years ago, but nobody listened.

RDRAND will re-write your hard drive. Not only that, but it will scramble any disks that are even close to your computer. It will recalibrate your refrigerator's coolness setting so all your ice cream goes melty. It will demagnetize the strips on all your credit cards, screw up the tracking on your television and use subspace field harmonics to scratch any CD's you try to play.

It will give your ex-girlfriend your new phone number. It will mix Kool-aid into your fishtank. It will drink all your beer and leave its socks out on the coffee table when there's company coming over. It will put a dead kitten in the back pocket of your good suit pants and hide your car keys when you are late for work.

RDRAND will make you fall in love with a penguin. It will give you nightmares about circus midgets. It will pour sugar in your gas tank and shave off both your eyebrows while dating your girlfriend behind your back and billing the dinner and hotel room to your Discover card.

It will seduce your grandmother. It does not matter if she is dead, such is the power of RDRAND, it reaches out beyond the grave to sully those things we hold most dear.

It moves your car randomly around parking lots so you can't find it. It will kick your dog. It will leave libidinous messages on your boss's voice mail in your voice! It is insidious and subtle. It is dangerous and terrifying to behold. It is also a rather interesting shade of mauve.

RDRAND will give you Dutch Elm disease. It will leave the toilet seat up. It will make a batch of Methanphedime in your bathtub and then leave bacon cooking on the stove while it goes out to chase gradeschoolers with your new snowblower.

Re:At Least He Doesn't Throw Chairs

[iserlohn]

Linus is funny while Ballmer acts funny. Worlds apart if you ask me.

Hmm....

[Andy+Dodd]

There was an incident a few years ago (that led to at least one subsystem maintainer resigning) where RdRand was used as the EXCLUSIVE entropy source for some items if it were present. http://cryptome.org/2013/07/intel-bed-nsa.htm - Matt Mackall resigned over it.

This is BAD.

If it is now merely feeding the pool as one of multiple sources, then it's OK. If anything is directly exposed to raw rdrand output, something is very wrong.

Re:Marital/Money problems???

[IamTheRealMike]

I think it's more likely that the RDRAND thing has been an ongoing argument/flamewar for a long time. See this thread for an example.

BTW Linus is right. According to what we know about randomness, even if RDRAND is hacked then mixing it with other entropy can't hurt - at worst, it merely is a no-op and achieves nothing. However, even if RDRAND is backdoored, the NSA is not the worlds only adversary. Given that when mixed with other randomness it doesn't hurt, it's still better to use it against all the other adversaries out there than not.

Linus' point is, exclusive reliance on RDRAND would be bad, but the kernel doesn't/shouldn't do that.

Re:Linus an example of ...

[h4rr4r]

Its just a shame that morons like you value social graces over the ability to do real work. This is why companies fail, especially as they get better, playing well with morons is valued over the ability to get shit done.

Re:Marital/Money problems???

[h4rr4r]

Based on what?

He has always spoken this way to those who deserved it. Notice he does not go after noobs or people who do not ask for it. If you put up a petition to get something changed, you should at least know what you are talking about.

Re:Linus an example of ...

[pjk]

Someone who has no social skills but uses his persona to stay at the head of the ship.

Well, either that or his technical understanding, organisational skills and the respect of his peers for many a year.

it is just a shame such a social retard is allow to rant as he is.

Guess humour isn't your thing ?

One word: Transmeta

[gatkinso]

ARM SoC hardware designers world wide smile into their hand.

Re:Negotiation Skills

[Goaway]

There was no negotiation going on. There was a single obnoxious guy calling Linux "an approved partner of the NSA" and complaining about something he knew nothing about. He deserved what he got. In fact, Linus went pretty easy on him.

Re:At Least He Doesn't Throw Chairs

[Goaway]

No, the guy who made the petition was way out of line for calling Linux "an approved partner of the NSA", and way out of his depth because he had no idea what the hell he was talking about.

Linus was just responding to an asshat, and went pretty easy on him.

Randomness not so random

[schneidafunk]

I have to admit I didn't know much about the controversy so I went and found some articles.

Here is an article showing some weaknesses in Linux's random generation: Analysis of the Linux Random Number Generator

As reported by Bruce Schneier for this Wired article: http://www.wired.com/politics/security/commentary/securitymatters/2007/11/securitymatters_1115

Re:At Least He Doesn't Throw Chairs

[MrDoh!]

Yeah, it's just Finnish humour that's being taken badly. I know he's been in the US for a long time, but he's not being mean, it's just a way of expression that it appears many don't get. !Still, the AC could always email Linus and ask him to change, I'm sure he'd appreciate the input.

A petition?

[macemoneta]

If you believe there's something broken in the kernel (or other open source project), you don't create a petition, you create and submit a patch. If you don't know enough or don't have the skills to create a patch, you're probably not qualified to criticize the implementation.

"Anti-intellectualism has been a constant thread winding its way through our political and cultural life, nurtured by the false notion that democracy means that 'my ignorance is just as good as your knowledge." -- Isaac Asimov

Excuses, excuses, excuses !

[Taco+Cowboy]

Maintaining your own kernel tree over time is most certainly non-trivial by most peoples standards

Some people just had to complain about every-single-thing, even if it's downright inane.

Open source is just that, you can read the source of the programs, and with the source, you have the options to do the following :

1. Determine if the program has any backdoor / malware embedded

2. Change/alter the source to your own liking

3. Learn from the code and perhaps in a latter day you might be able to apply what you have learned in your own program (and I am not talking about cut and paste)

If all the above are STILL not good enough for you, the offerings from Apple and Microsoft are always available.

Re:Excuses, excuses, excuses !

[fritsd]

Hey, you forgot an important one:

• 4. PAY ME to make a kernel package for you that has this RDRAND thingy turned off.

Re:Excuses, excuses, excuses !

[vux984]

Open source is just that, you can read the source of the programs

I believe the suspicion is the RDRAND cpu instruction itself is a black box from intel that may have been subverted by the NSA.

As such, no, it can't be audited, and it's source cannot be inspected.

Re:Marital/Money problems???

[Austerity+Empowers]

He has always spoken this way to those who deserved it.

From his perspective. I would assert he has as little business talking about ARM SoC hardware designers about their design decisions as they have of telling him how to design an OS.

Anyone who has worked between chip and software teams knows the fights here are epic and unending.

Re:Why all the whining in the first place?

[Spad]

It's getting increasingly difficult to label people tinfoil hatters given the way the NSA leaks are making even the most ardent paranoid conspiracy theorists look like they've vastly underestimated the problem.

Re:At Least He Doesn't Throw Chairs

[Sarten-X]

...where kindergarten teachers repeat the Golden Rule to him.

I've seen Linus get into an argument with someone of the same style. After a few rounds, it became obviously different that the debate was not like the typical Internet insult-hurling flame war. Rather, each side had points and counter-points and presented a persuasive case... just peppered with insults and offenses, as a separate layer of argument. It's sort of like real insult swordfighting.

Re:At Least He Doesn't Throw Chairs

[oztiks]

I'm with you on that. It seems like his sense of humour and his calling "a spade a spade" philosophy earns him a lot of criticism. I always argue that Linus is your typical purest. He's not there to please or appease. He's there to focus on getting things done right, in his own way, but as correct as he sees it.

I argue that because he's giving Linux freely to the world and with limited monetary gain that we can't chastise him too much about it either. What he's missing is something which I've learned through my own errors when dealing with people in the past. And that is, to deal with "the public" one must always do so with the softest possible touch. That's only if you're wanting to earn the minds of the masses mind you.

So I say. People who bag him with the whole "his attitude is appalling" type statements. Well, it sucks to be you because I think that you're just too much of a sook and you need to harden/lighten up a little. The people who condone the attitude I say "meh, you're probably a purest as well" because they wish to understand truth and wish to see what goes on in the Linus' mind just as I do.

As me for me. Truth be told. The day Linus actually starts acting like the rest of the PR sheep out there is the day I'd start to worry about crypto that NSA may of sneaked in to the Linux kernel. Until then. It's good to see him throwing out comments like "Deep throat Microsoft" and "You're ignorant". This kind of talk is indicative of when the internet wasn't populated by commercially driven cock suckers like Mark Zuckerberg abusing the word "hacker" and trying to pass himself off as "one of us".

So at the end of the day, who's really lost touch here?

Re:Negotiation Skills

[Lumpy]

It's not only an obnoxious guy, but an uneducated one. You can easily disable it with a compile time option already.

Re:At Least He Doesn't Throw Chairs

[oztiks]

He didn't create anything. ANYTHING. Open source existed before Torvalds. UNIX existed before Torvalds. To use the infamous battle cry of the typical Slashdork... "Where's teh innovationz?!?!?111!!?"

I've been using Linux since 1993. I can't even begin to tell you how wrong you are :) Oh the memories ... 14.4 modems, 386 DX!! (yes, none of those pussy SX processors), Hercules monitors and MFM harddisks!

When people start treating it like a valid technology instead of a religious movement it'll get more momentum in the mainstream.

You're missing the point. It's not treated as a religious movement It's kind of more like being a 60s child in the modern day if that makes sense.

When people start worrying about advancing Linux over where it stands versus Microsoft or Apple it'll finally have the chance of taking great leaps forward.

Google wrapped a business model around Linux. It's called Android and it's doing just fine.

If I wanted TMZ style sensationalist stories...

[Rinikusu]

I'd read TMZ.

Man, I can't wait until the /. submitters discover Theo de Raadt.

Here's your debate

[Okian+Warrior]

It's not a "cop out" at all. The party that manages the code doesn't want to remove a feature that there's no logical reason to remove. The petition was one sentence, linked to no debate, made no points and didn't even attempt to negotiate. It could have said, "Do it, because we say so." and it would have been just as informative. I think you need to look up the definition of "cop out", because the petition creators could have actually done something useful, and didn't.

Okay then, lets fix this.

The NSA has compromised products and devices in the design phase - both software and hardware. We don't know which products are compromised or how, but we do know that some are.

Random number generators cannot be verified - it's a computationally infeasible problem. If the NSA has subtly tampered with a product, there's no way to tell from the outside looking in. You *might* be able to tell by looking at the generator source. (Note that the linux random number generator has at least one undocumented source of entropy.)

There is no reasonable way to look at the source code/microcode of the rdrand instruction.

Additionally, there is no way to verify the underlying source of randomness of the rdrand instruction. There could be vulnerabilities on the silicon die.

The whole point of open source is that people can peek at the software and see what's going on.

Since there is no way to inspect the random number generator and no way to verify it's operation, it should not be used by default.

It's a security risk, plain and simple, and risk management should be up to the user. However small the risk is, forcing everyone to take it multiplies the chance that someone will get burned by it.

Here's your logical argument. If Linus wants to debate this, let him address these issues. Linus needs to show the premises wrong, or that the conclusion doesn't follow from the premises.

If he can't, then he should abide by the recommendation.

Re:Here's your debate

[Chemisor]

Random number generators cannot be verified - it's a computationally infeasible problem.

Then how do you know the software RNG in the kernel is random? By using randomness tests, that's how, like the diehard suite. Diehard has been run on RdRand; try it yourself if you want.

Re:That's uncalled for, really.

[I'm+New+Around+Here]

'"ARM SoC hardware designers all die in some incredibly painful accident."

I mean, maybe Linus hasn't had the experience of losing someone in an incredibly painful accident.

Well, how is he supposed to hope people die? Being batted by soft pillows while sitting in the comfy chair?

Re:Negotiation Skills

[gweihir]

And by disabling RdRand, you can only decrease security, so it would be pretty stupid to do so. But that requires actually understanding how an entropy pool works, something the petitioner does not. Basically, the only sane reason to disable it is for tests.

In fact of the sheer stupidity of the request, Linus was pretty friendly in its answer. He is also 100% right.

If you look at what Intel apparently wanted, namely drop the entropy pool and only use RdRandom (https://plus.google.com/117091380454742934025/posts/SDcoemc9V3J), _that_ would have been highly problematic. But Theodore Ts'o actually understands how these things work and refused. I thought it was a pretty good call back then (and I seem to remember that Linus called this one wrong but learned better), and now it looks like it prevented a world of trouble. On the other hand, we now have strong indication that some Intel engineers have been compromised by the NSA.