by semenko
4721 days ago
There was a lot more follow-up later, see e.g. https://lkml.org/lkml/2012/7/5/422

The important commit here is: http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.g...

Excerpted:

Change get_random_bytes() to not use the HW RNG, even if it is available.

The reason for this is that the hw random number generator is fast (if it is present), but it requires that we trust the hardware manufacturer to have not put in a back door. (For example, an increasing counter encrypted by an AES key known to the NSA.)

It's unlikely that Intel (for example) was paid off by the US Government to do this, but it's impossible for them to prove otherwise --- especially since Bull Mountain is documented to use AES as a whitener. Hence, the output of an evil, trojan-horse version of RDRAND is statistically indistinguishable from an RDRAND implemented to the specifications claimed by Intel. Short of using a tunnelling electronic microscope to reverse engineer an Ivy Bridge chip and disassembling and analyzing the CPU microcode, there's no way for us to tell for sure.
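The argument in the quoted commit message, as an added illustration that is not part of the comment or of the kernel source: a stand-in for the hypothetical counter-under-a-secret-key RDRAND (HMAC-SHA256 replaces AES so only the standard library is needed; the class, function names and the "manufacturer key" are constructed for this example), showing that the stream is fully reproducible by whoever holds the key, and that folding the hardware output into a pool fed by independent sources, rather than returning it directly, removes that single point of trust.

```python
import hashlib
import hmac
import os


class CounterHwRng:
    """Constructed model of the back-doored RDRAND the commit describes:
    an increasing counter run through a keyed function under a key only
    the manufacturer knows. Without the key the output looks random;
    with it, every output is predictable."""

    def __init__(self, manufacturer_key: bytes, start_counter: int = 0):
        self._key = manufacturer_key
        self._counter = start_counter

    def get_bytes(self, n: int) -> bytes:
        out = b""
        while len(out) < n:
            block = self._counter.to_bytes(16, "big")
            out += hmac.new(self._key, block, hashlib.sha256).digest()
            self._counter += 1
        return out[:n]


def hw_output_is_predictable(manufacturer_key: bytes) -> bool:
    """Whoever holds the key reproduces the 'random' stream exactly."""
    device = CounterHwRng(manufacturer_key)
    observed = device.get_bytes(64)
    replica = CounterHwRng(manufacturer_key)  # same key, same counter start
    return replica.get_bytes(64) == observed


def extract_mixed(pool_entropy: bytes, hw_bytes: bytes) -> bytes:
    """Fold HW RNG output into a pool fed from independent sources.

    Hashing here stands in for the kernel's pool mixing; the point is that
    the output depends on every input, so a compromised HW RNG alone does
    not determine it."""
    return hashlib.sha256(b"pool:" + pool_entropy + b"|hw:" + hw_bytes).digest()


def mixed_output_is_predictable_from_hw(manufacturer_key: bytes) -> bool:
    """Same HW stream, two independently seeded pools: knowing only the
    HW key no longer fixes what the system hands out."""
    hw_bytes = CounterHwRng(manufacturer_key).get_bytes(32)
    out_a = extract_mixed(os.urandom(32), hw_bytes)
    out_b = extract_mixed(os.urandom(32), hw_bytes)
    return out_a == out_b


if __name__ == "__main__":
    key = b"constructed-manufacturer-key"
    print("HW-only output predictable with key:", hw_output_is_predictable(key))
    print("mixed output predictable with key:  ", mixed_output_is_predictable_from_hw(key))
```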