Comments on: TPM as RNG http://www.outflux.net/blog/archives/2009/10/22/tpm-as-rng/ code is freedom -- patching my itch Fri, 12 Mar 2010 03:50:35 -0800 http://wordpress.org/?v=2.8.4 hourly 1 By: Jo Shields http://www.outflux.net/blog/archives/2009/10/22/tpm-as-rng/comment-page-1/#comment-795 Jo Shields Fri, 23 Oct 2009 20:12:07 +0000 http://www.outflux.net/blog/?p=255#comment-795 <a href="http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=542599" rel="nofollow">Bug #542599</a> Bug #542599

]]> By: mirabilos http://www.outflux.net/blog/archives/2009/10/22/tpm-as-rng/comment-page-1/#comment-793 mirabilos Fri, 23 Oct 2009 09:53:27 +0000 http://www.outflux.net/blog/?p=255#comment-793 I’ve written the same in shell, as a proof of concept, and will probably be combining MirBSD cprng(8) (which does truerand as dæmon), tpmrng (the shell prototype) and a *SIMPLE* (only read packets and put them into the kernel pool, until the Lua dæmon can be run) http://www.entropykey.co.uk/ client into one dæmon that can even be put on the installer. I’ve read through all the TPM specs I could find re. its RNG functions and found that: • output function is most probably SHA-1 for most of them; the standard specifies that the TPM is allowed to answer with blocks of the SHA-1 output size even if requested larger blocks • while a TPM *may* have a HW RNG on it, it *may* also be some different kind, even a PRNG, as long as the internal state can NEVER be recovered either by the user or by the manufacturer after it is sealed at the end of the production process, even with StirRandom This basically means that, while it may not be a HW RNG, it’s good enough for at least *some* bits during runtime of a system, and, when added to the kernel main entropy pool, helps but can’t hurt (due to mixing). I’ve written the same in shell, as a proof of concept, and will probably
be combining MirBSD cprng(8) (which does truerand as dæmon), tpmrng (the
shell prototype) and a *SIMPLE* (only read packets and put them into the
kernel pool, until the Lua dæmon can be run) http://www.entropykey.co.uk/
client into one dæmon that can even be put on the installer.

I’ve read through all the TPM specs I could find re. its RNG functions
and found that:

• output function is most probably SHA-1 for most of them; the standard
specifies that the TPM is allowed to answer with blocks of the SHA-1
output size even if requested larger blocks

• while a TPM *may* have a HW RNG on it, it *may* also be some different
kind, even a PRNG, as long as the internal state can NEVER be recovered
either by the user or by the manufacturer after it is sealed at the end
of the production process, even with StirRandom

This basically means that, while it may not be a HW RNG, it’s good enough
for at least *some* bits during runtime of a system, and, when added to
the kernel main entropy pool, helps but can’t hurt (due to mixing).

]]>