[coreboot] Asus Chromebox Panther: no HW RNG?

Grant Grundler grantgrundler at gmail.com
Sat Dec 22 05:27:37 CET 2018


On Wed, Nov 28, 2018 at 1:51 AM Ivan Ivanov <qmastery16 at gmail.com> wrote:
>
> Sorry but I think that relying on Intel RNG is a _Terrible_ idea
> regarding the security and not sure you should be pursuing it.

What I'm pursueing is a reasonable initialization time so
wpa_supplicant can start. 555 seconds is not reasonable:
[  555.496678] random: crng init done
[  555.496678] random: crng init done
[  555.496684] random: 7 urandom warning(s) missed due to ratelimiting
[  560.265385] wlp2s0: authenticate with xx:xx:xx:xx:xx:xx
[  560.279395] wlp2s0: send auth to xx:xx:xx:xx:xx:xx (try 1/3)
[  560.281981] wlp2s0: authenticated

intel-crng was proposed elsewhere as one solution to this problem but
it's clear to me now that this is not an option with the panther
chromebox.

I don't recall seeing this with older kernels (have been running
debian on this HW since early 4.x releases) and will look at the
driver git logs.

I was hoping someone in the Coreboot community would have some idea
why random driver isn't getting enough entropy and if coreboot isn't
advertising something that helps with the random crng initialization.

I experimented with attaching just an optical mouse and that didn't
seem to help.
Attaching a keyboard and just hitting <shift> key did seem to help
("crng init done" in about 10 seconds). I'm assuming the /dev/random
driver is not seeing enough actiivity otherwise.

cheers,
grant

> If you
> really want a hardware RNG that is also secure, why not take a look at
> some USB dongles like FST-01 or Librem key? Here is a ( sadly deleted
> recently! ) Wikipedia comparison page -
> https://web.archive.org/web/20180812092012/https://en.wikipedia.org/wiki/Comparison_of_hardware_random_number_generators
> - You can check it to find the best price/performance USB TRNG dongle
> which is also open hardware
>
> Best regards,
> Ivan Ivanov
> вт, 27 нояб. 2018 г. в 22:50, Grant Grundler <grantgrundler at gmail.com>:
> >
> > On Tue, Nov 27, 2018 at 4:10 AM Nico Huber <nico.huber at secunet.com> wrote:
> > >
> > > Hi Grant,
> > >
> > > I don't know how it is supposed to work on Haswell, but can give you
> > > some pointers anyway.
> > >
> > > tl;dr I don't think you are looking for a PCI device.
> >
> > If  intel-rng support is required, a PCI device will be advertised
> > because of how the linux kernel binds PCI devices to drivers. See
> > "alias" field of "modinfo intel-rng" as an example.
> >
> > One of the search results pointed at a response that said "load
> > intel-rng driver" as the solution to this problem... that's the only
> > reason I'm exploring this path.
> >
> > > Am 27.11.18 um 08:11 schrieb Grant Grundler:
> > > > Asus Chromebox (Panther) with Celeron 2995U processor is supposed to
> > > > have a HW Random Number Generator:
> > > >    https://ark.intel.com/products/75608/Intel-Celeron-Processor-2955U-2M-Cache-1-40-GHz-
> > > >
> > > > (Intel calls it Secure Key)
> > > >
> > > > But "modprobe intel-rng" is failing with "No such device" (Debian
> > > > 4.18.0-2-amd64 kernel).
> > >
> > > This driver is for very old Firmware Hub (FWH) hardware which would
> > > be controlled through the LPC PCI device. You have such a PCI device
> > > (00:1f.0) but there's no FWH to be expect with Haswell.
> >
> > Hrm. OK. But that would explain why intel-rng driver only binds with
> > PCI devices.
> >
> > > What you are probably looking for is the RDRAND instruction. I don't
> > > know if it can be controlled by the firmware, but would check first if
> > > your OS is prepared to make use of it.
> >
> > Linux kernel has supported RDRAND for a long time. There is even a
> > public debate about *excluding* RDRAND use since some people were
> > hypothesizing that RDRAND was "compromised" by Intel so "goverment
> > agencies" could break encrypted traffic which used RDRAND exclusively
> > to generate encryption keys. Linux kernel does NOT exclusively use
> > RDRAND and Ted Tyso made compelling arguments that RDRAND would still
> > add "entropy" to key generation.
> >
> > What I don't know is how linux figures out it can or should use
> > RDRAND. RDRAND appears to be a "CPU feature":
> >
> > arch/x86/include/asm/cpufeatures.h:#define X86_FEATURE_RDRAND
> >     ( 4*32+30) /* RDRAND instruction */
> >
> > And as notedin original email, Intel says this CPU (Celeron 2995U)
> > supports "Secure Key" which is the new marketing name for HW RNG
> > support (could be only via RDRAND now).
> >
> >
> > > > Why do I care about HW RNG?
> > > > Because of this:
> > > > ...
> > > > [    8.560270] r8169 0000:01:00.0 enp1s0: link up
> > > > [    8.560287] IPv6: ADDRCONF(NETDEV_CHANGE): enp1s0: link becomes ready
> > > > [19039.712644] random: crng init done
> > > > [19039.712649] random: 7 urandom warning(s) missed due to ratelimiting
> > > > [19044.485625] wlp2s0: authenticate with ...
> > > > ...
> > > >
> > > > Yes, several *hours* until the crng was initialized and then
> > > > wpa_supplicant could start talking on WIFI. :(
> > > >
> > > > The length of the delay varies...shortest was 7 minutes.
> > >
> > > Well, even without a hardware rng, I wouldn't expect that.
> >
> > Exactly. I didn't either. My NUC5 completes typically in 3 second from
> > the time the kernel is loaded. But this is a different CPU (Intel Core
> > i5 6260) and completely different firmware (If Coreboot was available
> > for this, I'd prefer Coreboot).
> >
> > >  With antennas
> > > available, I would say after 10s for the paranoid there should be enough
> > > entropy available. But that's probably just how I'd do OS development
> > > (and depends on what the wifi driver can do).
> >
> > I don't know if the kernel has access to any radios (or antennas)
> > until the 80211 link is brought up... which in turn won't happen until
> > wpa_supplicant is running. So something else is wrong here. My
> > suspicion is still on Coreboot not providing something that tells the
> > linux kernel a quick method to generate random numbers.
> >
> > I saw Matt DeVillier's response as well and I'll follow up once I've
> > updated the SeaBIOS firmware, installed rng-tools5, and determined
> > which CPU features are advertised by both Panther and NUC CPUs. For
> > some reason my "phone home" (SSH) is getting rejected right now. :(
> >
> > cheers,
> > grant
> >
> > > Nico
> >
> > --
> > coreboot mailing list: coreboot at coreboot.org
> > https://mail.coreboot.org/mailman/listinfo/coreboot



More information about the coreboot mailing list