On 6/11/14, Joey Hess <jo...@debian.org> wrote:
> I stumbled over a library which has switched to using RDRAND in a new
> upstream version (not yet packaged), instead of /dev/urandom[1].

Which library is using it?

>
> I don't have a strong opinion on the security of RDRAND, which is a
> contentious topic in a domain I am not expert in. However, I would much
> rather rely on linux developers to make the right decision on that,
> rather than libraries deciding on an ad-hoc basis. Especially because
> the kernel has a wider spectrum of choices than use/avoid (IIRC it
> currently mixes in RDRAND with other entropy sources.)
>

I tend to agree for a few reasons. Generally, I don't trust RDRAND and
the doping paper doesn't help:

http://arstechnica.com/security/2013/09/researchers-can-slip-an-undetectable-trojan-into-intels-ivy-bridge-cpus/

> Perhaps we should avoid libraries in Debian using RDRAND directly,
> if the library has uses related to security. (Maybe some game or
> simulation library would have a good reason to use it.)
>

Quite a few programs and libraries will have this issue if a cursory
search of the internet is an indication.

> Would it make sense to scan for the opcode?

Yes, very much so. It is potentially a security bug. It will be
interesting to track it.

All the best,
Jacob
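
The opcode scan discussed in this thread, sketched as an added example that is not part of the original messages or of any Debian tooling. It assumes little-endian x86-64 ELF binaries; the function names and the sample bytes are constructed for illustration.

```python
import re
import struct
import sys

# RDRAND with a register operand is 0F C7 /6 (ModRM F0..F7), optionally preceded
# by a 66h operand-size prefix and/or a REX prefix. Assumes x86-64 code.
RDRAND = re.compile(rb"(\x66)?([\x40-\x4f])?\x0f\xc7([\xf0-\xf7])")
REGS = ["ax", "cx", "dx", "bx", "sp", "bp", "si", "di"]

# Constructed sample: nop; rdrand rax; rdrand ecx; rdrand r10w; cmpxchg8b [rax]; ret
SAMPLE = bytes.fromhex("90 480fc7f0 0fc7f1 66410fc7f2 0fc708 c3")

def find_rdrand(code, base=0):
    """Return (address, destination register) for each candidate RDRAND in code."""
    hits = []
    for m in RDRAND.finditer(code):
        rex = m.group(2)[0] if m.group(2) else 0
        num = (m.group(3)[0] & 7) | (8 if rex & 1 else 0)  # REX.B extends the register
        if rex & 8:                                        # REX.W: 64-bit operand
            reg = "r" + REGS[num] if num < 8 else f"r{num}"
        elif m.group(1):                                   # 66h: 16-bit operand
            reg = REGS[num] if num < 8 else f"r{num}w"
        else:                                              # default: 32-bit operand
            reg = "e" + REGS[num] if num < 8 else f"r{num}d"
        hits.append((base + m.start(), reg))
    return hits

def scan_elf(data):
    """Scan only the executable PT_LOAD segments of a little-endian ELF64 image."""
    if data[:6] != b"\x7fELF\x02\x01":
        raise ValueError("not a little-endian ELF64 file")
    phoff, = struct.unpack_from("<Q", data, 32)            # e_phoff
    phentsize, phnum = struct.unpack_from("<HH", data, 54) # e_phentsize, e_phnum
    hits = []
    for i in range(phnum):
        p_type, p_flags, p_offset, p_vaddr, _, p_filesz = struct.unpack_from(
            "<IIQQQQ", data, phoff + i * phentsize)
        if p_type == 1 and p_flags & 1:                    # PT_LOAD with PF_X
            hits += find_rdrand(data[p_offset:p_offset + p_filesz], p_vaddr)
    return hits

if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            for addr, reg in scan_elf(f.read()):
                print(f"{path}: {addr:#x}: rdrand {reg}")
```

Hits are candidates only: the same bytes can occur inside another instruction's immediate or in data embedded in a code segment, so each one should be confirmed with a disassembler before it is filed as a bug.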