[arch-general] [arch-gen] does using tmp-rng enables tpm at all?
Hi, Seems like on i5 and i7 chips the way to get random numbers through HW is to use tpm-rng (intel-rng is no longer available for them). An by reading [1] seems like a pretty good idea. However I have no intention to use tpm at all, neither I want any possibility to get any one monitoring my machine, which is one of the possible use cases with tpm. Does one, just by using tpm to feed entropy, open any door on linux for any other tpm functionality? Or is it totally safe to use tpm-rng? Thanks, -- Javier [1] http://lwn.net/Articles/525459
On Wed, Dec 24, 2014 at 1:45 PM, Javier Vasquez <j.e.vasquez.v@gmail.com> wrote:
Hi,
Seems like on i5 and i7 chips the way to get random numbers through HW is to use tpm-rng (intel-rng is no longer available for them). An by reading [1] seems like a pretty good idea.
However I have no intention to use tpm at all, neither I want any possibility to get any one monitoring my machine, which is one of the possible use cases with tpm.
Does one, just by using tpm to feed entropy, open any door on linux for any other tpm functionality? Or is it totally safe to use tpm-rng?
Never mind, dropped it already. Seems like rng-tools can't read tpm-rng from i5/i7 any ways (even by having /dev/hwrng and /dev/tpm0), so no need to find out if I can't get it working any ways. Thanks, -- Javier
On 24/12/14 02:45 PM, Javier Vasquez wrote:
Hi,
Seems like on i5 and i7 chips the way to get random numbers through HW is to use tpm-rng (intel-rng is no longer available for them). An by reading [1] seems like a pretty good idea.
However I have no intention to use tpm at all, neither I want any possibility to get any one monitoring my machine, which is one of the possible use cases with tpm.
Does one, just by using tpm to feed entropy, open any door on linux for any other tpm functionality? Or is it totally safe to use tpm-rng?
Thanks,
Ivy Bridge and later have an RDRAND instruction exposing a hardware random number generator so there's no need for any TPM stuff. RDSEED will be provided by Broadwell and later for lower-level access to the hardware entropy rather than via a CSPRNG. It's already leveraged by the kernel and libraries like the C++ <random> implementation in libstdc++.
On Wed, Dec 24, 2014 at 3:03 PM, Daniel Micay <danielmicay@gmail.com> wrote:
Ivy Bridge and later have an RDRAND instruction exposing a hardware random number generator so there's no need for any TPM stuff. RDSEED will be provided by Broadwell and later for lower-level access to the hardware entropy rather than via a CSPRNG. It's already leveraged by the kernel and libraries like the C++ <random> implementation in libstdc++.
Great to know. Perhaps there will be no need for rng-tools neither haveged for those processors, :-) Bad thing my i5/i7 processors are still sandy bridge. So whether I use tpm-rng (rng-tools doesn't read it, so no luck), or I use haveged, or nothing, :-) Thanks for answering. -- Javier
FWIW, I don't think just by enabling On Wednesday, December 24, 2014, Javier Vasquez <j.e.vasquez.v@gmail.com> wrote:
On Wed, Dec 24, 2014 at 3:03 PM, Daniel Micay <danielmicay@gmail.com <javascript:;>> wrote:
Ivy Bridge and later have an RDRAND instruction exposing a hardware random number generator so there's no need for any TPM stuff. RDSEED will be provided by Broadwell and later for lower-level access to the hardware entropy rather than via a CSPRNG. It's already leveraged by the kernel and libraries like the C++ <random> implementation in libstdc++.
Great to know. Perhaps there will be no need for rng-tools neither haveged for those processors, :-)
Bad thing my i5/i7 processors are still sandy bridge. So whether I use tpm-rng (rng-tools doesn't read it, so no luck), or I use haveged, or nothing, :-)
Thanks for answering.
-- Javier
-- (nil)
[sorry, hit send by mistake...] On Sunday, December 28, 2014, Gustavo De Nardin (spuk) <gustavodn@gmail.com> wrote:
FWIW, I don't think just by enabling
On Wednesday, December 24, 2014, Javier Vasquez <j.e.vasquez.v@gmail.com <javascript:_e(%7B%7D,'cvml','j.e.vasquez.v@gmail.com');>> wrote:
On Wed, Dec 24, 2014 at 3:03 PM, Daniel Micay <danielmicay@gmail.com> wrote:
Ivy Bridge and later have an RDRAND instruction exposing a hardware random number generator so there's no need for any TPM stuff. RDSEED will be provided by Broadwell and later for lower-level access to the hardware entropy rather than via a CSPRNG. It's already leveraged by the kernel and libraries like the C++ <random> implementation in libstdc++.
Great to know. Perhaps there will be no need for rng-tools neither haveged for those processors, :-)
Bad thing my i5/i7 processors are still sandy bridge. So whether I use tpm-rng (rng-tools doesn't read it, so no luck), or I use haveged, or nothing, :-)
Thanks for answering.
-- Javier
FWIW, I don't think just by enabling the TPM you have any risk of "being monitored". AFAIK the TPM just provides some trust/crypto-related functions for the use of the OS and/or applications. t'
-- (nil)
-- (nil)
participants (3)
-
Daniel Micay
-
Gustavo De Nardin (spuk)
-
Javier Vasquez