-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 NetBSD Security Advisory 2006-009 ================================= Topic: False detection of Intel hardware RNG Version: NetBSD-current: source prior to February 19, 2006 NetBSD 3.0: affected NetBSD 2.1: affected NetBSD 2.0.*: affected NetBSD 2.0: affected NetBSD 1.6.*: affected NetBSD 1.6: affected Severity: A constant stream is feed into the entropy pool Fixed: NetBSD-current: February 19, 2006 NetBSD-3-0 branch: February 26, 2006 (3.0.1 will include the fix) NetBSD-3 branch: February 26, 2006 NetBSD-2-1 branch: February 26, 2006 (2.1.1 will include the fix) NetBSD-2-0 branch: February 26, 2006 (2.0.4 will include the fix) NetBSD-2 branch: February 26, 2006 NetBSD-1-6 branch: February 26, 2006 Abstract ======== The driver for Intel's random number generator may incorrectly detect the presence of the device on some hardware. This can lead to the driver feeding a constant stream into the entropy pool. Technical Details ================= When Intel introduced the i8xx motherboard chipsets for x86 CPUs they also released the 82802 chip called the "firmware hub". One of the features provided by this chip is a hardware random number generator. The NetBSD kernel provides a driver which uses this hardware random number generator to collect entropy for the kernel random number generator, rnd(4). This kernel random number generator is, among other things, used to provide random input to applications which need to create cryptographic keys, e.g. the SSH daemon or GnuPG. However, some later Intel chipsets incorrectly report the presence of the hardware RNG device, and the NetBSD driver unfortunately incorrectly detected the chip in systems which didn't really have one. When this happened a constant stream of bytes with the value 255 was fed into the kernel random number generator. Users relying on a falsely-attached 82802 chip as the sole randomness source for rnd(4) may be at significant risk of poor-quality or highly predictable output. Such circumstances may arise on embedded-style systems without hard disks or other common sources, or where the administrator has explicitly disabled the other sources in the belief that the hardware RNG was superior or sufficient. This could therefore result in the use of predictable keys for cryptography, disabling the expected protection. Please refer to this web page for details: http://home.comcast.net/~andrex/hardware-RNG/doihave.html Systems potentially affected meet the following conditions: - Using an Intel i8xx motherboard chipset for x86 CPUs - The kernel prints out "pchb0: random number generator enabled" during boot, additionally the device "pchb0" should show in the output from "rndctl -l". Solutions and Workarounds ========================= The rndctl(8) command can be used to examine and control which sources contribute to the rnd(4) randomness pool. Using this command is it possible to discover if the pchb0 device is contributing to the randomness pool, and also to disable this input in an existing kernel if you suspect the 82802 device has been falsely detected. In general, it is desirable to mix data from a wide range of sources into the rnd(4) pool, and several types of devices are enabled by default, including disks and user-input devices such as keyboards and mice. On some hardware, none of these devices may exist or be used, and thus little or no good-quality random data may be contributed to the pool. Network devices are disabled by default, but owners of such systems should consider enabling them if no other sources are available. To correct the false detection of Intel RNG hardware, for all NetBSD versions, you need to obtain fixed kernel sources, rebuild and install the new kernel, and reboot the system. The fixed source may be obtained from the NetBSD CVS repository. The following instructions briefly summarise how to upgrade your kernel. In these instructions, replace: ARCH with your architecture (from uname -m), and KERNCONF with the name of your kernel configuration file. To update from CVS, re-build, and re-install the kernel for any of the netbsd-2, netbsd-2-0, netbsd-2-1, netbsd-3 or netbsd-3-0 branches: # cd src # cvs update -d -P sys/arch/i386/pci/pchb_rnd.c # ./build.sh kernel=KERNCONF # mv /netbsd /netbsd.old # cp sys/arch/ARCH/compile/obj/KERNCONF/netbsd /netbsd # shutdown -r now To update from CVS, re-build, and re-install the kernel for the -current (a.k.a HEAD) branch: # cd src # cvs update -d -P sys/arch/x86/pci/pchb_rnd.c # ./build.sh kernel=KERNCONF # mv /netbsd /netbsd.old # cp sys/arch/ARCH/compile/obj/KERNCONF/netbsd /netbsd # shutdown -r now For more information on how to do this, see: http://www.NetBSD.org/guide/en/chap-kernel.html Thanks To ========= Matthias Scheler for reporting the bug and implementing the fixes. Thor Lancelot Simon for initial identification and discussion of the issue. Revision History ================ 2006-04-12 Initial release More Information ================ Advisories may be updated as new information becomes available. The most recent version of this advisory (PGP signed) can be found at ftp://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2006-009.txt.asc Information about NetBSD and NetBSD security can be found at http://www.NetBSD.org/ and http://www.NetBSD.org/Security/. Copyright 2006, The NetBSD Foundation, Inc. All Rights Reserved. Redistribution permitted only in full, unmodified form. $NetBSD: NetBSD-SA2006-009.txt,v 1.11 2006/04/12 22:09:50 adrianp Exp $ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.3 (NetBSD) iQCVAwUBRD1+jD5Ru2/4N2IFAQIiZQQAunM8esJbsKmK6HngUuDS2wRhHCXiWR1t /fnp1HZFR+oOaLAOru9YYNSM9JZCdGKs8JGn2QPkr5GE98sLOyqqquNlBJ0pxnCY oNTi33UndMxIETapPZU7EnRsqhyDzF/0Xfy6egjhSVepIDVV8gSTnV0wnyFTAzB+ MJFjCsMcHTw= =iCSI -----END PGP SIGNATURE-----