 

Read Intel DRBG parameters

Newer Intel processors include a DRBG, which generates random numbers which you can read with the RDRAND instruction. It involves a 256-bit seed S generated from a hardware entropy source dependent on noise in a metastable oscillator. The algorithm used to arrive at the numbers is effectively AES(K,V), where K is an ephemeral key derived from half of S, and V is an IV which is derived from the other half of S. I think, anyway; this is explained much better by some people who audited it.

For various reasons, I would like to audit the performance of this mechanism programmatically in situ, which requires the ability to read or derive two things:

  • The value of S
  • The value of either K or V

Using this and the output of RDRAND across several iterations will provide me with the required test data to make this determination.

However, nowhere in the software developer's manual or elsewhere can I find any documented means of accomplishing either of these tasks.

Assuming that I am willing to write a Linux kernel module to accomplish this, and that I am willing to use RDMSR for it or any other means available including calls to on-die devices such as the MEI, is it possible to acquire this data?

Falcon Momot asked Nov 02 '22 14:11

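The only part of this mechanism software can observe directly is its output. The following is an added example, not code from the question or from Intel, showing what that observation looks like in practice: CPUID feature detection for RDRAND and RDSEED, reading each with the carry-flag check and retry loop Intel's guidance calls for, and a monobit frequency check over the collected output. It assumes GCC or Clang on x86-64 Linux (the `__get_cpuid*` helpers from `cpuid.h` and the `_rdrand64_step`/`_rdseed64_step` intrinsics from `immintrin.h`); on other targets it compiles to stubs that report the feature as absent. It reads outputs only; nothing in it recovers S, K or V.

```c
/* Added example (not from the original post). Reads RDRAND (DRBG output) and
 * RDSEED (conditioned entropy-source output) with the checks Intel documents:
 * CPUID feature bits, and testing the carry flag after every instruction.
 * Assumes GCC/Clang on x86-64; elsewhere the functions report "unsupported". */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#if defined(__x86_64__) && (defined(__GNUC__) || defined(__clang__))
#include <cpuid.h>
#include <immintrin.h>
#define HAVE_X86_RNG 1
#else
#define HAVE_X86_RNG 0
#endif

#define RDRAND_RETRIES 10     /* Intel's recommended retry budget for RDRAND   */
#define RDSEED_RETRIES 1024   /* RDSEED has no fixed budget; it is rate-limited */

/* CPUID.01H:ECX bit 30 */
int rdrand_supported(void) {
#if HAVE_X86_RNG
    unsigned int eax, ebx, ecx, edx;
    if (!__get_cpuid(1, &eax, &ebx, &ecx, &edx)) return 0;
    return (int)((ecx >> 30) & 1u);
#else
    return 0;
#endif
}

/* CPUID.(EAX=07H,ECX=0):EBX bit 18 */
int rdseed_supported(void) {
#if HAVE_X86_RNG
    unsigned int eax, ebx, ecx, edx;
    if (!__get_cpuid_count(7, 0, &eax, &ebx, &ecx, &edx)) return 0;
    return (int)((ebx >> 18) & 1u);
#else
    return 0;
#endif
}

#if HAVE_X86_RNG
/* The intrinsics return the carry flag: 1 = valid value, 0 = no data, retry. */
__attribute__((target("rdrnd")))
static int rdrand64_once(uint64_t *out) {
    unsigned long long v = 0;
    int ok = _rdrand64_step(&v);
    *out = (uint64_t)v;
    return ok;
}
__attribute__((target("rdseed")))
static int rdseed64_once(uint64_t *out) {
    unsigned long long v = 0;
    int ok = _rdseed64_step(&v);
    *out = (uint64_t)v;
    return ok;
}
#endif

/* 1 with a 64-bit DRBG output in *out; 0 if the feature is absent or the carry
 * flag stayed clear for RDRAND_RETRIES attempts (e.g. the DRBG is reseeding). */
int rdrand64(uint64_t *out) {
#if HAVE_X86_RNG
    if (rdrand_supported())
        for (int i = 0; i < RDRAND_RETRIES; i++)
            if (rdrand64_once(out)) return 1;
#endif
    *out = 0;
    return 0;
}

/* Same contract for RDSEED, which feeds from the conditioner, not the DRBG. */
int rdseed64(uint64_t *out) {
#if HAVE_X86_RNG
    if (rdseed_supported())
        for (int i = 0; i < RDSEED_RETRIES; i++)
            if (rdseed64_once(out)) return 1;
#endif
    *out = 0;
    return 0;
}

/* Fill buf with RDRAND output; returns bytes written (n on success). */
size_t fill_rdrand(uint8_t *buf, size_t n) {
    size_t done = 0;
    while (done < n) {
        uint64_t v;
        if (!rdrand64(&v)) break;
        size_t take = (n - done < 8) ? n - done : 8;
        memcpy(buf + done, &v, take);
        done += take;
    }
    return done;
}

/* Monobit frequency check in integer form: S = ones - zeros, pass if
 * S^2 <= 9 * bits (|S| within 3 sigma). Catches gross bias only; it tells you
 * nothing about the DRBG's internal state, which is the point of the question. */
int monobit_pass(const uint8_t *buf, size_t n) {
    int64_t ones = 0;
    for (size_t i = 0; i < n; i++)
        for (unsigned b = buf[i]; b; b &= b - 1) ones++;
    int64_t bits = (int64_t)n * 8;
    int64_t s = 2 * ones - bits;
    return s * s <= 9 * bits;
}

int main(void) {
    uint8_t buf[4096];
    uint64_t seed;
    printf("RDRAND: %s  RDSEED: %s\n", rdrand_supported() ? "yes" : "no",
           rdseed_supported() ? "yes" : "no");
    size_t got = fill_rdrand(buf, sizeof buf);
    printf("RDRAND bytes: %zu, monobit: %s\n", got,
           (got == sizeof buf && monobit_pass(buf, got)) ? "pass" : "fail/skipped");
    if (rdseed64(&seed)) printf("RDSEED sample: %016llx\n", (unsigned long long)seed);
    return 0;
}
```

The retry loop matters: a clear carry flag is the documented way the hardware signals "no data yet", and callers that ignore it silently consume whatever was left in the destination register. The monobit check is deliberately weak; it is the kind of black-box test that is possible from outside the boundary, and passing it says nothing about S, K or V.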


1 Answer

The internal state of the DRBG is within a FIPS 140-2 compliant security boundary. You cannot access those state variables.

David Johnston answered Nov 22 '22 15:11
