-
Notifications
You must be signed in to change notification settings - Fork 186
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Is the ESPIDF implementation actually correct? #397
Comments
I also think that we should consider adding support for the |
This issue has more information about
I would expect to at least get an error code in this case. Also, I couldn't find whether they use proper whitening of entropy received from hardware. We probably should work with ESP IDF people to clarify exact guarantees and if necessary maybe ask them to add a separate function for cryptographically secure randomness. |
Looking at espressif/esp-idf#8725 and the ESP-IDF RNG docs, it seems like the only thing we are missing API-wise is a function to check if we are in the "secure configuration" or not, which would basically check that either:
My reading of the docs is that if one of those conditions is true, ESP-IDF guarantees For now we should probably try to convince Espressif to add an Until such a function exists, we should probably just add a warning in the docs that you have to be running ESP-IDF in the secure configuration mentioned above to get cryptographically secure random numbers. Disabling support entirely seems counterproductive as it's not like there's anything better ESP-IDF users can do right now. |
I am open to the possibility of having built-in ESP-IDF support if they provide APIs that allow us to be confident that the implementation is correct. However, I think that we shouldn't provide an implementation that we don't think is correct in the meantime. So I suggest we move this target back to being a "custom" target for now. Then somebody can provide the current implementation in a separate crate, and people can choose whether that crate is good enough for their need. |
Personally, I would want our policy to roughly reflect what's currently in the
The main reason for having such a policy is that:
This also reduces the scope of what this crate is responsible for. If our policy is "we use the best OS API available" then:
For the ESP-IDF issue specifically, if it were possible for users to write a better implementation than ours using |
OTOH, people are using So, I do think that on espidf we should allow a custom implementation to override our default, and get entropy from the espidf entropy source through One scheme that would work well for ESP-IDF would be for the user to register a custom implementation of |
cc @0xjakob |
This also could be useful for the seed CSR defined in the RISC-V scalar crypto spec. It (somewhat annoyingly for software developers) states the following:
So we can not use its output directly as we do with RDRAND, we have to use it as a CSPRNG seed. But it's unclear how to make plugging of a custom userspace CSPRNG implementation convenient enough. By relying on For now, we probably can just hide the backend behind a configuration flag introduced as part of #498, i.e. users would have to explicitly opt-in into it, fully understanding potential consequences. |
When reviewing the corresponding change to ring, briansmith/ring#1944, I noticed that the implementation in
getrandom
for ESPIDF seems really questionable. The ESPIDF documentation is quite vague on what promises its PRNG is making, especially when the OS isn't fully configured. It also encourages people to use a userspace CSPRNG; it isn't clear if this suggestion is intended to just address performance or security or both.In particular, should the ESPIDF random API considered more of an entropy source, but not a full CSPRNG?
In ring we've taken the approach, temporarily, of using
getrandom
on this OS only if the user opts in with a feature flag that draws attention to this concern.The text was updated successfully, but these errors were encountered: