Generate random bytes

[matzedav]

Hey,

I want to use LibTomCrypt in my TA to generate random keys (on QEMU Optee v8). If I use the following methods I get repeatedly the same "random" bytes.

res = TEE_GenerateKey(obh, key_size, attr, attr_size)
res = TEE_GenerateRandom(buf, buf_size)

Did I have to initialize the PRNG by myself or is it initialized automatically when i call the functions?
Your help is much appreciated!

[jforissier]

Hi @xNado,

TL;DR: it looks like something's wrong with entropy gathering. You should not need to call any PRNG initialization function. More investigation is needed.

• QEMU v8 uses a software PRNG. This is configured by CFG_WITH_SOFTWARE_PRNG=y (here) because there is no hardware source of randomness on this platform (or we don't have a driver for it). The software implementation is based on the Fortuna algorithm in LibTomcrypt, unless AES or SHA256 are disabled (here), in which case RC4 is used (here).
• Entropy is injected into the PRNG (whatever its type) by plat_prng_add_jitter_entropy() and plat_prng_add_jitter_entropy_no_rpc() (here). Those can be redefined by platform-specific code. For QEMU, which has a CNTPCT counter (CFG_SECURE_TIME_SOURCE_CNTPCT=y, here), entropy is read from the CNTPCT (here).
• Entropy is injected first at OP-TEE initialization time (here), and also when switching from secure to normal world (here and when a TA opens (here) or closes (here) a session. So we should expect no repeating pattern in the random output.

That's for the theory. Now, indeed I observe that after each boot of QEMU, the output of TEE_GenerateRandom() is the same, although plat_prng_add_jitter_entropy() claims it is adding a different value each time (you need to build with CFG_TEE_CORE_LOG_LEVEL=4 to get the following traces):

# First boot
INFO:    TEE-CORE: OP-TEE version: 2.5.0-dev #8 Thu Aug  3 07:34:41 UTC 2017 aarch64
DEBUG:   [0x0] TEE-CORE:mobj_mapped_shm_init:592: Shared memory address range: f800000, 10c00000
FLOW:    [0x0] TEE-CORE:plat_prng_add_jitter_entropy:98: plat_prng_add_jitter_entropy: 0x3F79
INFO:    TEE-CORE: Initialized

# Second boot
INFO:    TEE-CORE: OP-TEE version: 2.5.0-dev #8 Thu Aug  3 07:34:41 UTC 2017 aarch64
DEBUG:   [0x0] TEE-CORE:mobj_mapped_shm_init:592: Shared memory address range: f800000, 10c00000
FLOW:    [0x0] TEE-CORE:plat_prng_add_jitter_entropy:98: plat_prng_add_jitter_entropy: 0xB8EB
INFO:    TEE-CORE: Initialized

It looks like prng_add_entropy() has no effect on the bytes returned by prng_read(). Weird.

[jforissier]

It seems Fortuna needs to be fed lots of entropy bytes before the output of the first random read will change. See this discussion: https://groups.google.com/forum/#!msg/libtom/yzfarD7k2nA/-7h9zyuuHjcJ.

[d3zd3z]

It may be worth looking at how FreeBSD does the randomness. Their /dev/random device will block initially, until the driver believes it has enough entropy (such as loading a previous state). Then it doesn't block any more.

[matzedav]

Hi,

what's the status with this bug? It's a very critical point. Without randomness the whole cryptography is pointless.

Should I call the function as many times as described in the google discussion? Or will this be fixed in optee os?

[jbech-linaro]

Hi @xNado ,

We have patches ready basically since this was brought up, we will submit them as a PR probably this week. Reason for delaying is that we have a disclosure process which involves talking to the stakeholders of OP-TEE also. So even though we could and want to submit fixes asap, there are some cases where we do things with the stakeholders before publish everything. But again, we will submit the PR probably this week. Thanks for reaching out and sending a reminder.

[jforissier]

Hi @xNado,

Please see #1843.