Wednesday, May 8th 2019
Some AMD Processors Have a Hardware RNG Bug, Losing Randomness After Suspend Resume
Red Hat Systemd (system and service manager) lead developer Lennart Poettering discovered that AMD A6-6310 "Beema" SoC that's popular among low-cost notebooks, has a faulty implementation of the RdRand random-number generation instruction. The processor's hardware random number generator (RNG) loses "randomness" after the machine resumes from a suspended state (i.e. waking up the notebook from sleep by opening its lid while it's powered on). Modern computers rely on RNGs for "entropy," critical to generation of unpredictable keys on the fly for SSL. However, the entropy source needn't be hardware, and isn't so by default. Software RNGs exist, and by default the Linux kernel does not use RdRand to generate entropy. Windows is not known to use RdRand for basic ACPI functions such as suspend/resume; however a faulty hardware RNG is not without implications for the platform, and applications that run on it.
Users on GitHub and Bugzilla report that with this bug, you cannot make a machine suspend a second time after waking it up from a suspended state, if your kernel uses RdRand. Commit cc83d51 to Systemd introduced optional randomness generation based on RdRand instruction. So, if RdRand instruction is present, it is used to generate UUIDs for invocation IDs. Michael Larabel of Phoronix comments that the RdRand bug is only found on older generations of AMD processors, "Excavator" and older; and does not affect the latest "Zen" processors. This bug report chronicles what's wrong with RdRand on the affected processors, as does this Linux kernel bugzilla thread. By avoiding RdRand usage on the system as part of generating a UUID, the reported systemd issue no longer happens. Red Hat is working on a solution to this bug.
Source:
Phoronix
Users on GitHub and Bugzilla report that with this bug, you cannot make a machine suspend a second time after waking it up from a suspended state, if your kernel uses RdRand. Commit cc83d51 to Systemd introduced optional randomness generation based on RdRand instruction. So, if RdRand instruction is present, it is used to generate UUIDs for invocation IDs. Michael Larabel of Phoronix comments that the RdRand bug is only found on older generations of AMD processors, "Excavator" and older; and does not affect the latest "Zen" processors. This bug report chronicles what's wrong with RdRand on the affected processors, as does this Linux kernel bugzilla thread. By avoiding RdRand usage on the system as part of generating a UUID, the reported systemd issue no longer happens. Red Hat is working on a solution to this bug.
27 Comments on Some AMD Processors Have a Hardware RNG Bug, Losing Randomness After Suspend Resume
That would be a bit less "attention grabbing" though I suppose. ;)
Let's hope they bring out a microcode update quickly.
It's also odd that this appears to have been first reported in 2014 and it's only being worked on now? Maybe it's a non-issue (per the comments) as most of this stuff is now in software/windows doesn't use it. So why have the Linux folks just decided to do an update/fix for it recently? Strange.
You think they are going to do something with this? I mean, Ryzen going to replace these older AMD products anyway.
There are embedded chips on this arch running a lot of hardware. How would you feel taking money from an ATM, if you know it may have faulty encryption? ;-)
These embedded chips will work for many years (hopefully).
If we searched long enough, I'm sure we'd find trains or planes using these chips as well.
Thing is: Intel implemented this first and introduced and instruction set that got popular. AMD made a workaround, computation-based implementation (so not really random, but still extremely good). Problem is: people found a situation when this algorithm breaks and RNG quality drops significantly.
Zen uses an entropy-based implementation similar to Intel's, so it isn't affected by this issue.
Definitely not recent.
In case you wonder where scientists got random numbers earlier: they ordered them. For money.
Entropy-based implementations in CPUs are rather good, just very slow. A fast quantum-based RNG costs $1000.
If AMD's workaround (before Zen it was not a true hardware RNG, just a boosted pseudo) is faulty and there's a chance of a problem in some critical applications (embedded!), it has to be fixed or killed.
bugzilla.redhat.com/show_bug.cgi?id=1150286
I don't particularly love systemd, but it works and it adds value.
EDIT: fixed. My post was duped all over if anyones curious.
fromwakeup the laptop from sleep.