Remove All Software Generators
cauldwell.thomas at gmail.com
Wed Oct 30 14:12:19 UTC 2019
I'm working on Linux with a x86-64 CPU.
I have a TPM2 chip, and so I want OpenSSL to do all of its encryption
and random number generation through the TPM2 chip.
In the event that the chip fails, I do NOT want there to be a backup
system. I do NOT want any kind of software psuedorandom number generator
nor any software encryption routines.
The engine that I'm using for OpenSSL is "libtpm2tss.so". This engine
library requires two more libraries, "libtss2-tcti-device.so" and
"libtss2-tcti-mssim.so". (The former is for using the TPM2 chip, whereas
the latter is a software simulator).
As I don't want to have a simulator, I tried simply deleting the
simulator library, but this caused linkage problems for the mother
engine library. As an alternative, I made a new dummy library in which
all of the functions return an error value, and I put this dummy library
in the place of the simulator. This transplant went fine.
It appears that OpenSSL will kick and scream and refuse to die not
matter how hard you hit it. If I try to generate a random number like
openssl rand -hex 8
Then it seems it will try in this order:
1) The TPM2 chip
2) The software simulator of the TPM2 chip
3) The built-in RDRAND number
4) Another one that I can't find
I have recompiled OpenSSL with the flag OPENSSL_NO_RDRAND to get rid of
the in-built engine. I have even done "rm /dev/random" and "rm
/dev/urandom", but SOME HOW, SOME WAY, I'm still getting output when I
run openssl rand -hex 8.
How on earth to get OpenSSL to simply give up? I simply cannot have it
use anything other than my TPM2 chip.
More information about the openssl-users