Remove All Software Generators

Frederick Gotham cauldwell.thomas at gmail.com
Wed Oct 30 14:12:19 UTC 2019


I'm working on Linux with a x86-64 CPU.

I have a TPM2 chip, and so I want OpenSSL to do all of its encryption 
and random number generation through the TPM2 chip.

In the event that the chip fails, I do NOT want there to be a backup 
system. I do NOT want any kind of software psuedorandom number generator 
nor any software encryption routines.

The engine that I'm using for OpenSSL is "libtpm2tss.so". This engine 
library requires two more libraries, "libtss2-tcti-device.so" and 
"libtss2-tcti-mssim.so". (The former is for using the TPM2 chip, whereas 
the latter is a software simulator).

As I don't want to have a simulator, I tried simply deleting the 
simulator library, but this caused linkage problems for the mother 
engine library. As an alternative, I made a new dummy library in which 
all of the functions return an error value, and I put this dummy library 
in the place of the simulator. This transplant went fine.

It appears that OpenSSL will kick and scream and refuse to die not 
matter how hard you hit it. If I try to generate a random number like 
this:

    openssl rand -hex 8

Then it seems it will try in this order:

1) The TPM2 chip
2) The software simulator of the TPM2 chip
3) The built-in RDRAND number
4) Another one that I can't find

I have recompiled OpenSSL with the flag OPENSSL_NO_RDRAND to get rid of 
the in-built engine. I have even done "rm /dev/random" and "rm 
/dev/urandom", but SOME HOW, SOME WAY, I'm still getting output when I 
run openssl rand -hex 8.

How on earth to get OpenSSL to simply give up? I simply cannot have it 
use anything other than my TPM2 chip.

Frederick




More information about the openssl-users mailing list