Remove All Software Generators
Dmitry Belyavsky
beldmit at gmail.com
Wed Oct 30 14:48:16 UTC 2019
Did you try to create your own RAND_METHOD and set it as default on loading
the engine?
On Wed, Oct 30, 2019 at 5:40 PM Frederick Gotham <cauldwell.thomas at gmail.com>
wrote:
>
> I'm working on Linux with a x86-64 CPU.
>
> I have a TPM2 chip, and so I want OpenSSL to do all of its encryption
> and random number generation through the TPM2 chip.
>
> In the event that the chip fails, I do NOT want there to be a backup
> system. I do NOT want any kind of software psuedorandom number generator
> nor any software encryption routines.
>
> The engine that I'm using for OpenSSL is "libtpm2tss.so". This engine
> library requires two more libraries, "libtss2-tcti-device.so" and
> "libtss2-tcti-mssim.so". (The former is for using the TPM2 chip, whereas
> the latter is a software simulator).
>
> As I don't want to have a simulator, I tried simply deleting the
> simulator library, but this caused linkage problems for the mother
> engine library. As an alternative, I made a new dummy library in which
> all of the functions return an error value, and I put this dummy library
> in the place of the simulator. This transplant went fine.
>
> It appears that OpenSSL will kick and scream and refuse to die not
> matter how hard you hit it. If I try to generate a random number like
> this:
>
> openssl rand -hex 8
>
> Then it seems it will try in this order:
>
> 1) The TPM2 chip
> 2) The software simulator of the TPM2 chip
> 3) The built-in RDRAND number
> 4) Another one that I can't find
>
> I have recompiled OpenSSL with the flag OPENSSL_NO_RDRAND to get rid of
> the in-built engine. I have even done "rm /dev/random" and "rm
> /dev/urandom", but SOME HOW, SOME WAY, I'm still getting output when I
> run openssl rand -hex 8.
>
> How on earth to get OpenSSL to simply give up? I simply cannot have it
> use anything other than my TPM2 chip.
>
> Frederick
>
>
>
--
SY, Dmitry Belyavsky
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20191030/f343ab10/attachment.html>
More information about the openssl-users
mailing list