"By this year, the Sigint Enabling Project had found ways inside some of the encryption chips that scramble information for businesses and governments, either by working with chipmakers to insert back doors..."
A bug deliberately introduced in an AES instruction, or in general purpose instructions that detects crypto operations and leaks information somehow, is much, much harder to implement and hide than a pseudo-random number generator that passes all tests that you apply to it, but produces predictable output for someone who knows some secret key.
> It's worth noting that the maintainer of record (me) for the Linux RNG quit the project about two years ago precisely because Linus decided to include a patch from Intel to allow their unauditable RdRand to bypass the entropy pool over my strenuous objections.
> From a quick skim of current sources, much of that has recently been rolled back (/dev/random, notably) but kernel-internal entropy users like sequence numbers and address-space randomization appear to still be exposed to raw RdRand output.
Ted Ts'o later reverted this, separating out Intel's hardware random number generation into a separate function that could be used to seed the entropy pool but wouldn't be trusted directly as the main kernel source of random numbers:
If I had to guess what happened, some intel people pushed this as a feature, probably pushing it via one of the x86 git trees, and Linus either (a) didn't notice, or (b) didn't understand the implications, and then Matt quit in a huff --- by just stopping to do work, and not even updating the entry in the MAINTAINERS file. (That didn't happen until I took over the random driver again.)
It doesn't really look like he had NAKed it on paranoia grounds, but more on design grounds; others brought up the paranoia arguments. You were even involved in that thread, so you should have seen his stepping down, although he didn't submit a patch to MAINTAINERS.
Regardless, I'm glad that paranoia did eventually prevail, despite Linus's original strong objections.
"The NSA's codeword for its decryption program, Bullrun, is taken from a major battle of the American civil war. Its British counterpart, Edgehill"
"N.S.A. spends more than $250 million a year on its Sigint Enabling Project, which “actively engages the U.S. and foreign IT industries to covertly influence and/or overtly leverage their commercial products’ designs” to make them “exploitable.”"
Bull Mountain, is Intel's code name for both the RdRand instruction and the underlying random number generator (RNG) hardware implementation.
bull [mountain|hill] [intel|processor]
did Linus ever comment on the roll-back ?