[OpenWrt-Devel] [PATCH RFC 0/5] ath79: add micro non-physical true RNG based on timing jitter
Petr Štetiar
ynezz at true.cz
Mon May 20 12:13:20 EDT 2019
Hi,
this patch series is an RFC which attempts to fix some of the current
urandom-seed based flaws.
First, simply writing to /dev/urandom does not increase the kernel's
entropy count, this casuses processes obtaining randomness to block.
Particularly processes using OpenSSL's RAND_bytes() will block until the
kernel emits 'random: crng init done'. This can take upwards of twenty
minutes.
According to random(4) the entropy count is only increased when using the
RNDADDENTROPY ioctl, which urandom-seed currently doesn't use when feeding the
kernel RNG.
Second, urandom-seed is using /etc/urandom.seed file to seed the kernel's RNG
machinery upon every boot. The problem is, that this file is created only once
during first-boot and then reused on every consecutive boot, so pretty much
static.
So this patch series removes urandom-seed package in favor of urngd, which is
new micro non-physical true random number generator (system service) based on
timing jitter.
Using the Jitter RNG core, the urngd provides an entropy source that
feeds into the Linux /dev/random device if its entropy runs low. It
updates the /dev/random entropy estimator such that the newly provided
entropy unblocks /dev/random.
The seeding of /dev/random also ensures that /dev/urandom benefits from
entropy. Especially during boot time, when the entropy of Linux is low,
the Jitter RNGd provides a source of sufficient entropy.
Some RNG init time numbers from qca9563 (TP-Link Archer C7 v5):
[ 12.045693] random: crng init done (urngd)
[ 120.043132] random: crng init done (urandom-seed)
Flash space details:
urngd: + 4579 b
getrandom: - 1635 b
urandom-seed: - 841 b
----------------------
diff + 2103 b
Cc: Stephan Mueller <smueller at chronox.de>
Cc: Dustin Lundquist <d.lundquist at temperednetworks.com>
Petr Štetiar (5):
urng: add micro non-physical true RNG based on timing jitter
ubox: move getrandom into separate getrandom package
base-files: move urandom seed bits into separate package
build: add urandom-seed to the default packages set
ath79: make urngd default RNG seed source
include/target.mk | 2 +-
package/base-files/Makefile | 11 ++++-
package/base-files/files/etc/init.d/urandom_seed | 12 ------
.../base-files/files/lib/preinit/81_urandom_seed | 24 -----------
package/base-files/files/sbin/urandom_seed | 20 ---------
package/system/ubox/Makefile | 17 ++++++--
package/system/urandom-seed/Makefile | 32 +++++++++++++++
.../urandom-seed/files/etc/init.d/urandom_seed | 12 ++++++
.../urandom-seed/files/lib/preinit/81_urandom_seed | 24 +++++++++++
.../system/urandom-seed/files/sbin/urandom_seed | 20 +++++++++
package/system/urngd/Makefile | 48 ++++++++++++++++++++++
package/system/urngd/files/urngd.init | 21 ++++++++++
target/linux/ath79/Makefile | 3 +-
13 files changed, 184 insertions(+), 62 deletions(-)
delete mode 100755 package/base-files/files/etc/init.d/urandom_seed
delete mode 100644 package/base-files/files/lib/preinit/81_urandom_seed
delete mode 100755 package/base-files/files/sbin/urandom_seed
create mode 100644 package/system/urandom-seed/Makefile
create mode 100755 package/system/urandom-seed/files/etc/init.d/urandom_seed
create mode 100644 package/system/urandom-seed/files/lib/preinit/81_urandom_seed
create mode 100755 package/system/urandom-seed/files/sbin/urandom_seed
create mode 100644 package/system/urngd/Makefile
create mode 100755 package/system/urngd/files/urngd.init
--
1.9.1
_______________________________________________
openwrt-devel mailing list
openwrt-devel at lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel
More information about the openwrt-devel
mailing list