Re: FYI/RFC: early-rng-init-tools

To: Ben Hutchings <ben@decadent.org.uk>
Cc: Thorsten Glaser <tg@debian.org>, debian-devel@lists.debian.org
Subject: Re: FYI/RFC: early-rng-init-tools
From: Kurt Roeckx <kurt@roeckx.be>
Date: Sun, 3 Mar 2019 22:55:20 +0100
Message-id: <[🔎] 20190303215520.GU1615@roeckx.be>
In-reply-to: <[🔎] 3815046ddfa0d7909503bd0d37ec0adb5e907e57.camel@decadent.org.uk>
References: <Pine.BSM.4.64L.1902241918320.19896@herc.mirbsd.org> <[🔎] 20190303175922.GA3306@roeckx.be> <[🔎] 3815046ddfa0d7909503bd0d37ec0adb5e907e57.camel@decadent.org.uk>

On Sun, Mar 03, 2019 at 08:19:44PM +0000, Ben Hutchings wrote:
> On Sun, 2019-03-03 at 18:59 +0100, Kurt Roeckx wrote:
> [...]
> > Most people will actually have at least 2 hardware RNGs: One in
> > the CPU and one in the TPM. We can make the kernel trust those as
> > entropy source without using something in userspace to feed it.
> > I'm not sure in the kernel has the option to use the TPM directly
> > as source, but it makes it available as /dev/hwrng.
> [...]
> 
> If there is at least one hardware RNG with a non-zero "quality" then
> the kernel will start a thread (khwrngd) that reads from the hardware
> RNG and adds those bits to the core RNG, crediting each bit with
> quality/1024 bits of entropy.
> 
> Most hardware RNG drivers don't specify quality and it defaults to
> zero, but this can be overridden by setting the module parameter
> rng-core.default_quality.  Perhaps we should set a low but non-zero
> default value?

I think choas key is the exception to this, the kernel uses it by
default. Changing that is going to surprise people.

I don't know if we can find actually find out what quality the
RNG should provide for most devices. I think for some we can set
reasonable defaults. But at least with TPMs it can be one of
various manufacturers, so the quality might be totally different.

> There are potential problems with doing this: some of these hardware
> RNGs are probably quite weak, so we have to be very conservative, but
> then the less entropy we credit the more CPU time will be spent in the
> hardware RNG reader thread.

I gues that what I would like is that at the start it just gets
the entropy it needs, and then keeps feeding it at a low rate, for
instance a few bytes every few seconds. I don't know if that's
something that can be set, or that it currently does.

I have a FST-01 / NeuG, which I guess is like the worst RNG you
can get. It generates less then 0.03 bit / bit of entropy, but can
do this at 80 or 280 kB/s depending on the setting. With 0.03 bit
/ bit, it takes 533 byte to get to the 128 bit entropy level. At
80 kB/s, that takes 6.6 ms. So even if we set the quality very
low, it can still be very useful.

(The kernel does not recoginize it as an RNG, you need rng-tools
for it.)

Kurt

Reply to:

Follow-Ups:
- Re: FYI/RFC: early-rng-init-tools
  - From: Ben Hutchings <ben@decadent.org.uk>

References:
- Re: FYI/RFC: early-rng-init-tools
  - From: Kurt Roeckx <kurt@roeckx.be>
- Re: FYI/RFC: early-rng-init-tools
  - From: Ben Hutchings <ben@decadent.org.uk>

Prev by Date: Re: FYI/RFC: early-rng-init-tools
Next by Date: Re: FYI/RFC: early-rng-init-tools
Previous by thread: Re: FYI/RFC: early-rng-init-tools
Next by thread: Re: FYI/RFC: early-rng-init-tools
Index(es):
- Date
- Thread