Re: FYI/RFC: early-rng-init-tools

To: Kurt Roeckx <kurt@roeckx.be>
Cc: Thorsten Glaser <tg@debian.org>, debian-devel@lists.debian.org
Subject: Re: FYI/RFC: early-rng-init-tools
From: Ben Hutchings <ben@decadent.org.uk>
Date: Sun, 03 Mar 2019 23:17:47 +0000
Message-id: <[🔎] 3155407431e96678b625bd16c77d542558738ad9.camel@decadent.org.uk>
In-reply-to: <[🔎] 20190303215520.GU1615@roeckx.be>
References: <Pine.BSM.4.64L.1902241918320.19896@herc.mirbsd.org> <[🔎] 20190303175922.GA3306@roeckx.be> <[🔎] 3815046ddfa0d7909503bd0d37ec0adb5e907e57.camel@decadent.org.uk> <[🔎] 20190303215520.GU1615@roeckx.be>

On Sun, 2019-03-03 at 22:55 +0100, Kurt Roeckx wrote:
> On Sun, Mar 03, 2019 at 08:19:44PM +0000, Ben Hutchings wrote:
> > On Sun, 2019-03-03 at 18:59 +0100, Kurt Roeckx wrote:
> > [...]
> > > Most people will actually have at least 2 hardware RNGs: One in
> > > the CPU and one in the TPM. We can make the kernel trust those as
> > > entropy source without using something in userspace to feed it.
> > > I'm not sure in the kernel has the option to use the TPM directly
> > > as source, but it makes it available as /dev/hwrng.
> > [...]
> > 
> > If there is at least one hardware RNG with a non-zero "quality" then
> > the kernel will start a thread (khwrngd) that reads from the hardware
> > RNG and adds those bits to the core RNG, crediting each bit with
> > quality/1024 bits of entropy.
> > 
> > Most hardware RNG drivers don't specify quality and it defaults to
> > zero, but this can be overridden by setting the module parameter
> > rng-core.default_quality.  Perhaps we should set a low but non-zero
> > default value?
> 
> I think choas key is the exception to this, the kernel uses it by
> default. Changing that is going to surprise people.

The module parameter only affects devices where the driver doesn't
specify quality.  The chaoskey driver should be unaffected.

> I don't know if we can find actually find out what quality the
> RNG should provide for most devices. I think for some we can set
> reasonable defaults. But at least with TPMs it can be one of
> various manufacturers, so the quality might be totally different.
>
> > There are potential problems with doing this: some of these hardware
> > RNGs are probably quite weak, so we have to be very conservative, but
> > then the less entropy we credit the more CPU time will be spent in the
> > hardware RNG reader thread.
> 
> I gues that what I would like is that at the start it just gets
> the entropy it needs, and then keeps feeding it at a low rate, for
> instance a few bytes every few seconds. I don't know if that's
> something that can be set, or that it currently does.
[...]

khwrngd will block (in add_hwgenerator_randomness()) when the estimated
entropy in the random pool is above a certain threshold, which appears
to be 7/8 of the pool size by default.

Ben.

-- 
Ben Hutchings
No political challenge can be met by shopping. - George Monbiot

Attachment: signature.asc
Description: This is a digitally signed message part

Reply to:

References:
- Re: FYI/RFC: early-rng-init-tools
  - From: Kurt Roeckx <kurt@roeckx.be>
- Re: FYI/RFC: early-rng-init-tools
  - From: Ben Hutchings <ben@decadent.org.uk>
- Re: FYI/RFC: early-rng-init-tools
  - From: Kurt Roeckx <kurt@roeckx.be>

Prev by Date: Re: FYI/RFC: early-rng-init-tools
Next by Date: Re: Help request: Contribute to MariaDB 10.3 in Debian efforts
Previous by thread: Re: FYI/RFC: early-rng-init-tools
Next by thread: Re: FYI/RFC: early-rng-init-tools
Index(es):
- Date
- Thread