[OpenWrt-Devel] [PATCH RFC 0/5] ath79: add micro non-physical true RNG based on timing jitter

Etienne Champetier champetier.etienne at gmail.com
Tue May 21 05:55:42 PDT 2019


Hi Petr,

Le lun. 20 mai 2019 à 18:14, Petr Štetiar <ynezz at true.cz> a écrit :
>
> Hi,
>
> this patch series is an RFC which attempts to fix some of the current
> urandom-seed based flaws.
>
> First, simply writing to /dev/urandom does not increase the kernel's
> entropy count, this casuses processes obtaining randomness to block.
> Particularly processes using OpenSSL's RAND_bytes() will block until the
> kernel emits 'random: crng init done'. This can take upwards of twenty
> minutes.

20 minutes seems excessive, isn't one of the process blocking boot ?

>
> According to random(4) the entropy count is only increased when using the
> RNDADDENTROPY ioctl, which urandom-seed currently doesn't use when feeding the
> kernel RNG.

we could use RNDADDENTROPY, but as I'm no cryptographer,
I just imitated what was done in debian before systemd and in systemd
at the time
(read a seed when random pool is initialized, feed it on next boot)

One of the issue is that if you try to generate a new seed, you are
just reading a hash of the seed you injected seconds earlier with
maybe few new bits of entropy

>
> Second, urandom-seed is using /etc/urandom.seed file to seed the kernel's RNG
> machinery upon every boot. The problem is, that this file is created only once
> during first-boot and then reused on every consecutive boot, so pretty much
> static.

Just for the record, this is the default setting, you can change your
config to generate a new one at each boot
(the worry was that we would wear off the flash too fast)

>
> So this patch series removes urandom-seed package in favor of urngd, which is
> new micro non-physical true random number generator (system service) based on
> timing jitter.

Having a seed file never hurts, so I would keep it

>
> Using the Jitter RNG core, the urngd provides an entropy source that
> feeds into the Linux /dev/random device if its entropy runs low. It
> updates the /dev/random entropy estimator such that the newly provided
> entropy unblocks /dev/random.
>
> The seeding of /dev/random also ensures that /dev/urandom benefits from
> entropy. Especially during boot time, when the entropy of Linux is low,
> the Jitter RNGd provides a source of sufficient entropy.

why not use jitterentropy RNG that is in kernel since 4.2 ?
https://github.com/torvalds/linux/commit/bb5530e4082446aac3a3d69780cd4dbfa4520013

I haven't had time to read all the papers from Stephan Muller, but I
don't know how safe & tested Jitter RNG is on ALL architectures
For example this comment doesn't inspire me
https://github.com/torvalds/linux/commit/bb5530e4082446aac3a3d69780cd4dbfa4520013#diff-8e0798e05c8dca3aa9007504c87cee73R125
> If random_get_entropy does not return a value (which is possible on,
> for example, MIPS), invoke __getnstimeofday
> hoping that there are timers we can work with.

Regards
Etienne

>
>
> Some RNG init time numbers from qca9563 (TP-Link Archer C7 v5):
>
>  [   12.045693] random: crng init done        (urngd)
>  [  120.043132] random: crng init done        (urandom-seed)
>
> Flash space details:
>
>  urngd:        + 4579 b
>  getrandom:    - 1635 b
>  urandom-seed: -  841 b
>  ----------------------
>  diff          + 2103 b
>
> Cc: Stephan Mueller <smueller at chronox.de>
> Cc: Dustin Lundquist <d.lundquist at temperednetworks.com>
>
> Petr Štetiar (5):
>   urng: add micro non-physical true RNG based on timing jitter
>   ubox: move getrandom into separate getrandom package
>   base-files: move urandom seed bits into separate package
>   build: add urandom-seed to the default packages set
>   ath79: make urngd default RNG seed source
>
>  include/target.mk                                  |  2 +-
>  package/base-files/Makefile                        | 11 ++++-
>  package/base-files/files/etc/init.d/urandom_seed   | 12 ------
>  .../base-files/files/lib/preinit/81_urandom_seed   | 24 -----------
>  package/base-files/files/sbin/urandom_seed         | 20 ---------
>  package/system/ubox/Makefile                       | 17 ++++++--
>  package/system/urandom-seed/Makefile               | 32 +++++++++++++++
>  .../urandom-seed/files/etc/init.d/urandom_seed     | 12 ++++++
>  .../urandom-seed/files/lib/preinit/81_urandom_seed | 24 +++++++++++
>  .../system/urandom-seed/files/sbin/urandom_seed    | 20 +++++++++
>  package/system/urngd/Makefile                      | 48 ++++++++++++++++++++++
>  package/system/urngd/files/urngd.init              | 21 ++++++++++
>  target/linux/ath79/Makefile                        |  3 +-
>  13 files changed, 184 insertions(+), 62 deletions(-)
>  delete mode 100755 package/base-files/files/etc/init.d/urandom_seed
>  delete mode 100644 package/base-files/files/lib/preinit/81_urandom_seed
>  delete mode 100755 package/base-files/files/sbin/urandom_seed
>  create mode 100644 package/system/urandom-seed/Makefile
>  create mode 100755 package/system/urandom-seed/files/etc/init.d/urandom_seed
>  create mode 100644 package/system/urandom-seed/files/lib/preinit/81_urandom_seed
>  create mode 100755 package/system/urandom-seed/files/sbin/urandom_seed
>  create mode 100644 package/system/urngd/Makefile
>  create mode 100755 package/system/urngd/files/urngd.init
>
> --
> 1.9.1
>
>
> _______________________________________________
> openwrt-devel mailing list
> openwrt-devel at lists.openwrt.org
> https://lists.openwrt.org/mailman/listinfo/openwrt-devel



More information about the openwrt-devel mailing list