FW: [OpenWrt-Devel] [PATCH RFC 0/5] ath79: add micro non-physical true RNG based on timing jitter

Adrian Schmutzler mail at adrianschmutzler.de
Mon May 20 19:52:34 CEST 2019


FYI:

Something regarding urandom is currently being discussed at OpenWrt that might be relevant to our use via fastd.

I haven't understood all that much of what they are doing there, though.

Regards

Adrian

-----Original Message-----
From: openwrt-devel [mailto:openwrt-devel-bounces at lists.openwrt.org] On Behalf Of Petr Štetiar
Sent: Monday, 20 May 2019 18:13
To: openwrt-devel at lists.openwrt.org
Cc: Stephan Mueller <smueller at chronox.de>; Petr Štetiar <ynezz at true.cz>; Dustin Lundquist <d.lundquist at temperednetworks.com>
Subject: [OpenWrt-Devel] [PATCH RFC 0/5] ath79: add micro non-physical true RNG based on timing jitter

Hi,

this patch series is an RFC which attempts to fix some of the current
urandom-seed based flaws.

First, simply writing to /dev/urandom does not increase the kernel's
entropy count; this causes processes obtaining randomness to block.
Particularly processes using OpenSSL's RAND_bytes() will block until the
kernel emits 'random: crng init done'. This can take upwards of twenty
minutes.

According to random(4) the entropy count is only increased when using the
RNDADDENTROPY ioctl, which urandom-seed currently doesn't use when feeding the
kernel RNG.

Second, urandom-seed is using /etc/urandom.seed file to seed the kernel's RNG
machinery upon every boot. The problem is, that this file is created only once
during first-boot and then reused on every consecutive boot, so pretty much
static.

So this patch series removes the urandom-seed package in favor of urngd, which is
a new micro non-physical true random number generator (system service) based on
timing jitter.

Using the Jitter RNG core, the urngd provides an entropy source that
feeds into the Linux /dev/random device if its entropy runs low. It
updates the /dev/random entropy estimator such that the newly provided
entropy unblocks /dev/random.

The seeding of /dev/random also ensures that /dev/urandom benefits from
entropy. Especially during boot time, when the entropy of Linux is low,
the Jitter RNGd provides a source of sufficient entropy.

Some RNG init time numbers from qca9563 (TP-Link Archer C7 v5):

 [   12.045693] random: crng init done        (urngd)
 [  120.043132] random: crng init done        (urandom-seed)

Flash space details:

 urngd:        + 4579 b
 getrandom:    - 1635 b
 urandom-seed: -  841 b
 ----------------------
 diff          + 2103 b

Cc: Stephan Mueller <smueller at chronox.de>
Cc: Dustin Lundquist <d.lundquist at temperednetworks.com>

Petr Štetiar (5):
  urng: add micro non-physical true RNG based on timing jitter
  ubox: move getrandom into separate getrandom package
  base-files: move urandom seed bits into separate package
  build: add urandom-seed to the default packages set
  ath79: make urngd default RNG seed source

 include/target.mk                                  |  2 +-
 package/base-files/Makefile                        | 11 ++++-
 package/base-files/files/etc/init.d/urandom_seed   | 12 ------
 .../base-files/files/lib/preinit/81_urandom_seed   | 24 -----------
 package/base-files/files/sbin/urandom_seed         | 20 ---------
 package/system/ubox/Makefile                       | 17 ++++++--
 package/system/urandom-seed/Makefile               | 32 +++++++++++++++
 .../urandom-seed/files/etc/init.d/urandom_seed     | 12 ++++++
 .../urandom-seed/files/lib/preinit/81_urandom_seed | 24 +++++++++++
 .../system/urandom-seed/files/sbin/urandom_seed    | 20 +++++++++
 package/system/urngd/Makefile                      | 48 ++++++++++++++++++++++
 package/system/urngd/files/urngd.init              | 21 ++++++++++
 target/linux/ath79/Makefile                        |  3 +-
 13 files changed, 184 insertions(+), 62 deletions(-)
 delete mode 100755 package/base-files/files/etc/init.d/urandom_seed
 delete mode 100644 package/base-files/files/lib/preinit/81_urandom_seed
 delete mode 100755 package/base-files/files/sbin/urandom_seed
 create mode 100644 package/system/urandom-seed/Makefile
 create mode 100755 package/system/urandom-seed/files/etc/init.d/urandom_seed
 create mode 100644 package/system/urandom-seed/files/lib/preinit/81_urandom_seed
 create mode 100755 package/system/urandom-seed/files/sbin/urandom_seed
 create mode 100644 package/system/urngd/Makefile
 create mode 100755 package/system/urngd/files/urngd.init

-- 
1.9.1
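
The difference the cover letter describes between writing to /dev/urandom and using the RNDADDENTROPY ioctl, as an added example that is not part of the original mail and is not urngd's code. The function names make_pool_info and credit_entropy, the 4096-byte cap and the sample bytes are assumptions made for this illustration.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ioctl.h>
#include <unistd.h>
#include <linux/random.h>  /* RNDADDENTROPY, RNDGETENTCNT, struct rand_pool_info */

/* Build the RNDADDENTROPY argument (hypothetical helper). entropy_bits is a
 * claim the kernel trusts, so never claim more bits than the buffer holds. */
struct rand_pool_info *make_pool_info(const void *seed, size_t len, int entropy_bits)
{
    if (!seed || len == 0 || len > 4096 || entropy_bits < 0 || (size_t)entropy_bits > len * 8)
        return NULL;
    struct rand_pool_info *info = calloc(1, sizeof(*info) + len);
    if (!info) return NULL;
    info->entropy_count = entropy_bits;  /* bits to credit */
    info->buf_size = (int)len;           /* bytes to mix in */
    memcpy(info->buf, seed, len);
    return info;
}

/* Mix in AND credit; needs CAP_SYS_ADMIN. Feed it noise-source output only. */
int credit_entropy(const void *seed, size_t len, int entropy_bits)
{
    struct rand_pool_info *info = make_pool_info(seed, len, entropy_bits);
    if (!info) return -EINVAL;
    int fd = open("/dev/random", O_WRONLY);
    int rc = (fd < 0 || ioctl(fd, RNDADDENTROPY, info) < 0) ? -errno : 0;
    if (fd >= 0) close(fd);
    free(info);
    return rc;
}

/* Demo: a plain write mixes the bytes in but is not credited as entropy. */
int main(void)
{
    unsigned char constructed[32] = "constructed sample, not entropy";
    int fd = open("/dev/random", O_RDONLY), before = -1, after = -1;
    int w = open("/dev/urandom", O_WRONLY);
    if (fd < 0 || w < 0) return 1;
    ioctl(fd, RNDGETENTCNT, &before);
    ssize_t n = write(w, constructed, sizeof constructed);
    ioctl(fd, RNDGETENTCNT, &after);
    printf("wrote %zd bytes, entropy count %d -> %d bits\n", n, before, after);
    close(w); close(fd);
    return 0;
}
```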

