r908 - trunk
tushar at linuxfromscratch.org
tushar at linuxfromscratch.org
Sun Nov 14 09:00:10 PST 2004
Date: 2004-11-14 10:00:08 -0700 (Sun, 14 Nov 2004)
New Revision: 908
Updated Hint: entropy
--- trunk/entropy.txt 2004-11-14 16:58:12 UTC (rev 907)
+++ trunk/entropy.txt 2004-11-14 17:00:08 UTC (rev 908)
@@ -1,6 +1,6 @@
AUTHOR: Robert Connolly <robert at linuxfromscratch dot org> (ashes)
LICENSE: Public Domain
@@ -9,7 +9,7 @@
PRIMARY URL: http://www.linuxfromscratch.org/hints/
-Many system components including smashing stack protector, mkstemp,
+Many system components including smashing stack protector, mktemp,
cryptography, depend on a supply of random bits to ensure data integrity.
In the Linux kernel a combination of input devices are used to gather
randomness from. This includes the keyboard, mouse, and hard disc.
@@ -22,18 +22,30 @@
many of them. For more information check the above web site. Also see:
+audio/video entropy daemon:
+This describes two daemons which use either the static noise from the
+system audio, or the video frames from a video4linux device. These devices
+have a never ending supply of randomness created by thermal fluctuation and
+electric fields on the devices. These entropy gathering daemons depend on the
+kernel driver for your hardware to work properly, be it your sound or video
+card. These programs will re-seed the kernel entropy pool. The programs can
+be used together in combination with the kernel's internal values to create
+a very random pool from several different sources.
Fast and Economical Random number suite:
Frandom uses an arcfour stream cipher of seed data from the kernel's internal
pool. The advantage to frandom is that 256 bytes of kernel entropy can be
expanded into gigabytes of random output. Ideal for wiping discs, and maybe
-even for online gaming. A new addition to the frandom package is erandom.
-Economical random uses the state of frandom as a seed, and its use does not
-drain any kernel entropy. This is done very efficiently, completely in the
-kernel. Erandom is ideal for Smashing Stack Protector. Frandom now also
+even for online (casino) gaming. A new addition to the frandom package is
+erandom. Economical random uses the state of frandom as a seed, and its use
+does not drain any kernel entropy. This is done very efficiently, completely in
+the kernel. Erandom is ideal for Smashing Stack Protector. Frandom now also
supports sysctl so SSP can use it regardless if /dev/erandom exists or not.
-This is slightly faster and works through chroot. There is an mktemp patch
-for frandom too.
+This is slightly faster and works through chroot.
Note: The name "frandom" is used because thats the name of the package. The
patches for mktemp and ssp used the erandom interface even though the patch
is named frandom. Also, if you expect to have very long uptimes, the frandom
@@ -43,22 +55,20 @@
to prevent the output of erandom from ever repeating itself over several years
+Libarc4random is an OpenBSD library function ported to Linux. So far only
+Mktemp has been ported to use it. Libarc4random will use the Erandom sysctl
+interface if SYSCTL_ERANDOM is defined from /usr/include/linux/sysctl.h
+(if it is installed). This libaray will always return random data. If you
+built Libarc4random with Erandom and later boot a vanilla kernel, this
+library will try to use /dev/urandom next, if /dev/urandom does not exist
+then gettimeofday will be used as a seed. The seed is used to stir an
+Arcfour hash function. Therefore this library is more reliable then using
+any one or two random sources alone.
LavaRnd Random Number Generator:
This uses hardware as a source of entropy much like Video Entropy Daemon.
-audio/video entropy daemon:
-This describes two daemons which use either the static noise from the
-system audio, or the video frames from a video4linux device. These devices
-have a never ending supply of randomness created by thermal fluctuation and
-electric fields on the devices. These entropy gathering daemons depend on the
-kernel driver for your hardware to work properly, be it your sound or video
-card. These programs will re-seed the kernel entropy pool. The programs can
-be used together in combination with the kernel's internal values to create
-a very random pool from several different sources.
@@ -99,12 +109,14 @@
And for LFS-6.0
@@ -121,6 +133,8 @@
Frandom is built in by default with this patch. It can be found in the
character devices menu. Build and install the new kernel.
+The frandom device is enabled by default. Make sure sysctl is also built in
+and not a module or else erandom will only work as a character device.
patch -Np1 -i ../linux-2.4.27-frandom-1.patch
@@ -129,12 +143,37 @@
mknod /dev/frandom c 235 11
mknod /dev/erandom c 235 12
+Add something like this to root's crontab:
+0 0 * * 1 /bin/dd if=/dev/frandom of=/dev/null count=1 >/dev/null 2>&1
+This will reseed frandom every Monday.
+Finally patch the header. On an existing system the header can be patched like
+this (this works for both kernel 2.4 and 2.6):
+cd /usr/include &&
+patch -Np2 -i /path/to/linux-libc-headers-2.6-frandom-1.patch
To use it for SSP use the glibc-ssp-frandom patch.
-To build mktemp with frandom instead of urandom do _not_ use the "--with-libc"
-option during configure. Apply the patch and otherwise install normaly.
+This is easy to install. libarc4random.so and .a are installed to /lib,
+two example programs are installed to /usr/bin, and a man page to /usr.
+`man 3 arc4random` for more info.
+In the patches/ directory is a patch for Mktemp. To install Mktemp with
+libarc4random support simply do:
+patch -Np1 -i ../mktemp-1.5-arc4random-1.patch
+Then install Mktemp normally but _without_ the --with-libc option, which
+will use libc's mkstemp function.
- Testing entropy
You should try to test this on an idle machine. Nothing compiling in
background, no updatedb running, etc. Moving/clicking the mouse, keyboard, and
@@ -186,3 +225,6 @@
* New patch tarball url added.
* Added second url for linux-libc-headers patch.
+* Added Libarc4random.
+* Changed Mktemp patch from frandom to libarc4random.
More information about the hints