entropy hint

Robert Connolly robert at linuxfromscratch.org
Sun Nov 28 12:56:31 PST 2004

Added patch for linux-2.6.7 and older. Please update this hint.

-------------- next part --------------
AUTHOR:		Robert Connolly <robert at linuxfromscratch dot org> (ashes)

DATE:		2004-11-28

LICENSE:	Public Domain

SYNOPSIS:	Random number generation

PRIMARY URL:	http://www.linuxfromscratch.org/hints/

Many system components including smashing stack protector, mktemp,
cryptography, depend on a supply of random bits to ensure data integrity.
In the Linux kernel a combination of input devices are used to gather
randomness from. This includes the keyboard, mouse, and hard disc.
On an idle system none of these devices are receiving input, and the entropy
(randomness) of the system is easy to deplete, especially with cryptography.

Hardware random:
Some systems have hardware devices for random numbers. The kernel supports
many of them. For more information check the above web site. Also see:

audio/video entropy daemon:
This describes two daemons which use either the static noise from the
system audio, or the video frames from a video4linux device. These devices
have a never ending supply of randomness created by thermal fluctuation and
electric fields on the devices. These entropy gathering daemons depend on the
kernel driver for your hardware to work properly, be it your sound or video
card. These programs will re-seed the kernel entropy pool. The programs can
be used together in combination with the kernel's internal values to create
a very random pool from several different sources.

Fast and Economical Random number suite:
Frandom uses an arcfour stream cipher of seed data from the kernel's internal
pool. The advantage to frandom is that 256 bytes of kernel entropy can be
expanded into gigabytes of random output. Ideal for wiping discs, and maybe
even for online (casino) gaming. A new addition to the frandom package is
erandom. Economical random uses the state of frandom as a seed, and its use
does not drain any kernel entropy. This is done very efficiently, completely in
the kernel. Erandom is ideal for Smashing Stack Protector. Frandom now also
supports sysctl so SSP can use it regardless if /dev/erandom exists or not.
This is slightly faster and works through chroot. 

Note: The name "frandom" is used because thats the name of the package. The
patches for mktemp and ssp used the erandom interface even though the patch
is named frandom. Also, if you expect to have very long uptimes, the frandom
device should be dumped into /dev/null once in a while to reseed erandom.
Something like 'dd if=/dev/frandom of=/dev/null count=1' should be added to
your random script on boot, and done daily or weekly in your system scripts;
to prevent the output of erandom from ever repeating itself over several years
of use.

Libarc4random is an OpenBSD library function ported to Linux. So far only
Mktemp has been ported to use it. Libarc4random will use the Erandom sysctl
interface if SYSCTL_ERANDOM is defined from /usr/include/linux/sysctl.h
(if it is installed). This libaray will always return random data. If you
built Libarc4random with Erandom and later boot a vanilla kernel, this
library will try to use /dev/urandom next, if /dev/urandom does not exist
then gettimeofday will be used as a seed. The seed is used to stir an
Arcfour hash function. Therefore this library is more reliable then using
any one or two random sources alone.

LavaRnd Random Number Generator:
This uses hardware as a source of entropy much like Video Entropy Daemon.



Audio entropy daemon:

make &&
install -g 0 -o 0 -m 755 audio-entropyd /usr/sbin/audio-entropyd

Edit your /etc/rc.d/init.d/random and start audio-entropyd just after seeding
urandom, and stop it just after saving random-seed. The PID file will be in
/var/run. You don't need to reboot to use it, but you do need your sound card
driver loaded, and be root.

Video entropy daemon:

make &&
install -g 0 -o 0 -m 755 video_entropyd /usr/sbin/video_entropyd

Add this to root's crontab every minute or so. It can not run as a daemon
because it will lock the video device. Depends on video4linux. Using one or
both of these daemons should be adequate for sustained moderate-to-heavy use.

Nothing else needs to be done, applications can continue to use /dev/random
and /dev/urandom normally. You should notice crypto keys get made faster.



If you are still using linux-2.6.7 or before you need to use the 2.6.7
patch below. An interface changed after 2.6.8 and the code is not the same.



And for LFS-6.0


Or get frandom and other patches in:
This filename will change, for example: hlfs-patches-20041028.tar.bz2

You don't need the frandom-0.8 source, its presented so you can read more
about it if you want. The Linux kernel patch is all we need.
Frandom is built in by default with this patch. It can be found in the
character devices menu. Build and install the new kernel.

The frandom device is enabled by default. Make sure sysctl is also built in
and not a module or else erandom will only work as a character device.
cd linux-2.4.27
patch -Np1 -i ../linux-2.4.27-frandom-1.patch

mknod /dev/frandom c 235 11
mknod /dev/erandom c 235 12

Add something like this to root's crontab:

0 0 * * 1 /bin/dd if=/dev/frandom of=/dev/null count=1 >/dev/null 2>&1

This will reseed frandom every Monday.

Finally patch the header. On an existing system the header can be patched like
this (this works for both kernel 2.4 and 2.6):

cd /usr/include &&
patch -Np2 -i /path/to/linux-libc-headers-2.6-frandom-1.patch

To use it for SSP use the glibc-ssp-frandom patch.

This is easy to install. libarc4random.so and .a are installed to /lib,
two example programs are installed to /usr/bin, and a man page to /usr.
`man 3 arc4random` for more info.

make &&
make install

In the patches/ directory is a patch for Mktemp. To install Mktemp with
libarc4random support simply do:

patch -Np1 -i ../mktemp-1.5-arc4random-1.patch

Then install Mktemp normally but _without_ the --with-libc option, which
will use libc's mkstemp function.

 - Testing entropy
You should try to test this on an idle machine. Nothing compiling in
background, no updatedb running, etc. Moving/clicking the mouse, keyboard, and
even network traffic will create entropy in the pool, and affect results.
Todo: Have tests for entropy quality, not just quantity.

Fetch this:

Open two windows with non-root login. This is easiest to do in X, else split
a console window in two. In one window do this:

sh ./entropy_avail.sh

In the next window do something like this:

dd if=/dev/{u,f,e}random of=/dev/null bs=1 count=1024

If one or both of the entropyd programs are running you should see the pool
being refilled. Kill the entropyd program(s) and you should see it does not
refill so quickly. Move the mouse and play with it if you like. If you use a
small count like count=512 the entropyd program(s) may not refill immediately
because the pool is still large enough. This is to improve preformance.

You might want to delete entropy_avail.log when you're done.

* Thanks to Eli Billauer for the Frandom suite. -
* Thanks to hlfs-dev at linuxfromscratch.org

* Initial post
* Added test.
* Added frandom/erandom.
* Added hardware random url and notes.
* Switched the entropy_avail program to a more simple shell script.
* Added patch for kernel 2.6 and for mktemp.
* Added LavaRnd.
* Added libc-headers patch.
* New patch tarball url added.
* Added second url for linux-libc-headers patch.
* Added Libarc4random.
* Changed Mktemp patch from frandom to libarc4random.
* Added patch for linux-2.6.7 and older kernels because the 2.6.9 patch
  does not compile on older kernel versions.

More information about the hints mailing list