Eric W. Bates wrote:

Sam Leffler wrote:
Eric W. Bates wrote:

I'm running pfsense (an embedded FreeBSD 6.1) on a wrap2C.  I recently
added a Soekris vpn1411 and am now getting infrequent errors:

hifn0: rndtest: ones interval 4 failed (382, 251-373)
hifn0: rndtest: ones interval 1 failed (2663, 2343-2657)
hifn0: rndtest: zeros interval 5 failed (206, 111-201)
hifn0: rndtest: ones interval 2 failed (1385, 1135-1365)
hifn0: rndtest: zeros interval 3 failed (718, 542-708)
hifn0: rndtest: zeros interval 4 failed (243, 251-373)
hifn0: rndtest: zeros interval 3 failed (717, 542-708)

IPSec works fine.  However, I do not know how to tell whether the hifn
is being used.

I had no luck with Google.  Can anyone enlighten me?

man rndtest(4).  pfSense has configured the FIPS rng testing module to
monitor the entropy sent by the h/w to the system prng.  Looks like

sysctl kern.rndtest.verbose=0

will turn off console msgs.

I guess I want to follow up on this a bit.  It seems that rndtest is
unsatisfied with the degree of randomness presented by the card.

Is that randomness used to produce /dev/random?

Is this an indication of a fault with the card?

The entropy is fed into the system PRNG where it is processed again before being supplied as data from /dev/random. So there is nothing to worry about.


How does such a card "create"/"collect" entropy?

Drivers that manage h/w entropy sources (such as those found on crypto devices) periodically collect data and feed it to the PRNG.


Is there anything I can do to improve the situation?

rndtest was done to evaluate the goodness of h/w entropy sources for various reasons that are not important. It is not intended for production use. Why pfsense includes it is unclear.


Thanks.

btw: adding a similar card (Soekris VPN 1410  -- PCI not mini-pci) to a
full size motherboard running 6.0-RELEASE-p6 produces the same errors.

    Sam


_______________________________________________
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
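
The console messages quoted in this thread come from a FIPS-style runs test. The following is an added example, not code from the thread or from the rndtest driver: a minimal C version of that test over a 20,000-bit sample. The bit order, the function names and the 6+ range are assumptions.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define FIPS_BITS 20000   /* sample size of the FIPS 140-2 runs test */

/* Acceptance range per run length. Lengths 1-5 match the ranges in the
 * quoted log lines; 6+ is the FIPS 140-2 value (not shown in the thread). */
static const int lo[6] = { 2343, 1135, 542, 251, 111, 111 };
static const int hi[6] = { 2657, 1365, 708, 373, 201, 201 };

/* Tally runs of identical bits, MSB first (assumed bit order).
 * ones[i]/zeros[i] count runs of length i+1; index 5 holds length >= 6. */
void count_runs(const unsigned char *buf, size_t nbits, int ones[6], int zeros[6])
{
    int prev = -1, len = 0;
    memset(ones, 0, 6 * sizeof(int));
    memset(zeros, 0, 6 * sizeof(int));
    for (size_t i = 0; i <= nbits; i++) {
        /* -2 is an end marker that flushes the final run */
        int bit = (i < nbits) ? (buf[i / 8] >> (7 - i % 8)) & 1 : -2;
        if (bit == prev) { len++; continue; }
        if (len > 0)
            (prev ? ones : zeros)[(len > 6 ? 6 : len) - 1]++;
        prev = bit;
        len = 1;
    }
}

/* Check one tally against its range; returns 1 on failure. */
static int check(const char *kind, int i, int n, int verbose)
{
    if (n >= lo[i] && n <= hi[i]) return 0;
    if (verbose) printf("%s interval %d failed (%d, %d-%d)\n", kind, i + 1, n, lo[i], hi[i]);
    return 1;
}

/* Number of intervals outside their range for a 2500-byte sample (0 = pass). */
int runs_failures(const unsigned char *buf, int verbose)
{
    int ones[6], zeros[6], fails = 0;
    count_runs(buf, FIPS_BITS, ones, zeros);
    for (int i = 0; i < 6; i++)
        fails += check("ones", i, ones[i], verbose) + check("zeros", i, zeros[i], verbose);
    return fails;
}

int main(void)
{
    static unsigned char sample[FIPS_BITS / 8];   /* constructed input: all zero bits */
    printf("%d intervals failed\n", runs_failures(sample, 1));
    return 0;
}
```

A count only slightly outside its range, as in the quoted log, is a statistical failure of one 20,000-bit sample.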
