Hi, this patch series is an RFC which attempts to fix some of the current urandom-seed based flaws.
First, simply writing to /dev/urandom does not increase the kernel's entropy count, this casuses processes obtaining randomness to block. Particularly processes using OpenSSL's RAND_bytes() will block until the kernel emits 'random: crng init done'. This can take upwards of twenty minutes. According to random(4) the entropy count is only increased when using the RNDADDENTROPY ioctl, which urandom-seed currently doesn't use when feeding the kernel RNG. Second, urandom-seed is using /etc/urandom.seed file to seed the kernel's RNG machinery upon every boot. The problem is, that this file is created only once during first-boot and then reused on every consecutive boot, so pretty much static. So this patch series removes urandom-seed package in favor of urngd, which is new micro non-physical true random number generator (system service) based on timing jitter. Using the Jitter RNG core, the urngd provides an entropy source that feeds into the Linux /dev/random device if its entropy runs low. It updates the /dev/random entropy estimator such that the newly provided entropy unblocks /dev/random. The seeding of /dev/random also ensures that /dev/urandom benefits from entropy. Especially during boot time, when the entropy of Linux is low, the Jitter RNGd provides a source of sufficient entropy. Some RNG init time numbers from qca9563 (TP-Link Archer C7 v5): [ 12.045693] random: crng init done (urngd) [ 120.043132] random: crng init done (urandom-seed) Flash space details: urngd: + 4579 b getrandom: - 1635 b urandom-seed: - 841 b ---------------------- diff + 2103 b Cc: Stephan Mueller <smuel...@chronox.de> Cc: Dustin Lundquist <d.lundqu...@temperednetworks.com> Petr Štetiar (5): urng: add micro non-physical true RNG based on timing jitter ubox: move getrandom into separate getrandom package base-files: move urandom seed bits into separate package build: add urandom-seed to the default packages set ath79: make urngd default RNG seed source include/target.mk | 2 +- package/base-files/Makefile | 11 ++++- package/base-files/files/etc/init.d/urandom_seed | 12 ------ .../base-files/files/lib/preinit/81_urandom_seed | 24 ----------- package/base-files/files/sbin/urandom_seed | 20 --------- package/system/ubox/Makefile | 17 ++++++-- package/system/urandom-seed/Makefile | 32 +++++++++++++++ .../urandom-seed/files/etc/init.d/urandom_seed | 12 ++++++ .../urandom-seed/files/lib/preinit/81_urandom_seed | 24 +++++++++++ .../system/urandom-seed/files/sbin/urandom_seed | 20 +++++++++ package/system/urngd/Makefile | 48 ++++++++++++++++++++++ package/system/urngd/files/urngd.init | 21 ++++++++++ target/linux/ath79/Makefile | 3 +- 13 files changed, 184 insertions(+), 62 deletions(-) delete mode 100755 package/base-files/files/etc/init.d/urandom_seed delete mode 100644 package/base-files/files/lib/preinit/81_urandom_seed delete mode 100755 package/base-files/files/sbin/urandom_seed create mode 100644 package/system/urandom-seed/Makefile create mode 100755 package/system/urandom-seed/files/etc/init.d/urandom_seed create mode 100644 package/system/urandom-seed/files/lib/preinit/81_urandom_seed create mode 100755 package/system/urandom-seed/files/sbin/urandom_seed create mode 100644 package/system/urngd/Makefile create mode 100755 package/system/urngd/files/urngd.init -- 1.9.1 _______________________________________________ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
