On Fri, May 26, 2023 at 11:32 AM Bill Cunningham <bill.cu1...@gmail.com> wrote:
>
> On 5/26/2023 4:38 AM, J.Witvliet--- via users wrote:
> >
> > -----Original Message-----
> > From: Jeffrey Walton <noloa...@gmail.com>
> >
> > On Thu, May 25, 2023 at 9:18 PM Bill Cunningham <bill.cu1...@gmail.com>
> > wrote:
> >> How would you access randomization at the system level? No via
> >> srand or rand, but the randomization the system offers through
> >> /dev/random. Would this be a fedora level system call ?
> >>
> >> I intend to take a 512 or 1024, for example, size chunk and fill
> >> that with system randomization. Not what you get with srand and rand I
> >> believe they are inferior to system randomization.
> > You should use /dev/urandom nowadays, not /dev/random. According to
> > Theodore Ts'o on the Linux Kernel Crypto mailing list, /dev/random has been
> > deprecated for a decade.
> >
> > From Re: [RFC PATCH v12 3/4] Linux Random Number Generator:[1]
> >
> > Practically no one uses /dev/random. It's essentially a deprecated
> > interface; the primary interfaces that have been recommended for well over
> > a decade is /dev/urandom, and now, getrandom(2).
> >
> > There is a difference between random and urandom, mainly the "quality of it
> > randomness"
> > Especially when doing crypto related tasks (VPNs) on a virtual machine, you
> > might find that your entropy pool is small and easiliy depleted.
> > In such cases, reading from /dev/random will block (bad), but reading from
> > /dev/urandom get bad quality (perhaps even worse)
> > However, there are ways to replenish the entropy buffer...
> >
> That leads me to the idea of haveged. I have my system set up to ctivate it
> manually. My question was about a C related function originally, that would
> provide powerful randomness, but this is very interesting. Has anyone
> actually used haveged?
I usually install rng-tools to help with entropy gathering. It feeds
the kernel entropy pool directly, so /dev/{u}random is always in
working order.
haveged is a userspace daemon. It helps programs which use it, but it
does not help the system.
The implications are... without an entropy gatherer, a program can
exhaust /dev/random to the point it will return EAGAIN. If a program
does not check return values, it may truck on as if it got a bunch of
random bytes. Or a program could hang in a loop while waiting for some
random bytes. If you install rng-tools, then /dev/random and
/dev/urandom will stay in good working order. If you install haveged,
your program will be Ok, but the system may still be in bad shape.
The downside to rng-tools is, it is not available everywhere. It is
available on Debian and Fedora (and friends), but it is missing on
other platforms like FreeBSD and Solaris. rng-tools has problems on
some chipsets, like VIA with a C7-D. VIA had crypto acceleration in
some of its chipsets a decade before Intel provided AESNI and RDRAND.
Finally, rng-tools is an old service; it is not systemd aware (or it
used to be).
Jeff
_______________________________________________
users mailing list -- users@lists.fedoraproject.org
To unsubscribe send an email to users-le...@lists.fedoraproject.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org
Do not reply to spam, report it:
https://pagure.io/fedora-infrastructure/new_issue
