On Sun, 2019-03-03 at 22:55 +0100, Kurt Roeckx wrote:
> On Sun, Mar 03, 2019 at 08:19:44PM +0000, Ben Hutchings wrote:
> > On Sun, 2019-03-03 at 18:59 +0100, Kurt Roeckx wrote:
> > [...]
> > > Most people will actually have at least 2 hardware RNGs: One in
> > > the CPU and one in the TPM. We can make the kernel trust those as
> > > entropy source without using something in userspace to feed it.
> > > I'm not sure if the kernel has the option to use the TPM directly
> > > as source, but it makes it available as /dev/hwrng.
> > [...]
> >
> > If there is at least one hardware RNG with a non-zero "quality" then
> > the kernel will start a thread (khwrngd) that reads from the hardware
> > RNG and adds those bits to the core RNG, crediting each bit with
> > quality/1024 bits of entropy.
> >
> > Most hardware RNG drivers don't specify quality and it defaults to
> > zero, but this can be overridden by setting the module parameter
> > rng-core.default_quality. Perhaps we should set a low but non-zero
> > default value?
>
> I think chaos key is the exception to this, the kernel uses it by
> default. Changing that is going to surprise people.

The module parameter only affects devices where the driver doesn't
specify quality. The chaoskey driver should be unaffected.

> I don't know if we can actually find out what quality the
> RNG should provide for most devices. I think for some we can set
> reasonable defaults. But at least with TPMs it can be one of
> various manufacturers, so the quality might be totally different.
>
> > There are potential problems with doing this: some of these hardware
> > RNGs are probably quite weak, so we have to be very conservative, but
> > then the less entropy we credit the more CPU time will be spent in the
> > hardware RNG reader thread.
>
> I guess that what I would like is that at the start it just gets
> the entropy it needs, and then keeps feeding it at a low rate, for
> instance a few bytes every few seconds. I don't know if that's
> something that can be set, or that it currently does.
[...]

khwrngd will block (in add_hwgenerator_randomness()) when the estimated
entropy in the random pool is above a certain threshold, which appears
to be 7/8 of the pool size by default.

Ben.

--
Ben Hutchings
No political challenge can be met by shopping. - George Monbiot
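Added example, not part of the original message or of the kernel sources: a shell function that reads the rng-core state and applies the quality/1024 crediting and the 7/8 threshold described in the message above to work out how many bytes khwrngd would have to read before it blocks. The sysfs and procfs paths and the `current_quality` parameter are assumptions taken from Linux kernels of this thread's era, and the `root` argument is a hypothetical prefix so the logic can be run against a constructed directory tree.

```shell
# On a live system call:  hwrng_report ""
read_val() {   # print the first line of file $1, or the fallback $2
    if [ -r "$1" ]; then head -n 1 "$1"; else printf '%s\n' "$2"; fi
}

# Bytes khwrngd must read to credit $1 bits of entropy at quality $2
# (each bit read is credited quality/1024 bits). Prints "never" for 0.
bytes_for_bits() {
    need=$1; quality=$2
    if [ "$quality" -le 0 ]; then echo never; return; fi
    bits=$(( (need * 1024 + quality - 1) / quality ))   # ceiling division
    echo $(( (bits + 7) / 8 ))
}

hwrng_report() {
    root=$1                                   # hypothetical test prefix
    hw=$root/sys/class/misc/hw_random         # assumed sysfs location
    par=$root/sys/module/rng_core/parameters  # assumed module parameters
    rnd=$root/proc/sys/kernel/random

    current=$(read_val "$hw/rng_current" none)
    quality=$(read_val "$par/current_quality" 0)
    default=$(read_val "$par/default_quality" 0)
    avail=$(read_val "$rnd/entropy_avail" 0)
    pool=$(read_val "$rnd/poolsize" 4096)

    threshold=$(( pool * 7 / 8 ))   # blocking point given in the message
    need=$(( threshold - avail ))
    if [ "$need" -lt 0 ]; then need=0; fi

    echo "device=$current quality=$quality default_quality=$default"
    if [ "$quality" -eq 0 ]; then
        echo "khwrngd=inactive (quality is zero, nothing is credited)"
    else
        # 1 KiB read = 8192 bits, credited at quality/1024 each
        echo "khwrngd=active credit_per_KiB_read=$(( quality * 8 )) bits"
    fi
    echo "threshold=$threshold need=$need read_bytes=$(bytes_for_bits "$need" "$quality")"
}
```

Comparing `read_bytes` at a conservative quality with the same figure at 1024 shows the CPU-time cost of under-crediting a device that the thread discusses.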