Re: [PATCH] API for true Random Number Generators to add entropy(2.6.11)

From: Evgeniy Polyakov
Date: Thu Mar 24 2005 - 08:43:17 EST

Next message: Rafael J. Wysocki: "Re: 2.6.12-rc1-mm1: resume regression [update] (was: Re:2.6.12-rc1-mm1: Kernel BUG at pci:389)"
Previous message: Martin Schwidefsky: "[patch 2/9] s390: signal stack bug."
In reply to: David McCullough: "Re: [PATCH] API for true Random Number Generators to add entropy (2.6.11)"
Next in thread: Jeff Garzik: "Re: [PATCH] API for true Random Number Generators to add entropy(2.6.11)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Thu, 2005-03-24 at 23:23 +1000, David McCullough wrote:
> Jivin Jeff Garzik lays it down ...
> > Evgeniy Polyakov wrote:
> > >On Thu, 2005-03-24 at 14:27 +1000, David McCullough wrote:
> > >
> > >>Hi all,
> > >>
> > >>Here is a small patch for 2.6.11 that adds a routine:
> > >>
> > >> add_true_randomness(__u32 *buf, int nwords);
> > >>
> > >>so that true random number generator device drivers can add a entropy
> > >>to the system. Drivers that use this can be found in the latest release
> > >>of ocf-linux, an asynchronous crypto implementation for linux based on
> > >>the *BSD Cryptographic Framework.
> > >>
> > >> http://ocf-linux.sourceforge.net/
> > >>
> > >>Adding this can dramatically improve the performance of /dev/random on
> > >>small embedded systems which do not generate much entropy.
> > >
> > >
> > >People will not apply any kind of such changes.
> > >Both OCF and acrypto already handle all RNG cases - no need for any kind
> > >of userspace daemon or entropy (re)injection mechanism.
> > >Anyone who want to use HW randomness may use OCF/acrypto mechanism.
> > >For example here is patch to enable acrypto support for hw_random.c
> > >It is very simple and support only upto 4 bytes request, of course it
> > >is
> > >not interested for anyone, but it is only 2-minutes example:
> >
> > If you want to add entropy to the kernel entropy pool from hardware RNG,
> > you should use the userland daemon, which detects non-random (broken)
> > hardware and provides throttling, so that RNG data collection does not
> > consume 100% CPU.
> >
> > If you want to use the hardware RNG directly, it's simple: just open
> > /dev/hw_random.
> >
> > Hardware RNG should not go kernel->kernel without adding FIPS tests and
> > such.
>
> For reference, the RNG on the Safenet I am using this with is
> FIPS140 certified. I believe the HIFN part is also but I place the doc that
> says so.

At least HIFN 795x is certified.

Idea to validate entropy data is good in general,
but it should be implemented in a way allowing external both in-kernel
and userspace
processes to contribute data.
So for in-kernel use we need such a mechanism, and userspace gkernel
daemon
should use it(as the latest "step") too.

Your changes are correct, ioctl(RNDADDENTROPY) could even use it instead
of direct
add_entropy_words()/credit_entropy_store(), but without external entropy
contributors
it will not be applied by maintainers.

> Cheers,
> Davidm
>
--
Evgeniy Polyakov

Crash is better than data corruption -- Arthur Grabowski

Attachment: signature.asc
Description: This is a digitally signed message part

Next message: Rafael J. Wysocki: "Re: 2.6.12-rc1-mm1: resume regression [update] (was: Re:2.6.12-rc1-mm1: Kernel BUG at pci:389)"
Previous message: Martin Schwidefsky: "[patch 2/9] s390: signal stack bug."
In reply to: David McCullough: "Re: [PATCH] API for true Random Number Generators to add entropy (2.6.11)"
Next in thread: Jeff Garzik: "Re: [PATCH] API for true Random Number Generators to add entropy(2.6.11)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]