Date: Thu, 12 Jul 2018 16:57:51 +0100
From: RW
To: freebsd-hackers@freebsd.org
Subject: Re: Limits to seeding /dev/random | random(4)

On Wed, 11 Jul 2018 07:58:35 -0600
Ian Lepore wrote:

> When asking our prng gurus for advice on writing a device driver for
> an on-chip entropy source, the advice I got was basically: there's no
> need to feed in more entropy on an ongoing basis, but no harm in
> doing so either, within reason. The recommendation was to feed at or
> below an average rate of about 128 bits/second. Pushing in more isn't
> harmful, just wasteful of system resources because it doesn't make
> anything better.

This is a bit simplistic because it ignores the way that fortuna stripes
entropy across 32 pools.

In order to fully secure the prng at boot time you need to get 256 bits
of entropy into it, and to guarantee that you need to have 256 bits in
pool[0], which means you need to write 256*32=8192 bits into the random
device. This should be done as early in the rc.d boot process as
possible.

Once the pools are primed you could trickle entropy in in smaller
amounts if you wish.
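
The 256*32 figure in the message above can be checked with a small model of round-robin pool striping. This is an added example, not part of the original message and not FreeBSD's random(4) code; the event size, the strict round-robin order, the unknown starting pool and the function names are all assumptions of the model.

```c
#include <stdio.h>

#define NPOOLS    32   /* Fortuna pool count, from the message above */
#define SEED_BITS 256  /* entropy wanted in pool[0] */

/*
 * Simplified model (assumptions, not FreeBSD's code): a write is cut into
 * events of event_bits each, every event carries full entropy, and events
 * are handed to the pools in strict round-robin order beginning at `start`.
 * Returns the number of bits that end up in pool[0].
 */
unsigned long
pool0_after_write(unsigned long total_bits, unsigned event_bits, unsigned start)
{
	unsigned long pool[NPOOLS] = { 0 };
	unsigned next = start % NPOOLS;

	while (total_bits > 0) {
		unsigned long n = total_bits < event_bits ? total_bits : event_bits;
		pool[next] += n;
		next = (next + 1) % NPOOLS;
		total_bits -= n;
	}
	return (pool[0]);
}

/*
 * Smallest write, in bits, that leaves at least SEED_BITS in pool[0] for
 * every possible round-robin starting position (the writer cannot know
 * which pool is next in line).
 */
unsigned long
min_guaranteed_write(unsigned event_bits)
{
	unsigned long bits = 0;
	unsigned start, ok;

	do {
		bits += event_bits;
		ok = 1;
		for (start = 0; start < NPOOLS; start++)
			if (pool0_after_write(bits, event_bits, start) < SEED_BITS)
				ok = 0;
	} while (!ok);
	return (bits);
}

int
main(void)
{
	printf("256-bit write, 64-bit events: pool[0] = %lu bits\n",
	    pool0_after_write(256, 64, 0));
	printf("guaranteed seed size: %lu bits\n", min_guaranteed_write(64));
	return (0);
}
```

In this model a 256-bit write leaves pool[0] with at most one event's worth of entropy, and the guaranteed seed size comes out the same for 8-bit and 64-bit events.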