From owner-freebsd-hackers@freebsd.org Thu Jul 12 16:04:56 2018 Return-Path: Delivered-To: freebsd-hackers@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 2C3101047E73 for ; Thu, 12 Jul 2018 16:04:56 +0000 (UTC) (envelope-from dirkx@webweaving.org) Received: from weser.webweaving.org (weser.webweaving.org [148.251.234.232]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "weser.webweaving.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id A772A708C5 for ; Thu, 12 Jul 2018 16:04:55 +0000 (UTC) (envelope-from dirkx@webweaving.org) Received: from beeb.leiden.webweaving.org (5ED29A06.cm-7-3c.dynamic.ziggo.nl [94.210.154.6]) (authenticated bits=0) by weser.webweaving.org (8.15.2/8.15.2) with ESMTPSA id w6CG3W33044758 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Thu, 12 Jul 2018 18:03:33 +0200 (CEST) (envelope-from dirkx@webweaving.org) X-Authentication-Warning: weser.webweaving.org: Host 5ED29A06.cm-7-3c.dynamic.ziggo.nl [94.210.154.6] claimed to be beeb.leiden.webweaving.org Content-Type: text/plain; charset=utf-8 Mime-Version: 1.0 (Mac OS X Mail 10.3 \(3273\)) Subject: Re: Limits to seeding /dev/random | random(4) From: Dirk-Willem van Gulik In-Reply-To: <20180712165751.1e5b8e24@gumby.homeunix.com> Date: Thu, 12 Jul 2018 18:03:27 +0200 Cc: freebsd-hackers@freebsd.org Content-Transfer-Encoding: quoted-printable Message-Id: <7C42CD28-078F-4AF6-90F2-5E951F8386D5@webweaving.org> References: <3A988D26-7B08-4301-8176-B0ED8A559420@webweaving.org> <1531317515.66719.20.camel@freebsd.org> <20180712165751.1e5b8e24@gumby.homeunix.com> To: RW X-Mailer: Apple Mail (2.3273) X-Greylist: Sender succeeded SMTP AUTH, not delayed by milter-greylist-4.6.2 (weser.webweaving.org [148.251.234.232]); Thu, 12 Jul 2018 18:03:33 +0200 (CEST) X-BeenThere: freebsd-hackers@freebsd.org X-Mailman-Version: 2.1.27 Precedence: list List-Id: Technical Discussions relating to FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 12 Jul 2018 16:04:56 -0000 On 12 Jul 2018, at 17:57, RW via freebsd-hackers = wrote: > On Wed, 11 Jul 2018 07:58:35 -0600 Ian Lepore wrote: >=20 >=20 >> When asking our prng gurus for advice on writing a device driver for >> an on-chip entropy source, the advice I got was basically: there's no >> need to feed in more entropy on an ongoing basis, but no harm in >> doing so either, within reason. The recommendation was to feed at or >> below an average rate of about 128 bits/second. Pushing in more isn't >> harmful, just wasteful of system resources because it doesn't make >> anything better. >=20 > This is a bit simplistic because it ignores the way that fortuna > stripes entropy across 32 pools. >=20 > In order to fully secure the prng at boot time you need to get 256 = bits > of entropy into it, and to guarantee that you need to have 256 bits in > pool[0], which means you need to write 256*32=3D8192 bits into the = random > device. This should be done as early in the rc.d boot process as > possible. Once the pools are primed you could trickle entropy in in > smaller amounts if you wish. So these HW devices [1] give us a raw feed =E2=80=94 which one usually = whitewashes [2] in order to use. It is fairly well defined how many bits of entropy we get =E2=80=98raw=E2=80= =99. During boot - can I feed the right number of bits without whitewashing - = letting the kernel do the trick (much like random_harvest_queue() does = in for example the mouse driver) ? Or should it be properly whitened first ? Our goal is to get to a point where a very stripped down BSD can be = booted up (sans network or much in terms of attached devices but for a = printer and chipcard reader) =E2=80=94 yet is know to have a solid = seeded RNG. With kind regards, Dw. 1: https://13-37.org/en/shop/infinite-noise-trng/ 2: https://github.com/manuel-domke/infnoise=