style fixes, see Help:Style and related
Revision as of 02:42, 12 November 2015
Line 4:
Line 4:
{{Related articles end}}
{{Related articles end}}
−
The [https://git.kernel.org/cgit/utils/kernel/rng-tools/rng-tools.git/ rng-tools] is a set of utilities related to random number generation in kernel. The main program is
{{ic|
rngd
}}
, a daemon developed to check and feed random data from hardware device to kernel entropy pool.
+
The [https://git.kernel.org/cgit/utils/kernel/rng-tools/rng-tools.git/ rng-tools] is a set of utilities related to random number generation in kernel. The main program is
'''
rngd
'''
, a daemon developed to check and feed random data from hardware device to kernel entropy pool.
−
This is mainly useful to increase the quantity of entropy in kernel to make {{ic|/dev/random}} faster. By default, {{ic|/dev/random}} is very slow since it only collects entropy from [[wikipedia:/dev/random|device drivers and other (slow) sources]].
{{ic|
rngd
}}
allows the use of faster entropy sources, mainly [[wikipedia:Hardware_random_number_generator|hardware random number generators (TRNG)]], present in modern hardware like [[wikipedia:RdRand|recent AMD/Intel processors]], [https://jve.linuxwall.info/blog/index.php?post/2013/08/19/Hardware-RNG-from-Via-CPU-(on-debibox) Via Nano] or even [http://scruss.com/blog/2013/06/07/well-that-was-unexpected-the-raspberry-pis-hardware-random-number-generator/ Raspberry Pi].
+
This is mainly useful to increase the quantity of entropy in kernel to make {{ic|/dev/random}} faster. By default, {{ic|/dev/random}} is very slow since it only collects entropy from [[wikipedia:/dev/random|device drivers and other (slow) sources]].
''
rngd
''
allows the use of faster entropy sources, mainly [[wikipedia:Hardware_random_number_generator|hardware random number generators (TRNG)]], present in modern hardware like [[wikipedia:RdRand|recent AMD/Intel processors]], [https://jve.linuxwall.info/blog/index.php?post/2013/08/19/Hardware-RNG-from-Via-CPU-(on-debibox) Via Nano] or even [http://scruss.com/blog/2013/06/07/well-that-was-unexpected-the-raspberry-pis-hardware-random-number-generator/ Raspberry Pi].
−
While Linux itself uses the result from TRNG in {{ic|/dev/random}}, if available, they are only used as a [https://www.lvh.io/posts/2013/10/thoughts-on-rdrand-in-linux.html XOR after the entropy is collected by kernel]. So {{ic|/dev/random}}, by default, is slow even if you do have a TRNG.
{{ic|
rngd
}}
feeds {{ic|/dev/random}} itself, increasing the available entropy by far.
+
While Linux itself uses the result from TRNG in {{ic|/dev/random}}, if available, they are only used as a [https://www.lvh.io/posts/2013/10/thoughts-on-rdrand-in-linux.html XOR after the entropy is collected by kernel]. So {{ic|/dev/random}}, by default, is slow even if you do have a TRNG.
''
rngd
''
feeds {{ic|/dev/random}} itself, increasing the available entropy by far.
−
==Installation==
+
== Installation ==
−
[[Install]] the {{pkg|rng-tools}} package
from the [[official repositories]]
.
+
[[Install]] the {{pkg|rng-tools}} package.
−
==Configuration==
+
== Configuration ==
The configuration file is located in {{ic|/etc/conf.d/rngd}}. There is only one option though, that is {{ic|RNGD_OPTS}}, the parameters to be passed to the daemon when running it with the included [[systemd]] service ({{ic|rngd.service}}). The default parameter ({{ic|""}}, or blank) should work in the majority of cases.
The configuration file is located in {{ic|/etc/conf.d/rngd}}. There is only one option though, that is {{ic|RNGD_OPTS}}, the parameters to be passed to the daemon when running it with the included [[systemd]] service ({{ic|rngd.service}}). The default parameter ({{ic|""}}, or blank) should work in the majority of cases.
−
By default,
{{ic|
rngd
}}
will try to automatically detect your TRNG and use it. This
works (at least for me)
for
both my
Raspberry Pi and Intel Ivy Bridge CPU using the lastest versions of rng-tools. If this does not work, you may manually pass the [[wikipedia:Device_file|device file]] used by your TRNG, as in the below example:
+
By default,
''
rngd
''
will try to automatically detect your TRNG and use it. This
is reported to work
for Raspberry Pi and Intel Ivy Bridge CPU using the lastest versions of
''
rng-tools
''
. If this does not work, you may manually pass the [[wikipedia:Device_file|device file]] used by your TRNG, as in the below example:
RNGD_OPTS="-o /dev/random -r /dev/my_hw_random_device"
RNGD_OPTS="-o /dev/random -r /dev/my_hw_random_device"
−
{{Warning | Some tutorials available in the Internet, and even early versions of rng-tools package,
recommends
the following line for systems without TRGN:
+
{{Warning|Some tutorials available in the Internet, and even early versions of rng-tools package,
recommend
the following line for systems without TRGN:
<nowiki>RNGD_OPTS="-o /dev/random -r /dev/urandom"</nowiki>
<nowiki>RNGD_OPTS="-o /dev/random -r /dev/urandom"</nowiki>
−
Of course, this is a [https://lwn.net/Articles/525459/
'''REALLY BAD IDEA'''
], since you are simple filling the kernel entropy pool with entropy coming from the kernel itself! If your system does not have an available TRGN consider using [[haveged]] instead. See {{Bug|34580}} for details}}
+
Of course, this is a [https://lwn.net/Articles/525459/
really bad idea
], since you are simple filling the kernel entropy pool with entropy coming from the kernel itself! If your system does not have an available TRGN consider using [[haveged]] instead. See {{Bug|34580}} for details
.
}}
If your system does not have a [[wikipedia:Trusted_Platform_Module|TPM module]], you may pass {{ic|1="--no-tpm=1"}} to {{ic|RNGD_OPTS}} to suppress the following warning message from log:
If your system does not have a [[wikipedia:Trusted_Platform_Module|TPM module]], you may pass {{ic|1="--no-tpm=1"}} to {{ic|RNGD_OPTS}} to suppress the following warning message from log:
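Review bot: three spelling errors survive the style pass in the new text of this hunk and should be fixed while it is being touched: "lastest" (should be "latest") in "using the lastest versions of rng-tools", "TRGN" (should be "TRNG", the spelling used everywhere else on the page) in both places in the warning, and "simple filling" (should be "simply filling"). The warning is the security-relevant part of the section, since it tells readers not to feed /dev/urandom back into /dev/random, so it deserves a clean reading; with those fixed, the change from "recommends" to "recommend" and the move from {{ic|rngd}} to ''rngd'' are fine.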
Line 32:
Line 32:
Unable to open file: /dev/tpm0
Unable to open file: /dev/tpm0
−
==Testing and usage==
+
== Testing and usage ==
−
You may test if
{{ic|
rngd
}}
is working before enabling its service by running
(as root)
:
+
You may test if
''
rngd
''
is working before enabling its service by running:
# rngd -f
# rngd -f
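Review bot: dropping "(as root)" is consistent with the `#` prompt in `# rngd -f`, which already marks a root shell in this wiki's convention, so no text is lost. What the hunk still does not say is what `-f` is for; a short gloss after the command (that it keeps the daemon attached to the terminal for the test rather than detaching it, so it can be stopped before the service is enabled) would make the "test before enabling" advice self-explanatory.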
Line 42:
Line 42:
$ dd if=/dev/random of=/dev/null bs=1024 count=1 iflag=fullblock
$ dd if=/dev/random of=/dev/null bs=1024 count=1 iflag=fullblock
−
Without
{{ic|
rngd
}}
, the above command will take lots of time to run. With
{{ic|
rngd
}}
working properly, the result should be almost instantaneous:
+
Without
''
rngd
''
, the above command will take lots of time to run. With
''
rngd
''
working properly, the result should be almost instantaneous:
1+0 records in
1+0 records in
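Review bot: "will take lots of time to run" is informal for a Help:Style pass; "will take a long time to run" reads better. Otherwise the hunk only swaps {{ic|rngd}} for ''rngd'', which matches the rest of the edit.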
Line 48:
Line 48:
1024 bytes (1.0 kB) copied, 0.0199623 s, 51.3 kB/s
1024 bytes (1.0 kB) copied, 0.0199623 s, 51.3 kB/s
−
A speed of '''kB/s''' in
{{ic|
dd
}}
shows that everything is working properly (for comparison, without
{{ic|
rngd
}}
you would get
speed
of '''b/s'''
(yeah, bits)
.
+
A speed of '''kB/s''' in
''
dd
''<nowiki>'</nowiki>s output
shows that everything is working properly (for comparison, without
''
rngd
''
you would get
speeds
of '''b/s'''.
−
Another interesting test is to run
{{ic|
rngtest
}}
, to check the randomness of data using [[wikipedia:FIPS_140-2|FIPS 140-2 tests]]:
+
Another interesting test is to run
'''
rngtest
'''
, to check the randomness of data using [[wikipedia:FIPS_140-2|FIPS 140-2 tests]]:
−
$ cat /dev/random | rngtest -c 1000
+
{{hc|<nowiki>
$ cat /dev/random | rngtest -c 1000
</nowiki>|2=
−
rngtest 5
+
rngtest 5
−
Copyright (c) 2004 by Henrique de Moraes Holschuh
+
Copyright (c) 2004 by Henrique de Moraes Holschuh
−
This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+
This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
−
+
−
rngtest: starting FIPS tests...
+
rngtest: starting FIPS tests...
−
rngtest: bits received from input: 20000032
+
rngtest: bits received from input: 20000032
−
rngtest: FIPS 140-2 successes: 999
+
rngtest: FIPS 140-2 successes: 999
−
rngtest: FIPS 140-2 failures: 1
+
rngtest: FIPS 140-2 failures: 1
−
rngtest: FIPS 140-2(2001-10-10) Monobit: 1
+
rngtest: FIPS 140-2(2001-10-10) Monobit: 1
−
rngtest: FIPS 140-2(2001-10-10) Poker: 0
+
rngtest: FIPS 140-2(2001-10-10) Poker: 0
−
rngtest: FIPS 140-2(2001-10-10) Runs: 0
+
rngtest: FIPS 140-2(2001-10-10) Runs: 0
−
rngtest: FIPS 140-2(2001-10-10) Long run: 0
+
rngtest: FIPS 140-2(2001-10-10) Long run: 0
−
rngtest: FIPS 140-2(2001-10-10) Continuous run: 0
+
rngtest: FIPS 140-2(2001-10-10) Continuous run: 0
−
rngtest: input channel speed: (min=301.394; avg=417.091; max=693.187)Kibits/s
+
rngtest: input channel speed: (min=301.394; avg=417.091; max=693.187)Kibits/s
−
rngtest: FIPS tests speed: (min=64.656; avg=91.010; max=123.055)Mibits/s
+
rngtest: FIPS tests speed: (min=64.656; avg=91.010; max=123.055)Mibits/s
−
rngtest: Program run time: 47037492 microseconds
+
rngtest: Program run time: 47037492 microseconds
+
}}
It is normal for any random number generator to fail in a small number of tests in 1000 passes, however if the number of failures is too great (like 10), probably there is something wrong.
It is normal for any random number generator to fail in a small number of tests in 1000 passes, however if the number of failures is too great (like 10), probably there is something wrong.
−
After that, you can start the {{ic|rngd.service}}
using [[systemd]], and enable this service to start at each boot:
+
After that, you can
[[
start
]]/[[enable]]
the {{ic|rngd.service}}.
−
+
−
# systemctl start rngd
.
service
+
−
# systemctl enable rngd.service
+
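Review bot: removing "(yeah, bits)" leaves "speeds of '''b/s'''" wrong rather than fixed: dd reports throughput in bytes, so the low-speed unit in its output is "B/s", and the bold "b/s" now contradicts the "kB/s" line quoted just above it; change it to "B/s" (or simply "bytes per second"). Two smaller points in the same hunk: `$ cat /dev/random | rngtest -c 1000` can be written `$ rngtest -c 1000 < /dev/random`, and "in 1000 passes, however if the number of failures is too great" is a comma splice ("passes. However, if ..."). Since the text already tells readers that a few failures per 1000 are normal, one sentence stating what a pass of the FIPS 140-2 tests does establish (that the source shows no gross statistical defect such as stuck or heavily biased bits, not that it is unpredictable) would keep readers from treating rngtest as a security assessment of their TRNG. The replacement of the two `systemctl` lines by the [[start]]/[[enable]] links follows the wiki convention and is fine.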