From: Robert Hancock <hancockr@shaw.ca>
To: Pierre Chifflier <p.chifflier@inl.fr>
Cc: Henrique de Moraes Holschuh <hmh@hmh.eng.br>,
linux-kernel@vger.kernel.org
Subject: Re: intel_rng: FWH not detected (and no entropy)
Date: Thu, 23 Aug 2007 17:27:07 -0600 [thread overview]
Message-ID: <46CE17CB.10302@shaw.ca> (raw)
In-Reply-To: <fa.bebINmq7qS5j+XUn0INfBmoRKMo@ifi.uio.no>
Pierre Chifflier wrote:
> On Thu, Aug 23, 2007 at 09:53:04AM -0300, Henrique de Moraes Holschuh wrote:
>> On Thu, 23 Aug 2007, Pierre Chifflier wrote:
>>> I'm not sure the mhat a hardware RNG is present, so I want to check.
>> Open the mobo, and locate all FLASH chips. If one of them is a 82802AB or
>> 82802AC, then you *MIGHT* have an Intel FWH with a HRNG (some of the FWHs
>> have their RNGs disabled, and since Intel stopped guaranteeing the RNG is
>> there, they would install one such FWH in their boards just the same). If
>> none are a 82802AB or 82802AC, you don't have an Intel FWH with a HRNG.
>>
>> Even if you had an Intel board that is known to sometimes have an Intel FWH
>> with an RNG, like the D875PBZ, that wouldn't mean much. They could have
>> used an non-Intel equivalent part for that production run, for unknown
>> reasons. You really have to check.
>
> Well, I've seen nothing more than the 82801DB (which was listed in
> lspci). So maybe there is no HRNG :(
>
> This leaves the main problem, which is the lack of entropy. Does anyone
> have an idea on how to solve this problem ?
> It appeared with recent kernels. For ex, 2.6.8 had an entropy pool
> always > 3000, while 2.6.18 and other recent kernels show ~ 150.
>
> # sysctl kernel.random.poolsize
> kernel.random.poolsize = 4096
> # sysctl kernel.random.entropy_avail
> kernel.random.entropy_avail = 196
>
> This is really annoying, since the box should also use SSL/TLS
> operations, and it will be real slow ..
I believe that the timing of network interrupts used to be used to
provide entropy, however in later kernels this was taken out as it was
thought unsafe, since an attacker could detect or control the timing of
these packets and thus determine the contents of the entropy pool.
--
Robert Hancock Saskatoon, SK, Canada
To email, remove "nospam" from hancockr@nospamshaw.ca
Home Page: http://www.roberthancock.com/
next parent reply other threads:[~2007-08-23 23:28 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <fa.htD9D53DODI/2aOgxkVH8l7syew@ifi.uio.no>
[not found] ` <fa.2v4wVrqxU4LJuuB/0Pes0Aw5CoY@ifi.uio.no>
[not found] ` <fa.bebINmq7qS5j+XUn0INfBmoRKMo@ifi.uio.no>
2007-08-23 23:27 ` Robert Hancock [this message]
2007-08-23 9:04 intel_rng: FWH not detected (and no entropy) Pierre Chifflier
2007-08-23 12:53 ` Henrique de Moraes Holschuh
2007-08-23 14:41 ` Pierre Chifflier
2007-08-24 21:38 ` Folkert van Heusden
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=46CE17CB.10302@shaw.ca \
--to=hancockr@shaw.ca \
--cc=hmh@hmh.eng.br \
--cc=linux-kernel@vger.kernel.org \
--cc=p.chifflier@inl.fr \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox