[OpenWrt-Devel] [PATCH RFC 5/5] ath79: make urngd default RNG seed source

Petr Štetiar ynezz at true.cz
Mon May 20 12:13:25 EDT 2019


This fixes some of the current urandom-seed based flaws.

First, simply writing to /dev/urandom does not increase the kernel's
entropy count, this causes processes obtaining randomness to block.
Particularly processes using OpenSSL's RAND_bytes() will block until the
kernel emits 'random: crng init done'. This can take upwards of twenty
minutes.

According to random(4) the entropy count is only increased when using
the RNDADDENTROPY ioctl.

Second, urandom-seed is using /etc/urandom.seed file to seed the
kernel's RNG machinery upon every boot. This file is created only once
during first-boot and then reused on every consecutive boot, so pretty
much static.

So this patch removes urandom-seed package in favor of urngd, which is a
micro non-physical true random number generator based on timing jitter.

Using the Jitter RNG core, the urngd provides an entropy source that
feeds into the Linux /dev/random device if its entropy runs low. It
updates the /dev/random entropy estimator such that the newly provided
entropy unblocks /dev/random.

The seeding of /dev/random also ensures that /dev/urandom benefits from
entropy. Especially during boot time, when the entropy of Linux is low,
the Jitter RNGd provides a source of sufficient entropy.

Some RNG init time numbers from qca9563 (TP-Link Archer C7 v5):

 [   12.045693] random: crng init done        (urngd)
 [  120.043132] random: crng init done        (urandom-seed)

Flash space details:

 urngd:        + 4579 b
 getrandom:    - 1635 b
 urandom-seed: -  841 b
 ----------------------
 diff          + 2103 b

Ref: https://patchwork.ozlabs.org/patch/1056981/
Ref: https://github.com/openwrt/openwrt/pull/2069#issue-279977445
Signed-off-by: Petr Štetiar <ynezz at true.cz>
Signed-off-by: Stephan Mueller <smueller at chronox.de>
[parts of the commit message]
Signed-off-by: Dustin Lundquist <d.lundquist at temperednetworks.com>
[parts of the commit message]

---
 target/linux/ath79/Makefile | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/target/linux/ath79/Makefile b/target/linux/ath79/Makefile
index 0ccc0bed1ce0..840f30fb11be 100644
--- a/target/linux/ath79/Makefile
+++ b/target/linux/ath79/Makefile
@@ -13,8 +13,9 @@ KERNEL_TESTING_PATCHVER := 4.19
 
 include $(INCLUDE_DIR)/target.mk
 
+DEFAULT_PACKAGES:=$(filter-out urandom-seed,$(DEFAULT_PACKAGES))
 DEFAULT_PACKAGES += \
 	kmod-gpio-button-hotplug swconfig \
-	kmod-ath9k uboot-envtools
+	kmod-ath9k uboot-envtools urngd
 
 $(eval $(call BuildTarget))
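Review bot: the flash-space table in the commit message counts getrandom (- 1635 b) as removed, but this hunk only filters urandom-seed out of DEFAULT_PACKAGES and appends urngd; if getrandom is dropped by another patch in the series, the message should say so, otherwise the "diff + 2103 b" figure does not correspond to this change. The `DEFAULT_PACKAGES:=$(filter-out urandom-seed,$(DEFAULT_PACKAGES))` line is correctly placed after `include $(INCLUDE_DIR)/target.mk` (where the default list is populated) and the simply-expanded `:=` is what makes filter-out act on the current value, so the following `+=` lines behave as before. Since the switch is motivated by generic RNG seeding flaws rather than anything ath79-specific, consider noting in the message why the override lives in the target Makefile instead of the shared default package list, so other targets do not have to copy this two-line pattern.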
-- 
1.9.1
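The RNDADDENTROPY point from the commit message above, as an added example that is not part of this patch, of urngd, or of OpenWrt: a minimal seed loader that mixes bytes into the kernel pool and credits them, next to a read of the kernel's entropy estimate so the effect (or, for an uncredited write, the lack of it) can be observed. The function names and the optional command-line arguments are assumptions made for this illustration; the seed bytes in main() are constructed, and the demo credits zero bits for them precisely because fixed, reusable bytes carry no entropy (the second flaw the message describes).

```c
/*
 * Added example (not from the patch, urngd, or OpenWrt): seeding the
 * kernel RNG through the RNDADDENTROPY ioctl, which both mixes the bytes
 * in and raises the entropy estimate, unlike write(2) on /dev/urandom,
 * which only mixes them in. Linux only; RNDADDENTROPY needs CAP_SYS_ADMIN.
 */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/ioctl.h>
#include <linux/random.h>

/* Build the rand_pool_info argument for RNDADDENTROPY (hypothetical helper).
 * entropy_bits is what the caller claims the buffer carries; it must not
 * exceed 8 bits per byte, and a seed file reused on every boot deserves 0.
 * Returns NULL on bad input; the caller frees the result. */
struct rand_pool_info *build_pool_info(const unsigned char *buf, size_t len,
                                       int entropy_bits)
{
    if (buf == NULL || len == 0 || entropy_bits < 0 ||
        (size_t)entropy_bits > len * 8)
        return NULL;
    struct rand_pool_info *info = malloc(sizeof(*info) + len);
    if (info == NULL)
        return NULL;
    info->entropy_count = entropy_bits;   /* bits credited to the pool */
    info->buf_size = (int)len;            /* bytes that follow */
    memcpy(info->buf, buf, len);
    return info;
}

/* Kernel's current entropy estimate in bits (RNDGETENTCNT), or -1 on error. */
int kernel_entropy_bits(void)
{
    int fd = open("/dev/random", O_RDONLY);
    if (fd < 0)
        return -1;
    int bits = -1;
    if (ioctl(fd, RNDGETENTCNT, &bits) < 0)
        bits = -1;
    close(fd);
    return bits;
}

/* Mix buf into the pool and credit entropy_bits. Returns 0 on success,
 * -1 on error (e.g. EPERM without CAP_SYS_ADMIN). */
int credit_entropy(const unsigned char *buf, size_t len, int entropy_bits)
{
    struct rand_pool_info *info = build_pool_info(buf, len, entropy_bits);
    if (info == NULL)
        return -1;
    int rc = -1;
    int fd = open("/dev/random", O_WRONLY);
    if (fd >= 0) {
        rc = ioctl(fd, RNDADDENTROPY, info) < 0 ? -1 : 0;
        close(fd);
    }
    free(info);
    return rc;
}

int main(int argc, char **argv)
{
    /* Constructed sample bytes: deterministic, therefore credited 0 bits.
     * Pass a path and a bit count to load real seed material instead. */
    unsigned char seed[64];
    size_t len = sizeof seed;
    int bits = 0;
    for (size_t i = 0; i < len; i++)
        seed[i] = (unsigned char)(i * 7 + 3);

    if (argc == 3) {
        int fd = open(argv[1], O_RDONLY);
        ssize_t n = fd >= 0 ? read(fd, seed, sizeof seed) : -1;
        if (fd >= 0)
            close(fd);
        if (n <= 0) {
            perror("read seed");
            return 1;
        }
        len = (size_t)n;
        bits = atoi(argv[2]);
    }

    printf("entropy estimate before: %d bits\n", kernel_entropy_bits());
    if (credit_entropy(seed, len, bits) != 0)
        perror("RNDADDENTROPY");
    printf("entropy estimate after:  %d bits\n", kernel_entropy_bits());
    return 0;
}
```

Run as root with a freshly gathered seed file and a credit such as `./seed /path/to/seed 256` to see the estimate rise; the same bytes written with `cat seed > /dev/urandom` leave the estimate unchanged, which is exactly why a write-only seeder leaves `RAND_bytes()` callers waiting for `crng init done`. The credit argument is the security-relevant knob: over-crediting predictable bytes silently unblocks consumers with weak randomness, so credit only what the source is actually known to provide.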

