From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail-wi0-x236.google.com (mail-wi0-x236.google.com [IPv6:2a00:1450:400c:c05::236]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (verified OK)) by huchra.bufferbloat.net (Postfix) with ESMTPS id A43FD21F150 for ; Thu, 10 Oct 2013 08:39:48 -0700 (PDT) Received: by mail-wi0-f182.google.com with SMTP id ez12so2826847wid.9 for ; Thu, 10 Oct 2013 08:39:46 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:date:message-id:subject:from:to:cc:content-type :content-transfer-encoding; bh=yFjwjXSJr8Uf9QRurgY9QyRXgJ2YP1L+5ebIl+iPm/g=; b=b3kTGyk1ylYJPSn5I23LQtlhcxMHj/XixxpC7CPEJUp3IzOdFKS3Pvm5YtCcw2MMDA geWE8KcEqLCTHXrOcGbWz5heKztsA8NiDEYGb4LzxB4tWLiUIhpiE0AH4sIT7zTxyFD8 35Bcmt7Q2rne+YVyHL8KTZgBgKqA44tjGZbdyIYGKirElVb5Sb1QkaJXNyxfoYTFauUM DlOA96x8k6+nz6XVypwzb97Q/kLlQTkFrctlJ19IY6F7h73/GWbLDn2MLxHO8Pz2Y3dQ lVam1zHegSuZQGrIDbYlyZ6WerUpF8GoGgmx1o9UusXgviNccxq7nxmg0bqzKdmip/3P EEFQ== MIME-Version: 1.0 X-Received: by 10.180.184.107 with SMTP id et11mr8485231wic.60.1381419586793; Thu, 10 Oct 2013 08:39:46 -0700 (PDT) Received: by 10.217.67.202 with HTTP; Thu, 10 Oct 2013 08:39:46 -0700 (PDT) Date: Thu, 10 Oct 2013 08:39:46 -0700 Message-ID: From: Dave Taht To: =?ISO-8859-1?Q?T=F6r=F6k_Edwin?= Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable Cc: "cerowrt-devel@lists.bufferbloat.net" Subject: [Cerowrt-devel] How to get enough entropy in an embedded router (was Re: cerowrt-3.10.13-2 released) X-BeenThere: cerowrt-devel@lists.bufferbloat.net X-Mailman-Version: 2.1.13 Precedence: list List-Id: Development issues regarding the cerowrt test router project List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 10 Oct 2013 15:39:49 -0000 On Tue, Oct 1, 2013 at 7:28 AM, T=F6r=F6k Edwin wrote: > On 10/01/2013 04:42 PM, Dave Taht wrote: >> + Proved it is possible to build an OS release on a "Narrowboat" >> - but not test one without hacking at the 12v power supply off the sola= r panel >> + merge with openwrt head >> + dnsmasq 2.67test17 >> + ipv6subtrees now part of 3.10.12 >> + htb adsl fixes also >> + Simon kelly is starting to finalize dnsmasq 2.67 now that summer is ov= er >> >> - still no fix for the sysupgrade bug >> - Most of the get_cycles() and /dev/random keruffle has settled down >> but I did not fold the latest patchset for that into this. The >> discussion on PRNGs was very illuminating and worth reading.There were >> multiple threads on this topic on lkml, this is one: >> >> https://lkml.org/lkml/2013/9/10/188 > > Does this mean that we can get rid of running rngd the wrong way? [1] rngd can be disabled via /etc/init.d/rngd disable; /etc/init.d/rngd stop Along the way in this keruffle I saw someone using mrtg + a snmpd script to track available entropy, which strikes me as useful, but lacking that you can loo= k at: cat /proc/sys/kernel/random/entropy_avail periodically instead. The picture for entropy looks pretty dim with the current kernel, available entropy_avail with rngd disabled oscillates between 132 and 190 on the box I just tested on, which was basically an idle machine. I look forward to sorting out the new patchset which fixes get_cycles() on mips, when it stablizes a bit more, but more entropy sources for this and many other embedded arches seem required to keep up with the demands for it. > [1] Currently cerowrt runs rngd -r /dev/urandom, which is exactly what sh= ould not be done > ,as it would essentially make /dev/random non-blocking like /dev/urandom = and fool userspace into generating keys without enough entropy, etc.: > https://lwn.net/Articles/525459/ Many embedded OSes (not just openwrt) are using rngd that way as there is a paucity of entropy sources regardless. The majority of the patches under discussion on the lkml thread above increase the quality of the existing entropy, but not the quantity. An embedded router needs entropy for initial key generation for the web cert and ssh key. At this point I'm prepared to argue that it should try to regenerate those a few hours after first boot... It also needs ongoing entropy for wireless encryption, ssl connections to the web browser, ssh connections, vpns, etc. For which we need to measure peak entropy consumption in a world of wpa, people attacking dropbear (which, unlike openwrt in cerowrt spawns from xinetd), and the web configuration server, and full on vpn usage.... Getting to where we have enough entropy out of the box would be great, but I just don't think we can get there with out a hwrng which this atheros chipset lacks. Maybe some wifi registers can be sampled, carefully. > Best regards, > --Edwin > > _______________________________________________ > Cerowrt-devel mailing list > Cerowrt-devel@lists.bufferbloat.net > https://lists.bufferbloat.net/listinfo/cerowrt-devel --=20 Dave T=E4ht Fixing bufferbloat with cerowrt: http://www.teklibre.com/cerowrt/subscribe.= html