A while ago, I added support for the TPM’s pRNG to the rng-tools package in Ubuntu. Since then, Kent Yoder added TPM support directly into the kernel’s /dev/hwrng device. This means there’s no need to carry the patch in rng-tools any more, since I can use /dev/hwrng directly now:
# modprobe tpm-rng
# echo tpm-rng >> /etc/modules
# grep -v ^# /etc/default/rng-tools
RNGDOPTIONS="--fill-watermark=90%"
# service rng-tools restart
And as before, once it’s been running a while (or you send SIGUSR1 to rngd), you can see reporting in syslog:
# pkill -USR1 rngd
# tail -n 15 /var/log/syslog
Aug 13 09:51:01 linux rngd[39114]: stats: bits received from HRNG source: 260064
Aug 13 09:51:01 linux rngd[39114]: stats: bits sent to kernel pool: 216384
Aug 13 09:51:01 linux rngd[39114]: stats: entropy added to kernel pool: 216384
Aug 13 09:51:01 linux rngd[39114]: stats: FIPS 140-2 successes: 13
Aug 13 09:51:01 linux rngd[39114]: stats: FIPS 140-2 failures: 0
Aug 13 09:51:01 linux rngd[39114]: stats: FIPS 140-2(2001-10-10) Monobit: 0
Aug 13 09:51:01 linux rngd[39114]: stats: FIPS 140-2(2001-10-10) Poker: 0
Aug 13 09:51:01 linux rngd[39114]: stats: FIPS 140-2(2001-10-10) Runs: 0
Aug 13 09:51:01 linux rngd[39114]: stats: FIPS 140-2(2001-10-10) Long run: 0
Aug 13 09:51:01 linux rngd[39114]: stats: FIPS 140-2(2001-10-10) Continuous run: 0
Aug 13 09:51:01 linux rngd[39114]: stats: HRNG source speed: (min=10.433; avg=10.442; max=10.454)Kibits/s
Aug 13 09:51:01 linux rngd[39114]: stats: FIPS tests speed: (min=73.360; avg=75.504; max=86.305)Mibits/s
Aug 13 09:51:01 linux rngd[39114]: stats: Lowest ready-buffers level: 2
Aug 13 09:51:01 linux rngd[39114]: stats: Entropy starvations: 0
Aug 13 09:51:01 linux rngd[39114]: stats: Time spent starving for entropy: (min=0; avg=0.000; max=0)us
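Those stats lines are the natural place to watch for a hardware source that has gone quiet or started failing its FIPS 140-2 checks. As an added example (not from the post and not part of rng-tools), here is a small Python checker that parses lines in the format shown above and reports the conditions worth alerting on: nothing received from the source, FIPS failures (with the contributing test named), entropy starvation, and an unexpectedly slow source. The sample log lines are constructed to match the format above, and the speed threshold is an assumption of this example, not an rngd setting.

```python
"""Parse rngd 'stats:' syslog lines and flag an unhealthy hardware RNG feed."""
import re

# Matches the per-line format rngd prints after SIGUSR1, e.g.
#   Aug 13 09:51:01 linux rngd[39114]: stats: FIPS 140-2 failures: 0
STATS_RE = re.compile(r"rngd\[(?P<pid>\d+)\]: stats: (?P<key>.+?): (?P<value>.+)$")
# Matches the (min=..; avg=..; max=..)unit form used for speeds and durations
RANGE_RE = re.compile(
    r"\(min=(?P<min>[\d.]+); avg=(?P<avg>[\d.]+); max=(?P<max>[\d.]+)\)(?P<unit>\S*)")

# Constructed sample: a healthy report in the format shown in the post
SAMPLE_HEALTHY = """\
Aug 13 09:51:01 linux rngd[39114]: stats: bits received from HRNG source: 260064
Aug 13 09:51:01 linux rngd[39114]: stats: bits sent to kernel pool: 216384
Aug 13 09:51:01 linux rngd[39114]: stats: FIPS 140-2 successes: 13
Aug 13 09:51:01 linux rngd[39114]: stats: FIPS 140-2 failures: 0
Aug 13 09:51:01 linux rngd[39114]: stats: FIPS 140-2(2001-10-10) Monobit: 0
Aug 13 09:51:01 linux rngd[39114]: stats: FIPS 140-2(2001-10-10) Poker: 0
Aug 13 09:51:01 linux rngd[39114]: stats: HRNG source speed: (min=10.433; avg=10.442; max=10.454)Kibits/s
Aug 13 09:51:01 linux rngd[39114]: stats: Entropy starvations: 0
Aug 13 09:51:01 linux rngd[39114]: stats: Time spent starving for entropy: (min=0; avg=0.000; max=0)us
"""

# Constructed sample: one 20000-bit block failed the Poker test and the pool starved
SAMPLE_UNHEALTHY = """\
Aug 13 10:02:17 linux rngd[39114]: stats: bits received from HRNG source: 20000
Aug 13 10:02:17 linux rngd[39114]: stats: bits sent to kernel pool: 0
Aug 13 10:02:17 linux rngd[39114]: stats: FIPS 140-2 successes: 0
Aug 13 10:02:17 linux rngd[39114]: stats: FIPS 140-2 failures: 1
Aug 13 10:02:17 linux rngd[39114]: stats: FIPS 140-2(2001-10-10) Monobit: 0
Aug 13 10:02:17 linux rngd[39114]: stats: FIPS 140-2(2001-10-10) Poker: 1
Aug 13 10:02:17 linux rngd[39114]: stats: HRNG source speed: (min=10.1; avg=10.2; max=10.3)Kibits/s
Aug 13 10:02:17 linux rngd[39114]: stats: Entropy starvations: 3
"""


def parse_rngd_stats(text):
    """Return {key: value}; (min/avg/max) ranges become dicts, counters become ints."""
    stats = {}
    for line in text.splitlines():
        m = STATS_RE.search(line)
        if not m:
            continue  # not an rngd stats line; ignore other syslog traffic
        key, raw = m.group("key"), m.group("value").strip()
        r = RANGE_RE.fullmatch(raw)
        if r:
            stats[key] = {"min": float(r.group("min")), "avg": float(r.group("avg")),
                          "max": float(r.group("max")), "unit": r.group("unit")}
        else:
            stats[key] = int(raw)
    return stats


def assess(stats, min_speed_kibits=1.0):
    """Return a list of findings; an empty list means the feed looks healthy.

    min_speed_kibits is a threshold assumed for this example, not an rngd value.
    """
    findings = []
    if stats.get("bits received from HRNG source", 0) == 0:
        findings.append("no bits received from the hardware source")
    failures = stats.get("FIPS 140-2 failures", 0)
    if failures:
        # Name the individual FIPS 140-2 tests that contributed failures
        failed = [k.split(") ", 1)[1] for k, v in stats.items()
                  if k.startswith("FIPS 140-2(") and v]
        findings.append("FIPS 140-2 failures: %d (%s)" % (failures, ", ".join(failed)))
    if stats.get("Entropy starvations", 0):
        findings.append("kernel pool starved %d times" % stats["Entropy starvations"])
    speed = stats.get("HRNG source speed")
    if speed and speed["unit"] == "Kibits/s" and speed["avg"] < min_speed_kibits:
        findings.append("source speed %.3f Kibits/s below %.1f Kibits/s"
                        % (speed["avg"], min_speed_kibits))
    return findings


if __name__ == "__main__":
    import sys
    # Pass a syslog file as the first argument; otherwise run on the built-in sample
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_HEALTHY
    problems = assess(parse_rngd_stats(text))
    print("\n".join(problems) if problems else "rngd feed looks healthy")
```

Run it against /var/log/syslog after sending SIGUSR1 to rngd; the parser only keys on the "rngd[pid]: stats:" prefix, so unrelated syslog lines are ignored, and the last report in the file wins because later values overwrite earlier ones.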
I’m pondering getting this running in Chrome OS too, but I want to make sure it doesn’t suck too much battery.
© 2013, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 License.