codeblog code is freedom — patching my itch

August 13, 2013

TPM providing /dev/hwrng

Filed under: Blogging,Chrome OS,Debian,Security,Ubuntu,Ubuntu-Server — kees @ 9:10 am

A while ago, I added support for the TPM’s pRNG to the rng-tools package in Ubuntu. Since then, Kent Yoder added TPM support directly into the kernel’s /dev/hwrng device. This means there’s no need to carry the patch in rng-tools any more, since I can use /dev/hwrng directly now:

# modprobe tpm-rng
# echo tpm-rng >> /etc/modules
# grep -v ^# /etc/default/rng-tools
RNGDOPTIONS="--fill-watermark=90%"
# service rng-tools restart

And as before, once it’s been running a while (or you send SIGUSR1 to rngd), you can see reporting in syslog:

# pkill -USR1 rngd
# tail -n 15 /var/log/syslog
Aug 13 09:51:01 linux rngd[39114]: stats: bits received from HRNG source: 260064
Aug 13 09:51:01 linux rngd[39114]: stats: bits sent to kernel pool: 216384
Aug 13 09:51:01 linux rngd[39114]: stats: entropy added to kernel pool: 216384
Aug 13 09:51:01 linux rngd[39114]: stats: FIPS 140-2 successes: 13
Aug 13 09:51:01 linux rngd[39114]: stats: FIPS 140-2 failures: 0
Aug 13 09:51:01 linux rngd[39114]: stats: FIPS 140-2(2001-10-10) Monobit: 0
Aug 13 09:51:01 linux rngd[39114]: stats: FIPS 140-2(2001-10-10) Poker: 0
Aug 13 09:51:01 linux rngd[39114]: stats: FIPS 140-2(2001-10-10) Runs: 0
Aug 13 09:51:01 linux rngd[39114]: stats: FIPS 140-2(2001-10-10) Long run: 0
Aug 13 09:51:01 linux rngd[39114]: stats: FIPS 140-2(2001-10-10) Continuous run: 0
Aug 13 09:51:01 linux rngd[39114]: stats: HRNG source speed: (min=10.433; avg=10.442; max=10.454)Kibits/s
Aug 13 09:51:01 linux rngd[39114]: stats: FIPS tests speed: (min=73.360; avg=75.504; max=86.305)Mibits/s
Aug 13 09:51:01 linux rngd[39114]: stats: Lowest ready-buffers level: 2
Aug 13 09:51:01 linux rngd[39114]: stats: Entropy starvations: 0
Aug 13 09:51:01 linux rngd[39114]: stats: Time spent starving for entropy: (min=0; avg=0.000; max=0)us

I’m pondering getting this running in Chrome OS too, but I want to make sure it doesn’t suck too much battery.

© 2013, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 License.
CC BY-SA 4.0

9 Comments

  1. Hm.

    I’ve currently something set up with stunnel and rngd that streams some entropy over the network and feeds it to rngd’s stdin on the Linux side.

    Now I wonder whether it’s possible to tell rngd to pull from *both* TPM and stdin to mix those entropy sources?

    Comment by mirabilos — August 14, 2013 @ 1:08 am

  2. For sharing entropy over the network, I like using ekeyd-egd-linux with an EGD server. (I’m using ekeyd’s EGD server, but that requires an entropy key.) Someone should write an EGD extension to rng-tools. :)

    Comment by kees — August 14, 2013 @ 6:45 am

  3. I have a solution for sharing entropy over a network. What I want is to tell rngd to use *both* the remote entropy from the network *and* the local entropy from the TPM.

    Comment by mirabilos — August 14, 2013 @ 7:01 am

  4. Perhaps run two instances of rngd? The interface that feeds entropy into the kernel isn’t exclusive, I don’t think.

    Comment by kees — August 14, 2013 @ 7:06 am

  5. Isn’t the TPM a ludicrously slow source of random numbers, both in an absolute sense and especially compared to something like rdrand? Are you just hoping to use it as a source of entropy, rather than directly as an RNG? I assume you don’t plan to use it on platforms new enough to have better options?

    Comment by Anonymous — August 14, 2013 @ 11:56 am

  6. Anything is better than nothing. And it’s not too bad, actually. On a newer laptop, the speeds are even better than shown in the post:

    Aug 14 11:31:06 linux rngd[8755]: stats: HRNG source speed: (min=25.881; avg=27.443; max=29.065)Kibits/s
    Aug 14 11:31:06 linux rngd[8755]: stats: FIPS tests speed: (min=57.278; avg=61.169; max=66.227)Mibits/s 
    

    But yeah, on systems with RDRAND, who cares about this. You’ll never run out of entropy there. :) But there are plenty of devices that have a TPM and lack RDRAND.

    Comment by kees — August 14, 2013 @ 11:59 am

  7. Plus many systems with rdrand don’t have a new enough rng-tools package to actually use it. Debian and Ubuntu are still using rng-tools-2, whereas you need rng-tools-4 for rdrand. I guess Debian forked it a while back which is part of the reason for the lag in updating. Ubuntu does seem to have added rng-tools-4 to 13.10, but since that’s not released yet…

    Using the TPM as a source of randomness is better than having nothing at all in my opinion. I’ll use this until I can get rng-tools-4 with rdrand support.

    Comment by Josh — August 29, 2013 @ 4:41 pm

  8. I don’t think this is working in Ubuntu 14.04 LTS, unfortunately. Any chance you could check, and perhaps update your instructions, Kees?

    Thanks!
    :-Dustin

    Comment by Dustin Kirkland — March 17, 2014 @ 5:51 pm

  9. I just play with rngd5 9.4 but when sending USR1 signal to rngd it kills the daemon….
    rngd produces no output at all. The daemon runs, but how can I now find out it really does what it´s meant to do?

    Comment by numberpruncher — May 18, 2017 @ 3:59 am

Powered by WordPress