Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S262466AbVCXNky (ORCPT ); Thu, 24 Mar 2005 08:40:54 -0500 Received: (majordomo@vger.kernel.org) by vger.kernel.org id S262465AbVCXNky (ORCPT ); Thu, 24 Mar 2005 08:40:54 -0500 Received: from dea.vocord.ru ([217.67.177.50]:27279 "EHLO vocord.com") by vger.kernel.org with ESMTP id S262457AbVCXNk0 (ORCPT ); Thu, 24 Mar 2005 08:40:26 -0500 Subject: Re: [PATCH] API for true Random Number Generators to add entropy (2.6.11) From: Evgeniy Polyakov Reply-To: johnpol@2ka.mipt.ru To: David McCullough Cc: Jeff Garzik , cryptoapi@lists.logix.cz, linux-kernel@vger.kernel.org, linux-crypto@vger.kernel.org, Andrew Morton , James Morris , Herbert Xu In-Reply-To: <20050324132342.GD7115@beast> References: <20050315133644.GA25903@beast> <20050324042708.GA2806@beast> <1111665551.23532.90.camel@uganda> <4242B712.50004@pobox.com> <20050324132342.GD7115@beast> Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="=-CcHHT4Pe1VAxgN4l99YF" Organization: MIPT Date: Thu, 24 Mar 2005 16:46:33 +0300 Message-Id: <1111671993.23532.115.camel@uganda> Mime-Version: 1.0 X-Mailer: Evolution 2.0.4 (2.0.4-1) X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-1.4 (vocord.com [192.168.0.1]); Thu, 24 Mar 2005 16:39:23 +0300 (MSK) Sender: linux-kernel-owner@vger.kernel.org X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 3301 Lines: 101 --=-CcHHT4Pe1VAxgN4l99YF Content-Type: text/plain Content-Transfer-Encoding: quoted-printable On Thu, 2005-03-24 at 23:23 +1000, David McCullough wrote: > Jivin Jeff Garzik lays it down ... > > Evgeniy Polyakov wrote: > > >On Thu, 2005-03-24 at 14:27 +1000, David McCullough wrote: > > > > > >>Hi all, > > >> > > >>Here is a small patch for 2.6.11 that adds a routine: > > >> > > >> add_true_randomness(__u32 *buf, int nwords); > > >> > > >>so that true random number generator device drivers can add a entropy > > >>to the system. Drivers that use this can be found in the latest rele= ase > > >>of ocf-linux, an asynchronous crypto implementation for linux based = on > > >>the *BSD Cryptographic Framework. > > >> > > >> http://ocf-linux.sourceforge.net/ > > >> > > >>Adding this can dramatically improve the performance of /dev/random o= n > > >>small embedded systems which do not generate much entropy. > > > > > > > > >People will not apply any kind of such changes. > > >Both OCF and acrypto already handle all RNG cases - no need for any ki= nd > > >of userspace daemon or entropy (re)injection mechanism. > > >Anyone who want to use HW randomness may use OCF/acrypto mechanism. > > >For example here is patch to enable acrypto support for hw_random.c > > >It is very simple and support only upto 4 bytes request, of course it > > >is=20 > > >not interested for anyone, but it is only 2-minutes example: > >=20 > > If you want to add entropy to the kernel entropy pool from hardware RNG= ,=20 > > you should use the userland daemon, which detects non-random (broken)=20 > > hardware and provides throttling, so that RNG data collection does not=20 > > consume 100% CPU. > >=20 > > If you want to use the hardware RNG directly, it's simple: just open=20 > > /dev/hw_random. > >=20 > > Hardware RNG should not go kernel->kernel without adding FIPS tests and= =20 > > such. >=20 > For reference, the RNG on the Safenet I am using this with is > FIPS140 certified. I believe the HIFN part is also but I place the doc = that > says so. At least HIFN 795x is certified. Idea to validate entropy data is good in general,=20 but it should be implemented in a way allowing external both in-kernel and userspace processes to contribute data. So for in-kernel use we need such a mechanism, and userspace gkernel daemon should use it(as the latest "step") too. Your changes are correct, ioctl(RNDADDENTROPY) could even use it instead of direct add_entropy_words()/credit_entropy_store(), but without external entropy contributors it will not be applied by maintainers. > Cheers, > Davidm >=20 --=20 Evgeniy Polyakov Crash is better than data corruption -- Arthur Grabowski --=-CcHHT4Pe1VAxgN4l99YF Content-Type: application/pgp-signature; name=signature.asc Content-Description: This is a digitally signed message part -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.6 (GNU/Linux) iD8DBQBCQsS5IKTPhE+8wY0RAvQIAJ9k7AvtYM3NMaXJ56YdZgEIAuxlHACgiNtK doJpgANgdvvTf4fBejJEHus= =c2MR -----END PGP SIGNATURE----- --=-CcHHT4Pe1VAxgN4l99YF-- - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/