[Soekris] 4801, Linux, and entropy
kudzu at tenebras.com
Tue Oct 18 19:17:48 UTC 2005
steve davidson wrote:
> I wanted to poll the group to see if anyone has any suggestions for
> working around the lack of entropy on the 4801 for security
> applications. This is a common problem among embedded devices - the
> common entropy devices used by *nix (keyboard, mouse, HDD, etc) simply
> are not present on these appliances. Via has provided a nice solution
> to this problem in their Eden-N line - the CPU itself has a hardware
> entropy pool generated by electrical noise.
> I'm using Linux on my 4801s and switching to BSD is not an option at
> this point.
Too bad -- that would be the correct solution. ;-)
You could port rndcontrol, which is the BSD util for
manipulating /dev/random. You'll just need to figure
out the correct ioctl() magic to add and remove IRQs from
the list of those used to "stir the entropy pool". It's
only about 100 lines of code.
Another alternative would be to implement a fifo and
supply random bits using Yarrow, which can be configured
to get random material from /dev/random.
I wouldn't worry about /dev/urandom -- I'm a security wonk,
and don't consider using it to be a "very bad idea" --
the theory of operation of /dev/random itself is not
particularly sound. Even with hardware RBGs, the problem
is that these have a very low output rate (ca. 16k bits/sec),
which might not be enough for a busy server -- so at best it's
useful for adding entropy to a pseudo-random number generator.
More information about the Soekris-tech