[Soekris] vpn1411 RNG, FreeBSD 7: how to activate?
patfbsd at davenulle.org
Thu Sep 4 11:15:43 UTC 2008
On Thu, 04 Sep 2008 03:46:52 -0500,
"James R. Van Artsdalen" <soekris-tech at jrv.org> wrote:
> >> Has Hi/fn stated what kind of random number generator the 7955 has?
> >> How is this enabled in FreeBSD 7? I've added these lines to the
> >> kernel config file:
> >> device crypto # core crypto support
> >> device cryptodev # /dev/crypto for access to h/w
> >> device hifn # Hifn 7951, 7781, etc.
> >> options HIFN_DEBUG # enable debugging support: hw.hifn.debug
> >> options HIFN_RNDTEST # enable rndtest support
> >> device rndtest # FIPS 140-2 entropy tester
> >> I'm not convinced it's being used instead of the kernel's Yarrow
> >> code.
> > It should work.
> > By default rndtest only reports failure, use the sysctl
> > kern.rndtest.verbose=2 (not sure for the sysctl, something like
> > that) to report success.
> Thanks. rndtest is working but the hifn is apparently not being used
> by openssl at all - hifnstats reports no activity as a result of
> "openssl speed". cryptostats reports no activity either. cryptotest
> does result in some activity in cryptostats and hifnstats so it may
> be an openssl issue with /dev/crypto
This is a known bug on FreeBSD 7. OpenSSL does not use the cryptodev
engine by default.
> It's still not clear if the kernel is using the hifn for random
> numbers or not. And even if it is, I can't find any indication of
> what sort of RNG hifn uses or how good it is.
I can't tell if it provides good random numbers or not. If rndtest
does not report failure it looks good IMHO.
Rndtest feeds the random subsystem if the random data provided by hifn
is good. Without rndtest, hifn feeds the random subsystem directly.
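
The gating behaviour described in the reply above (hardware RNG output is passed on only if it tests as good), as an added example that is not part of the original message and is not FreeBSD's rndtest source. It applies three of the FIPS 140-2 statistical tests (monobit, poker, long run) to one 20,000-bit block; the names `gate_block` and `BLOCK_BYTES` are hypothetical, and the runs test is left out to keep the block short.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define BLOCK_BYTES 2500            /* FIPS 140-2 tests run on 20,000 bits */

/* Monobit: the count of one bits must satisfy 9725 < n < 10275. */
static int monobit_ok(const uint8_t *b) {
    int ones = 0;
    for (size_t i = 0; i < BLOCK_BYTES; i++)
        for (int k = 0; k < 8; k++)
            ones += (b[i] >> k) & 1;
    return ones > 9725 && ones < 10275;
}

/* Poker: X = (16/5000) * sum(f[n]^2) - 5000 over 4-bit values; 2.16 < X < 46.17. */
static int poker_ok(const uint8_t *b) {
    long f[16] = {0}, sum = 0;
    for (size_t i = 0; i < BLOCK_BYTES; i++) {
        f[b[i] >> 4]++;
        f[b[i] & 0x0f]++;
    }
    for (int n = 0; n < 16; n++)
        sum += f[n] * f[n];
    double x = (16.0 / 5000.0) * (double)sum - 5000.0;
    return x > 2.16 && x < 46.17;
}

/* Long run: any run of 26 or more identical bits fails the block. */
static int longrun_ok(const uint8_t *b) {
    int run = 0, last = -1;
    for (size_t i = 0; i < BLOCK_BYTES; i++)
        for (int k = 7; k >= 0; k--) {
            int bit = (b[i] >> k) & 1;
            run = (bit == last) ? run + 1 : 1;
            last = bit;
            if (run >= 26)
                return 0;
        }
    return 1;
}

/* Hypothetical gate: forward the block to the pool only if every test passes.
 * Returns the number of bytes forwarded; 0 means the block was discarded. */
size_t gate_block(const uint8_t *hw, uint8_t *pool) {
    if (!monobit_ok(hw) || !poker_ok(hw) || !longrun_ok(hw))
        return 0;
    memcpy(pool, hw, BLOCK_BYTES);
    return BLOCK_BYTES;
}
```

Because the poker statistic has a lower bound as well as an upper one, a perfectly regular nibble pattern is rejected just as a heavily skewed one is.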