| 12 | | Many system components including stack smashing protector, mktemp, and |
|---|
| 13 | | cryptography, depend on a supply of random bits to ensure data integrity. |
|---|
| 14 | | In the Linux kernel a combination of input devices are used to gather |
|---|
| 15 | | randomness from. This includes the keyboard, mouse, network, and hard disc. |
|---|
| 16 | | On an idle system none of these devices are receiving input, and the entropy |
|---|
| 17 | | (randomness) of the system is easy to deplete, especially with cryptography. |
|---|
| | 12 | The word "entropy" generally means "chaos", "disorder", or "uncertainty". In |
|---|
| | 13 | this hint "entropy" is used to describe random computer data. |
|---|
| | 14 | |
|---|
| | 15 | Many system components depend on entropy (random numbers) for various tasks. |
|---|
| | 16 | One of the simplest examples would be the fortune(6) program, which gives a |
|---|
| | 17 | random quote from a list when we log in. Another simple example is a solitaire |
|---|
| | 18 | card game, or the shuffle option in a music player. Without random numbers |
|---|
| | 19 | these programs would generate the same results every time they run. The above |
|---|
| | 20 | examples are low security applications. It is not critical for them to use |
|---|
| | 21 | high quality random numbers, and in applications like these the current system |
|---|
| | 22 | time and date is usually an adequate source of entropy. |
|---|
| | 23 | |
|---|
| | 24 | Examples of medium security uses for entropy would be applications like |
|---|
| | 25 | mktemp(1), password salt, or the Stack Smashing Protector (SSP) GCC feature. |
|---|
| | 26 | These applications need unpredictable entropy to function securely, but the |
|---|
| | 27 | life span of these applications is generally short, so they do not need to use |
|---|
| | 28 | the highest quality entropy available. Using the system time is unsafe for |
|---|
| | 29 | these applications because it is predictable. |
|---|
| | 30 | |
|---|
| | 31 | Cryptographic keys tend to have a very long life, often several years. Even |
|---|
| | 32 | after the key is eventually replaced, everything it was used to encrypt remains |
|---|
| | 33 | only as safe as the entropy used to generate the key. For cryptography we want |
|---|
| | 34 | to use the best entropy possible, and conserve this high quality entropy |
|---|
| | 35 | specifically for cryptography. |
|---|
| | 36 | |
|---|
| | 37 | Generating true entropy in a computer is fairly difficult because nothing, |
|---|
| | 38 | outside of quantum physics, is random. The Linux kernel uses keyboard, mouse, |
|---|
| | 39 | network, and disc activities, with a cryptographic algorithm (SHA1), to |
|---|
| | 40 | generate data for the /dev/random device. One of the problems with this is that |
|---|
| | 41 | the input is not constant, so the kernel entropy pool can easily become empty. |
|---|
| | 42 | The /dev/random device is called a "blocking device". This means if the entropy |
|---|
| | 43 | pool is empty applications trying to use /dev/random will have to wait, |
|---|
| | 44 | indefinitely, until something refills the pool. This is both a feature and a |
|---|
| | 45 | nuisance, and can cause a denial of service depending on the application. |
|---|
| | 46 | Another problem with using the keyboard, mouse, network, and disc activity is |
|---|
| | 47 | that on idle, unmanned, and disc-less systems there is very little, or no, input |
|---|
| | 48 | of this kind. It is also theoretically possible for an observer (keyboard or |
|---|
| | 49 | network sniffer) to predict the entropy pool without having root level access. |
|---|
| | 50 | The only real solution to these vulnerabilities is in using a hardware-based |
|---|
| | 51 | random number generator. These hardware devices usually use electrical static |
|---|
| | 52 | as a source of entropy, because there is currently no technology that can |
|---|
| | 53 | reliably predict this. The best hardware random number generators use |
|---|
| | 54 | radioactive decay as an entropy source. |
|---|
| | 55 | |
|---|
| | 56 | The /dev/urandom device is referred to as a pseudo-random device (like-random), |
|---|
| | 57 | although /dev/random is also pseudo-random but to a lesser extent. /dev/urandom |
|---|
| | 58 | uses small amounts of data from /dev/random to seed a secondary entropy pool. |
|---|
| | 59 | This has the effect of inflating the real entropy so it can be conserved. Using |
|---|
| | 60 | /dev/urandom can cause /dev/random's pool to become empty, but if this happens |
|---|
| | 61 | /dev/urandom will not block, and it will continue using the last available |
|---|
| | 62 | seed. This makes /dev/urandom theoretically vulnerable to outputting repeating |
|---|
| | 63 | data, depending on the limitations of the algorithm used, but this is extremely |
|---|
| | 64 | rare and to my knowledge has never actually happened. /dev/urandom is widely |
|---|
| | 65 | considered safe for all cryptographic purposes, except by the most paranoid |
|---|
| | 66 | people. |
|---|
| | 67 | |
|---|
| | 68 | This hint contains links to web sites and patches to help you get more entropy, |
|---|
| | 69 | and use it more conservatively. |
|---|
| 37 | | This describes two daemons which use either the static noise from the |
|---|
| 38 | | system audio, or the video frames from a video4linux device. These devices |
|---|
| 39 | | have a never ending supply of randomness created by thermal fluctuation and |
|---|
| 40 | | electric fields on the devices. These entropy gathering daemons depend on the |
|---|
| 41 | | kernel driver for your hardware to work properly, be it your sound or video |
|---|
| 42 | | card. These programs will re-seed the kernel entropy pool. The programs can |
|---|
| 43 | | be used together in combination with the kernel's internal values to create |
|---|
| 44 | | a very random pool from several different sources. |
|---|
| 45 | | |
|---|
| 46 | | - LavaRnd Random Number Generator: |
|---|
| | 134 | These two daemons use either the static noise from the sound card, or the video |
|---|
| | 135 | frames from a video4linux device. These devices have a never ending supply of |
|---|
| | 136 | entropy created by thermal fluctuation and electric fields on the devices. |
|---|
| | 137 | These entropy gathering daemons depend on the kernel driver for your hardware, |
|---|
| | 138 | to work properly, be it your sound or video card. These programs will refill |
|---|
| | 139 | the kernel entropy pool as needed. The programs can be used together in |
|---|
| | 140 | combination, including with Gkernel, to maintain a kernel entropy pool which |
|---|
| | 141 | uses several different sources. |
|---|
| | 142 | |
|---|
| | 143 | http://www.vanheusden.com/aed/audio-entropyd-0.0.6.tgz |
|---|
| | 144 | |
|---|
| | 145 | make && |
|---|
| | 146 | install -g 0 -o 0 -m 755 audio-entropyd /usr/sbin/audio-entropyd |
|---|
| | 147 | |
|---|
| | 148 | Edit your /etc/rc.d/init.d/random and start audio-entropyd just after seeding |
|---|
| | 149 | urandom, and stop it just after saving random-seed. Or use the boot script |
|---|
| | 150 | template and make a dedicated boot script. The PID file will be in /var/run. |
|---|
| | 151 | You don't need to reboot to use it, but you do need your sound card driver |
|---|
| | 152 | loaded, and be root. Add something like this: |
|---|
| | 153 | |
|---|
| | 154 | if [ -f /usr/sbin/audio-entropyd ] && [ -c /dev/dsp ]; then |
|---|
| | 155 | echo "Starting audio entropy daemon..." |
|---|
| | 156 | loadproc /usr/sbin/audio-entropyd |
|---|
| | 157 | fi |
|---|
| | 158 | |
|---|
| | 159 | and... |
|---|
| | 160 | |
|---|
| | 161 | echo "Stopping audio entropy daemon..." |
|---|
| | 162 | killproc /usr/sbin/audio-entropyd |
|---|
| | 163 | |
|---|
| | 164 | http://www.vanheusden.com/ved/video_entropyd-0.7.tgz |
|---|
| | 165 | |
|---|
| | 166 | make && |
|---|
| | 167 | install -g 0 -o 0 -m 755 video_entropyd /usr/sbin/video_entropyd |
|---|
| | 168 | |
|---|
| | 169 | Add this to root's crontab every minute or so. It can not run as a daemon |
|---|
| | 170 | because it will lock the video device. Depends on video4linux. Using one or |
|---|
| | 171 | both of these daemons should be adequate for sustained moderate-to-heavy use. |
|---|
| | 172 | |
|---|
| | 173 | Nothing else needs to be done, applications can continue to use /dev/random |
|---|
| | 174 | and /dev/urandom normally. You should notice crypt keys get made faster. |
|---|
| | 175 | |
|---|
| | 176 | Note: I have not personally used video_entropyd. |
|---|
| | 177 | |
|---|
| | 178 | - LavaRnd entropy daemon: |
|---|
| 52 | | Frandom, and erandom, use md5 hashes of seeds taken from the kernel entropy |
|---|
| 53 | | pool. Erandom is seeded from the state of frandom and uses no kernel entropy, |
|---|
| 54 | | but consequently is unsafe for cryptography. Frandom is seeded directly from |
|---|
| 55 | | the kernel entropy pool, but only once per use, and can provide gigabytes of |
|---|
| 56 | | output while only consuming 256 bytes of kernel entropy. To reseed erandom |
|---|
| 57 | | simply use frandom, such as dumping one block from frandom to /dev/null. Sysctl |
|---|
| 58 | | interfaces are available to provide entropy through chroot. Sysctl is a single |
|---|
| 59 | | thread interface, so the devices in /dev are attempted first. Even if the |
|---|
| 60 | | devices in /dev are not available sysctl has performed very well. The frandom, |
|---|
| 61 | | erandom, and sysctl urandom devices and interfaces are available from the |
|---|
| 62 | | pseudo_random kernel patch. |
|---|
| 63 | | |
|---|
| 64 | | - Arc4random: |
|---|
| 65 | | In this implementation the Libc patches for arc4random provide two key |
|---|
| 66 | | functions, arc4random() and arc4randomII(). arc4random() uses urandom and is |
|---|
| 67 | | intended for cryptographic applications, arc4randomII() uses erandom and is |
|---|
| 68 | | intended for non-cryptographic applications. Both of these functions include |
|---|
| 69 | | gettimeofday(2) when initializing, making it impossible to generate the same |
|---|
| 70 | | sequence twice, even if the kernel random generator (urandom) has crashed. |
|---|
| 71 | | The first 256 long words (1024 bytes) are discarded due to a 'known text' |
|---|
| 72 | | weakness in the rc4 cipher. There is a man page provided with the Libc patches. |
|---|
| 73 | | The man page for arc4random(3) provided by OpenBSD assumes arc4random() uses |
|---|
| 74 | | arandom, and it is incorrect for this implementation. The Libc patches also |
|---|
| 75 | | patch mktemp(3) to use arc4randomII(). OpenSSL and OpenSSH can use arc4random() |
|---|
| 76 | | too. OpenSSL needs a patch, OpenSSH will find arc4random() with its configure |
|---|
| 77 | | script. |
|---|
| | 185 | Frandom stands for "fast random". Erandom stands for "economical random". |
|---|
| | 186 | They both use the arcfour algorithm |
|---|
| | 187 | |
|---|
| | 188 | The /dev/frandom device is similar to /dev/urandom except that it only takes |
|---|
| | 189 | one single seed from /dev/random, each time it is opened. As a result it is |
|---|
| | 190 | able to output random data much faster than /dev/urandom because there is |
|---|
| | 191 | no stirring of frandom's pool. This is ideal for wiping discs, or any time you |
|---|
| | 192 | need gigabytes of random data. |
|---|
| | 193 | |
|---|
| | 194 | The /dev/erandom device uses the constantly changing state of frandom's pool, |
|---|
| | 195 | in a read-only mode, for entropy. /dev/erandom consumes no entropy from |
|---|
| | 196 | /dev/random, and is ideal for applications that want to open the device |
|---|
| | 197 | thousands of times, such as Stack Smashing Protector. /dev/erandom is also |
|---|
| | 198 | well suited for any medium security application, and should be used for any |
|---|
| | 199 | non-cryptographic application instead of /dev/urandom. /dev/erandom will |
|---|
| | 200 | eventually output repeating data, but can be reinitialized by using |
|---|
| | 201 | /dev/frandom (dumping one block from /dev/frandom to /dev/null). This is |
|---|
| | 202 | done automatically after each reboot, and should be done once per week. |
|---|
| | 203 | |
|---|
| | 204 | http://www.linuxfromscratch.org/patches/downloads/linux/ |
|---|
| | 205 | linux-2.6.21.1-frandom-1.patch |
|---|
| | 206 | |
|---|
| | 207 | CONFIG_FRANDOM is in "Character Devices" and "UserMode" menus. |
|---|
| | 208 | |
|---|
| | 209 | Add Udev permissions with the following command: |
|---|
| | 210 | echo 'NAME=="erandom", MODE="0444" |
|---|
| | 211 | NAME=="frandom", MODE="0444"' >>/etc/udev/rules.d/25-lfs.rules |
|---|
| | 212 | |
|---|
| | 213 | Add this to your crontab, so /dev/erandom will be reinitialized weekly: |
|---|
| | 214 | 0 0 * * 1 /bin/dd if=/dev/frandom of=/dev/null count=1 >/dev/null 2>&1 |
|---|
| | 215 | |
|---|
| | 216 | Note: The sysctl interfaces are considered obsolete in the latest Linux-2.6 |
|---|
| | 217 | kernels, and may not be supported much longer. As a result the SYSCTL_ERANDOM |
|---|
| | 218 | interface is no longer recommended, but it's there if you want it. |
|---|
| | 219 | |
|---|
| | 220 | - Fortuna kernel driver: |
|---|
| | 221 | http://jlcooke.ca/random |
|---|
| | 222 | http://en.wikipedia.org/wiki/Fortuna_(PRNG) |
|---|
| | 223 | The Fortuna driver is a complete replacement for the Linux random number |
|---|
| | 224 | driver. While the vanilla kernel uses the SHA1 algorithm, the Fortuna driver |
|---|
| | 225 | uses AES and SHA-256, and is capable of producing far more volume of random |
|---|
| | 226 | data from the same entropy, due to using superior algorithms. The Fortuna |
|---|
| | 227 | driver is also able to use any other algorithms supplied by the Linux crypto |
|---|
| | 228 | API. The Fortuna driver includes several other improvements to the vanilla |
|---|
| | 229 | driver. |
|---|
| | 230 | |
|---|
| | 231 | At the time of this writing the patch on the Fortuna home page does not build |
|---|
| | 232 | with linux-2.6.21.1, because of changes to the crypto api. |
|---|
| | 233 | |
|---|
| | 234 | CONFIG_CRYPTO_RANDOM_FORTUNA - This depends on CONFIG_CRYPTO, SHA256, |
|---|
| | 235 | and AES, in the crypto menu. |
|---|
| | 236 | |
|---|
| | 237 | - Arc4random library: |
|---|
| | 238 | The arc4random interfaces were designed by OpenBSD to solve the problem of |
|---|
| | 239 | emptying the kernel entropy pool with non-cryptographic applications. In |
|---|
| | 240 | Linux this is solved with /dev/erandom. The arc4random library function is |
|---|
| | 241 | a companion function. It is designed to never fail. |
|---|
| | 242 | |
|---|
| | 243 | For example, a program can be coded to try to use /dev/urandom for entropy, |
|---|
| | 244 | and use the gettimeofday library function if /dev/urandom fails (like in a |
|---|
| | 245 | chroot). The problem with this is that when the gettimeofday function is |
|---|
| | 246 | being used it is fairly obvious that the output has a sequence, and it tells |
|---|
| | 247 | an attacker that the system time is being used for entropy in this program. |
|---|
| | 248 | The arc4random library function also uses /dev/urandom (or /dev/erandom), |
|---|
| | 249 | and the gettimeofday library function if /dev/urandom fails, except that the |
|---|
| | 250 | entropy is digested by the arcfour algorithm. The result is that even with a |
|---|
| | 251 | one microsecond difference from gettimeofday, arc4random's output will be |
|---|
| | 252 | completely different, and it is impossible for an attacker to know whether |
|---|
| | 253 | the entropy came from /dev/urandom or the system time. Furthermore, even if |
|---|
| | 254 | /dev/urandom (or /dev/erandom), and gettimeofday fail, arc4random will use the |
|---|
| | 255 | uninitialized variables in a large character array (garbage data in memory). |
|---|
| | 256 | |
|---|
| | 257 | Many packages will use the arc4random library function if it is found, such as |
|---|
| | 258 | OpenSSL, OpenSSH, OpenNTPD, and Bind9. |
|---|
| | 259 | |
|---|
| | 260 | The arc4random library function discards the first 256 bytes of the stream to |
|---|
| | 261 | deal with the early key stream weakness, which is described in the paper below. |
|---|
| | 262 | |
|---|
| | 263 | This function is included with uClibc. There is a patch below for Glibc. |
|---|
| 91 | | |
|---|
| 92 | | It's usually 512 bytes. The random poolsize can not be reset on the fly like |
|---|
| 93 | | it used to because an overflow vulnerability was discovered. Read more here: |
|---|
| 94 | | http://www.securityfocus.com/bid/12196/ |
|---|
| 95 | | |
|---|
| 96 | | So if you want to increase the random poolsize you must hard code it in the |
|---|
| 97 | | kernel, and reboot the new kernel. |
|---|
| 98 | | |
|---|
| 99 | | Change to your kernel source directory. |
|---|
| 100 | | |
|---|
| 101 | | Replace 512 with 1024 on the line with DEFAULT_POOL_SIZE: |
|---|
| 102 | | |
|---|
| 103 | | sed -e 's/^\(.*DEFAULT_POOL_SIZE.*\) 512/\1 1024/' -i drivers/char/random.c |
|---|
| 104 | | |
|---|
| 105 | | Increase the SECONDARY_POOL_SIZE: |
|---|
| 106 | | |
|---|
| 107 | | sed -e 's/^\(.*SECONDARY_POOL_SIZE.*\) 128/\1 256/' -i drivers/char/random.c |
|---|
| 108 | | |
|---|
| 109 | | And increase BATCH_ENTROPY_SIZE: |
|---|
| 110 | | |
|---|
| 111 | | sed -e 's/^\(.*BATCH_ENTROPY_SIZE.*\) 256/\1 512/' -i drivers/char/random.c |
|---|
| 112 | | |
|---|
| 113 | | These sed command change this: |
|---|
| 114 | | #define DEFAULT_POOL_SIZE 512 |
|---|
| 115 | | #define SECONDARY_POOL_SIZE 128 |
|---|
| 116 | | #define BATCH_ENTROPY_SIZE 256 |
|---|
| 117 | | |
|---|
| 118 | | to this: |
|---|
| 119 | | #define DEFAULT_POOL_SIZE 1024 |
|---|
| 120 | | #define SECONDARY_POOL_SIZE 256 |
|---|
| 121 | | #define BATCH_ENTROPY_SIZE 512 |
|---|
| 122 | | |
|---|
| 123 | | Then compile and install the kernel normally. |
|---|
| 124 | | |
|---|
| 125 | | --- Installations --- |
|---|
| 126 | | This software is mirrored here: |
|---|
| 127 | | http://blaze.topside.org/~ashes/random/ |
|---|
| 128 | | |
|---|
| 129 | | - Hardware random: |
|---|
| 130 | | http://prdownloads.sourceforge.net/gkernel/rng-tools-2.tar.gz?download |
|---|
| 131 | | |
|---|
| 132 | | This is strait forward: |
|---|
| 133 | | |
|---|
| 134 | | ./configure --prefix=/usr && make && make install |
|---|
| 135 | | |
|---|
| 136 | | uClibc does not have argp, because argp is not defined by any standard and |
|---|
| 137 | | does not belong in a C library (it's Glibc specific). So get the standalone |
|---|
| 138 | | argp library: |
|---|
| 139 | | http://www.lysator.liu.se/~nisse/misc/argp-standalone-1.3.tar.gz |
|---|
| 140 | | |
|---|
| 141 | | For uClibc first unpack argp-standalone, we don't need to install this: |
|---|
| 142 | | |
|---|
| 143 | | cd argp-standalone-1.3 && |
|---|
| 144 | | ./configure --prefix=/usr && make |
|---|
| 145 | | |
|---|
| 146 | | Then unpack rng-tools: |
|---|
| 147 | | |
|---|
| 148 | | cd rng-tools-2 && |
|---|
| 149 | | env LIBS=-largp \ |
|---|
| 150 | | CFLAGS="-O2 -L../argp-standalone-1.3 -I../argp-standalone-1.3" \ |
|---|
| 151 | | ./configure --prefix=/usr && make && make install |
|---|
| 152 | | |
|---|
| 153 | | My system uses /dev/hw_random, rngd expects to use /dev/hwrandom, so you may |
|---|
| 154 | | need to use: |
|---|
| 155 | | |
|---|
| 156 | | rngd -r /dev/hw_random |
|---|
| 157 | | |
|---|
| 158 | | This should be started on boot just like audio-entropyd. |
|---|
| 159 | | |
|---|
| 160 | | - Audio entropy daemon: |
|---|
| 161 | | http://www.vanheusden.com/aed/ |
|---|
| 162 | | http://www.vanheusden.com/aed/audio-entropyd-0.0.6.tgz |
|---|
| 163 | | |
|---|
| 164 | | make && |
|---|
| 165 | | install -g 0 -o 0 -m 755 audio-entropyd /usr/sbin/audio-entropyd |
|---|
| 166 | | |
|---|
| 167 | | Edit your /etc/rc.d/init.d/random and start audio-entropyd just after seeding |
|---|
| 168 | | urandom, and stop it just after saving random-seed. Or use the bootscript |
|---|
| 169 | | template and make a dedicated bootscript. The PID file will be in /var/run. |
|---|
| 170 | | You don't need to reboot to use it, but you do need your sound card driver |
|---|
| 171 | | loaded, and be root. Add something like this: |
|---|
| 172 | | |
|---|
| 173 | | if [ -f /usr/sbin/audio-entropyd ] && [ -c /dev/dsp ]; then |
|---|
| 174 | | echo "Starting audio entropy daemon..." |
|---|
| 175 | | loadproc /usr/sbin/audio-entropyd |
|---|
| 176 | | fi |
|---|
| 177 | | |
|---|
| 178 | | and... |
|---|
| 179 | | |
|---|
| 180 | | echo "Stopping audio entropy daemon..." |
|---|
| 181 | | killproc /usr/sbin/audio-entropyd |
|---|
| 182 | | |
|---|
| 183 | | - Video entropy daemon: |
|---|
| 184 | | http://www.vanheusden.com/ved/ |
|---|
| 185 | | http://www.vanheusden.com/ved/video_entropyd-0.7.tgz |
|---|
| 186 | | |
|---|
| 187 | | make && |
|---|
| 188 | | install -g 0 -o 0 -m 755 video_entropyd /usr/sbin/video_entropyd |
|---|
| 189 | | |
|---|
| 190 | | Add this to root's crontab every minute or so. It can not run as a daemon |
|---|
| 191 | | because it will lock the video device. Depends on video4linux. Using one or |
|---|
| 192 | | both of these daemons should be adequate for sustained moderate-to-heavy use. |
|---|
| 193 | | |
|---|
| 194 | | Nothing else needs to be done, applications can continue to use /dev/random |
|---|
| 195 | | and /dev/urandom normally. You should notice crypto keys get made faster. |
|---|
| 196 | | |
|---|
| 197 | | - Pseudo random and arc4random: |
|---|
| 198 | | Sorry, this has not been backported to older versions yet. |
|---|
| 199 | | |
|---|
| 200 | | http://www.linuxfromscratch.org/patches/downloads/linux/\ |
|---|
| 201 | | linux-2.6.10-pseudo_random-1.patch |
|---|
| 202 | | http://www.linuxfromscratch.org/patches/downloads/linux/\ |
|---|
| 203 | | linux-libc-headers-2.6.10.0-pseudo_random-1.patch |
|---|
| 204 | | http://www.linuxfromscratch.org/patches/downloads/linux/\ |
|---|
| 205 | | glibc-2.3.4-arc4random-1.patch |
|---|
| 206 | | http://www.linuxfromscratch.org/patches/downloads/openssl/\ |
|---|
| 207 | | openssl-0.9.7f-arc4random-1.patch |
|---|
| 208 | | |
|---|
| 209 | | You can install this as an upgrade or new LFS installation. |
|---|
| 210 | | |
|---|
| 211 | | cd linux-libc-headers-2.6.10.0 && |
|---|
| 212 | | patch -Np1 -i ../linux-libc-headers-2.6.10.0-pseudo_random-1.patch |
|---|
| 213 | | ... |
|---|
| 214 | | |
|---|
| 215 | | cd glibc-2.3.4 && |
|---|
| 216 | | patch -Np1 -i ../glibc-2.3.4-arc4random-1.patch |
|---|
| 217 | | ... |
|---|
| 218 | | |
|---|
| 219 | | Repeat for chapter 6, except add this after Glibc's 'make install'. |
|---|
| 220 | | |
|---|
| 221 | | install -m644 ../glibc-2.3.4/manual/arc4random.3 /usr/share/man/man3 |
|---|
| 222 | | |
|---|
| 223 | | This patch adds two menu options, one for sysctl urandom, another for frandom |
|---|
| 224 | | character device. They are enabled by default. Frandom must not be a module |
|---|
| 225 | | otherwise sysctl will be unable to work. |
|---|
| 226 | | |
|---|
| 227 | | cd linux-2.6.10 && |
|---|
| 228 | | patch -Np1 -i ../linux-2.6.10-pseudo_random-1.patch |
|---|
| 229 | | ... |
|---|
| 230 | | echo "erandom:root:root:0444 |
|---|
| 231 | | frandom:root:root:0444 |
|---|
| 232 | | " >> /etc/udev/permissions.d/25-lfs.permissions |
|---|
| 233 | | |
|---|
| 234 | | Then complete LFS installation if necessary and reboot. |
|---|
| 235 | | |
|---|
| 236 | | Add something like this to root's crontab to reseed frandom/erandom every |
|---|
| 237 | | Monday: |
|---|
| 238 | | |
|---|
| 239 | | 0 0 * * 1 /bin/dd if=/dev/frandom of=/dev/null count=1 >/dev/null 2>&1 |
|---|
| 240 | | |
|---|
| 241 | | - Testing entropy |
|---|
| | 299 | or |
|---|
| | 300 | sysctl kernel.random.poolsize |
|---|
| | 301 | |
|---|
| | 302 | This was recently increased from 512 bytes to 4096 bytes. This /proc file, and |
|---|
| | 303 | sysctl, is read-only, and can not be changed without hard coding it in the |
|---|
| | 304 | kernel. |
|---|
| | 305 | |
|---|
| | 306 | If you want to increase this then I suggest you use the Grsecurity kernel patch |
|---|
| | 307 | at: http://www.grsecurity.net/ |
|---|
| | 308 | |
|---|
| | 309 | And enable the "Larger entropy pools" option to double the size: |
|---|
| | 310 | CONFIG_GRKERNSEC_RANDNET |
|---|
| | 311 | |
|---|
| | 312 | - OpenSSL modifications: |
|---|
| | 313 | OpenSSL command line tools will try to use the $RANDFILE, $HOME/.rnd, or |
|---|
| | 314 | $(pwd)/.rnd file to initially seed its random number generator. If none are |
|---|
| | 315 | found then the "PRNG not seeded" error message may occur. We can build OpenSSL |
|---|
| | 316 | with a contingency plan, to use /dev/urandom, instead of causing an error. |
|---|
| | 317 | |
|---|
| | 318 | Do this with the following command in the OpenSSL source: |
|---|
| | 319 | |
|---|
| | 320 | sed -e 's/__OpenBSD__/__linux__/' \ |
|---|
| | 321 | -e 's/arandom/urandom/' -i crypto/rand/randfile.c |
|---|
| | 322 | |
|---|
| | 323 | - Testing entropy quantity |
|---|
