Limits to seeding /dev/random | random(4)

Conrad Meyer cem at freebsd.org
Thu Jul 12 18:48:29 UTC 2018 

On Thu, Jul 12, 2018 at 10:42 AM, Dirk-Willem van Gulik
<dirkx at webweaving.org> wrote:
> Is there any point - much later post boot, in a non-network, read-only situation with essentially just 3 or 4 user processes running with no IO or interaction - to send some entropy (withewashed (or raw with random_harvest_queue()) to wards the PRNG ?
>
> Or is that pointless from thereon.

It isn't needed, but it doesn't hurt either (barring elevated CPU use
from excessive feeding).

> On 12 Jul 2018, at 19:32, Conrad Meyer <cem at freebsd.org> wrote:
>> /dev/u?random never produces unseeded results.  If it is not seeded,
>> reads will just block indefinitely, until it is seeded.
>
> As we’ve found out the hard way (although we are not sure it is indefinitely).

It is indefinite, until seeding.  Maybe signals can interrupt the
wait, but you should be checking the return value of read(2) of
/dev/random.

>> To seed the device without a writable filesystem, write 1kB+ of
>> whitened random from your device into /dev/random early in boot, and
>> you will be good to go.  You can do the ongoing trickle after that if
>> you want, but it is not necessary.  On FreeBSD 12-CURRENT, you can
>> verify /dev/random is seeded when getrandom(..., GRND_NONBLOCK) no
>> longer returns -1 with EAGAIN errno.  If you need to use a FreeBSD
>> prior to 12, you'll know random is seeded when reads no longer block.
>
> Thanks for that. Unfortunately we’re in a read-only situation. And we’ve had CI testing yield identical results a few times now.

Identical results are very troubling.  Maybe your readonly filesystems
contain a static "entropy" file that is being fed in every boot (with
identical contents)?  If so, you definitely want to remove that during
image generation.  That, in tandem with few other sources of entropy,
could explain identical results.

Another thing I would suggest is taking samples directly from your
random device and running them through
https://github.com/usnistgov/SP800-90B_EntropyAssessment to sanity
check their randomness.  W. Dean Freeman did some great work
evaluating random sources in FreeBSD within the last couple years; you
can check out his work here:
https://github.com/badfilemagic/fbsd-entropy

Best,
Conrad

More information about the freebsd-hackers mailing list