urandom vs haveged

Paul Wouters pwouters at redhat.com
Fri Mar 30 22:06:02 UTC 2012


On Fri, 30 Mar 2012, Steve Grubb wrote:

> Something else I'd like to mention is that during system installation there is
> very little system entropy. There is no saved seed to prime the generators with.
> (LiveCDs have the same problem.) I have a feeling that the randomness of the
> numbers is not what you would expect.

Exactly. This is why daemons generating keys (opensshd, sendmail, openswan)
generate their keys on "first start" and not on "install".

> entropy. But if you don't have a mouse and are doing a text or kickstart
> install, you need to find a way to get keystrokes involved. If you can think of a
> key that has no effect on any questions in the install, hit it a bunch of times.
> If you have a kickstart, put something in the script requiring typing a bunch of
> keystrokes and throw them away.

Or if it is a net install, you can try and ping (-f) the machine for a
little while and see if the network card or interrupts give you
entropy. Though that does not seem to be the case for virtual network adaptors.

It's sad that even old cheap VIA CPUs have such a strong random device,
that's fully supported with Linux, but that Intel and AMD still haven't
caught up yet. My 3 week old Intel CPU still seems to be lacking support
for anything (like intel-rng.ko). A few years ago, I had a server that
supported the intel-rng driver, and rngd kept dropping zeroes and
logging warnings. I've never ever gotten a single warning from a VIA
CPU.

Paul
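
The "first start, not install" pattern from this message, as an added example that is not part of the original post or any daemon's own init script: a key is generated only if none exists yet, and only once the kernel's entropy estimate has reached a minimum. The function names, the ENTROPY_FILE override and the threshold and retry values are assumptions for illustration; the generator command is whatever the service uses and is expected to write the key to stdout.

```shell
#!/bin/sh
# Added example (hypothetical helper names): first-start key generation
# gated on the kernel's entropy estimate.

# Linux entropy estimate in bits; overridable so the logic can be tested.
ENTROPY_FILE="${ENTROPY_FILE:-/proc/sys/kernel/random/entropy_avail}"

# entropy_bits: print the current estimate, or 0 if missing or not a number.
entropy_bits() {
    bits=$(cat "$ENTROPY_FILE" 2>/dev/null) || bits=0
    case "$bits" in ''|*[!0-9]*) bits=0 ;; esac
    echo "$bits"
}

# wait_for_entropy MIN TRIES: poll once per second, at most TRIES times.
# Returns 0 as soon as the estimate is >= MIN, 1 if it never gets there.
wait_for_entropy() {
    min=$1; tries=$2
    while [ "$tries" -gt 0 ]; do
        [ "$(entropy_bits)" -ge "$min" ] && return 0
        tries=$((tries - 1))
        [ "$tries" -gt 0 ] && sleep 1
    done
    return 1
}

# ensure_key KEYFILE MIN TRIES GENCMD...
#   0: key present (already existed, or was just generated)
#   1: generator failed
#   2: entropy estimate stayed below MIN, nothing was generated
ensure_key() {
    keyfile=$1; min=$2; tries=$3; shift 3
    [ -s "$keyfile" ] && return 0      # not the first start: keep the key
    wait_for_entropy "$min" "$tries" || return 2
    # Write with a restrictive umask to a temp file, then rename, so a
    # failed or interrupted run never leaves a partial key in place.
    ( umask 077; "$@" > "$keyfile.tmp" ) || { rm -f "$keyfile.tmp"; return 1; }
    mv "$keyfile.tmp" "$keyfile"
}
```

Return code 2 lets the start script refuse to start or log and retry instead of silently creating a key from a starved pool. Kernels from 5.18 on report at most 256 in entropy_avail, so MIN should not exceed that there.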


