
install jitterentropy by default
Open, NormalPublic

Description

Summary: jitterentropy is an RNG designed in the spirit of haveged (using CPU timer jitter as an entropy source), except it is made up of a kernel module, mainlined since Linux 4.2, and a userspace daemon (jitterentropy-rngd*) to prevent /dev/random from blocking. The advantage of jitterentropy is that, by taking advantage of a loaded kernel module, it can ensure randomness is being collected before the CSPRNG is initialized. So, when CSPRNG initialization happens, we can ensure that it is properly seeded on first boot, minimizing the likelihood that exact keys will be created on distinct systems. This is something haveged can't provide, as it runs entirely in userspace.

*jitterentropy-rngd is now included in Debian sid so we should look out for its eventual inclusion in stable next.

http://www.chronox.de/jent.html
http://www.chronox.de/jent/doc/CPU-Jitter-NPTRNG.pdf
https://pthree.org/2016/05/24/cpu-jitter-entropy-for-the-linux-kernel/
https://packages.debian.org/sid/jitterentropy-rngd

It would be a good alternative to haveged, especially for hypervisors that don't support virtio-RNG and so don't have access to entropy sources early in the boot process.
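Added illustration of the timer-jitter principle the description relies on (example code, not from the task or from the jitterentropy project): it harvests the deltas between successive high-resolution clock reads and estimates Shannon and min-entropy per sample. The function names and the use of time.perf_counter_ns() as the clock are assumptions of this example.

```python
# Added illustration (not the task's or jitterentropy's own code): harvest
# timer jitter the way jitterentropy does in principle and estimate its yield.
# Assumption: time.perf_counter_ns() is the high-resolution clock available.
import math
import time
from collections import Counter


def collect_jitter_deltas(n=4096):
    """Return n deltas (ns) between successive clock reads.

    Each iteration does a little memory work between reads so the time it
    takes varies with cache state, pipeline state and interrupts; that
    variation (not the clock value itself) is the entropy source.
    """
    scratch = bytearray(4096)
    deltas = []
    prev = time.perf_counter_ns()
    for i in range(n):
        scratch[(i * 64) % len(scratch)] ^= 0xFF  # touch a different cache line
        now = time.perf_counter_ns()
        deltas.append(now - prev)
        prev = now
    return deltas


def shannon_entropy_bits(samples):
    """Shannon entropy of the sample distribution, in bits per sample."""
    counts = Counter(samples)
    total = len(samples)
    return -sum((c / total) * math.log2(c / total) for c in counts.values())


def min_entropy_bits(samples):
    """Min-entropy (-log2 of the most likely value): the conservative figure
    a seed-quality claim should rest on (the SP 800-90B view)."""
    counts = Counter(samples)
    return -math.log2(max(counts.values()) / len(samples))


def jitter_report(n=4096):
    """Measure jitter once and return (shannon_bits, min_entropy_bits)."""
    deltas = collect_jitter_deltas(n)
    return shannon_entropy_bits(deltas), min_entropy_bits(deltas)


if __name__ == "__main__":
    h, hmin = jitter_report()
    # Min-entropy near 0 means the clock is too coarse to harvest jitter here;
    # the real jitterentropy code rejects such a timer in its startup self-test
    # rather than feeding /dev/random with it.
    print(f"Shannon {h:.2f} bits/sample, min-entropy {hmin:.2f} bits/sample")
```

Judge what may be credited to /dev/random on the min-entropy figure, not the Shannon one; a min-entropy near zero means the timer on that machine is too coarse to harvest jitter.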

Details

Impact
Normal

Event Timeline

HulaHoop created this task. Jul 31 2018, 4:22 AM
HulaHoop triaged this task as Normal priority.
Patrick renamed this task from jitterentropy to install jitterentropy by default. Jul 31 2018, 6:38 AM
Patrick updated the task description.