
Sharing entropy with the Entropy Key on Gentoo Hardened

2010-10-20


A couple of weeks ago I bought an Entropy Key. Compared to some of the other hardware Random Number Generators it's pretty cheap at 52.49€ including postage to .dk. Thanks to flameeyes it was just a matter of emerge -v app-crypt/ekeyd to get started.

Naturally I chose to use the userland version with udev, but to no avail. Strangely, the serial number of my Entropy Key had a slash in it, which produced some odd errors with paths and the like. I'm wondering why they don't filter out serial numbers with slashes.

After messing around with it a bit I surrendered and joined #ekey on oftc. In less than 30 minutes I had support and was advised to use the kernel version. After compiling a new kernel with CONFIG_USB_ACM and a few minutes of configuration, my KVM host had plenty of new entropy.

Let's see how good the entropy is:

cat /dev/random | rngtest -c 100

rngtest: starting FIPS tests...
rngtest: bits received from input: 2000032
rngtest: FIPS 140-2 successes: 100
rngtest: FIPS 140-2 failures: 0
rngtest: FIPS 140-2(2001-10-10) Monobit: 0
rngtest: FIPS 140-2(2001-10-10) Poker: 0
rngtest: FIPS 140-2(2001-10-10) Runs: 0
rngtest: FIPS 140-2(2001-10-10) Long run: 0
rngtest: FIPS 140-2(2001-10-10) Continuous run: 0
rngtest: input channel speed: (min=55.017; avg=78.882; max=88.778)Kibits/s
rngtest: FIPS tests speed: (min=0.000; avg=inf; max=0.000)bits/s
rngtest: Program run time: 24773206 microseconds

This all seems fine. For further details see this post.
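To make the rngtest output above easier to read, here is an added example (not part of the original post and not rng-tools code) that re-implements the checks rngtest reports: the four FIPS 140-2 per-block tests (Monobit, Poker, Runs, Long run) with the 2001-10-10 change-notice thresholds, plus a Continuous run check. The thresholds are the published FIPS 140-2 values; comparing the first 32 bits of consecutive blocks for the continuous-run check is my assumption about how rngtest does it, and the function names are my own.

```python
"""FIPS 140-2 block tests as reported by rngtest (added example, not rng-tools code)."""
import os
from collections import Counter

BLOCK_BITS = 20000            # every FIPS 140-2 test works on one 20000-bit block
BLOCK_BYTES = BLOCK_BITS // 8

# Runs test: allowed number of runs of each length, separately for 0-runs and 1-runs
RUN_BOUNDS = {1: (2315, 2685), 2: (1114, 1386), 3: (527, 723),
              4: (240, 384), 5: (103, 209), 6: (103, 209)}   # 6 means "6 or longer"
LONG_RUN = 26                 # a run this long or longer fails the long-run test


def to_bits(block: bytes) -> str:
    """Big-endian bit string of the block, e.g. b'\\x80' -> '10000000'."""
    return ''.join(f'{b:08b}' for b in block)


def monobit(bits: str) -> bool:
    """Number of ones must be close to half the block."""
    return 9725 < bits.count('1') < 10275


def poker(block: bytes) -> bool:
    """Chi-square style test on the 5000 four-bit values in the block."""
    nibbles = Counter()
    for b in block:
        nibbles[b >> 4] += 1
        nibbles[b & 0x0F] += 1
    x = (16 / 5000) * sum(n * n for n in nibbles.values()) - 5000
    return 2.16 < x < 46.17


def run_lengths(bits: str):
    """Yield (bit_value, length) for every maximal run of equal bits."""
    i = 0
    while i < len(bits):
        j = i
        while j < len(bits) and bits[j] == bits[i]:
            j += 1
        yield bits[i], j - i
        i = j


def runs_and_long_run(bits: str):
    """Return (runs test passed, long-run test passed)."""
    counts = {'0': Counter(), '1': Counter()}
    longest = 0
    for value, length in run_lengths(bits):
        counts[value][min(length, 6)] += 1
        longest = max(longest, length)
    runs_ok = all(lo <= counts[v][k] <= hi
                  for v in '01' for k, (lo, hi) in RUN_BOUNDS.items())
    return runs_ok, longest < LONG_RUN


def fips_140_2(block: bytes, previous=None) -> dict:
    """Run every test on one block; True means the test passed."""
    if len(block) != BLOCK_BYTES:
        raise ValueError(f'need exactly {BLOCK_BYTES} bytes, got {len(block)}')
    bits = to_bits(block)
    runs_ok, long_run_ok = runs_and_long_run(bits)
    return {
        'Monobit': monobit(bits),
        'Poker': poker(block),
        'Runs': runs_ok,
        'Long run': long_run_ok,
        # Continuous run: a block must not repeat the previous one (first 32 bits compared)
        'Continuous run': previous is None or block[:4] != previous[:4],
    }


def rngtest(read_block, blocks: int) -> dict:
    """Mimic `rngtest -c N`: whole-block successes/failures and per-test failure counts."""
    summary = Counter()
    previous = None
    for _ in range(blocks):
        block = read_block()
        results = fips_140_2(block, previous)
        summary['successes' if all(results.values()) else 'failures'] += 1
        for name, ok in results.items():
            if not ok:
                summary[name] += 1
        previous = block
    return dict(summary)


if __name__ == '__main__':
    # stand-in for `cat /dev/random | rngtest -c 100`, reading the kernel CSPRNG instead
    print(rngtest(lambda: os.urandom(BLOCK_BYTES), 100))
```

Running the `__main__` block against os.urandom gives 100 (or very nearly 100) successes, which is the point Mikael makes in the comments: these tests only catch gross statistical defects such as stuck bits or a dead source, so passing them says nothing about whether the bits are unpredictable. A seeded software PRNG passes just as easily. They are a health check on a hardware source, not a proof of its quality.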

Trying the same on a guest without the help of the Entropy Key is just too slow for my patience.

However, the objective of the whole exercise was to provide entropy for the KVM guests, not the KVM host. VIRTIO_RNG is supposed to do this, but it's currently not supported by the KVM versions in Portage.

To solve this problem the Entropy Key ships the egd-linux daemon to share entropy among hosts; however, the current ekey ebuild does not install the egd-linux binary.
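To show what sharing entropy between hosts looks like on the wire, here is an added example (my own code, not part of the ekeyd project) of the EGD exchange that an egd-linux-style client has with an entropy server: the client asks how much entropy the server holds, pulls blocks, and packs them into the structure the Linux RNDADDENTROPY ioctl takes. The command bytes follow the classic egd.pl protocol; `os.urandom` stands in for the Entropy Key as the server's source; the class names, `share_entropy`, and the ioctl number (the x86/ARM Linux value) are my assumptions.

```python
"""EGD exchange: an entropy server plus an egd-linux-style client (added example).
os.urandom stands in for the Entropy Key; command bytes follow the classic egd.pl
protocol; RNDADDENTROPY is the x86/ARM Linux value (assumed for other arches)."""
import os
import socket
import struct
import threading

GET_ENTROPY_COUNT = 0x00   # reply: 4-byte big-endian count of available bits
READ_NONBLOCKING = 0x01    # arg: 1-byte n; reply: 1-byte count, then count bytes
READ_BLOCKING = 0x02       # arg: 1-byte n; reply: exactly n bytes
WRITE_ENTROPY = 0x03       # arg: 2-byte entropy estimate, 1-byte count, the bytes
RNDADDENTROPY = 0x40085203  # _IOW('R', 0x03, int[2]); what egd-linux feeds the kernel with

def recv_exact(sock, n):
    """EGD has no framing beyond the announced lengths, so read exactly n bytes."""
    buf = b''
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError('peer closed')
        buf += chunk
    return buf

class EgdServer:
    """Loopback server; pool_bits is the entropy it believes it still holds."""
    def __init__(self, source=os.urandom, pool_bits=4096):
        self.source, self.pool_bits = source, pool_bits
        self.sock = socket.socket()
        self.sock.bind(('127.0.0.1', 0))
        self.sock.listen(1)
        self.port = self.sock.getsockname()[1]

    def handle(self, conn):
        with conn:
            while True:
                try:
                    cmd = recv_exact(conn, 1)[0]
                except ConnectionError:
                    return
                if cmd == GET_ENTROPY_COUNT:
                    conn.sendall(struct.pack('>I', self.pool_bits))
                elif cmd in (READ_NONBLOCKING, READ_BLOCKING):
                    n = recv_exact(conn, 1)[0]
                    if cmd == READ_NONBLOCKING:       # never wait: give what is there
                        n = min(n, self.pool_bits // 8)
                    data = self.source(n)
                    self.pool_bits = max(0, self.pool_bits - 8 * n)
                    prefix = bytes([len(data)]) if cmd == READ_NONBLOCKING else b''
                    conn.sendall(prefix + data)
                elif cmd == WRITE_ENTROPY:            # accept the peer's estimate
                    bits, count = struct.unpack('>HB', recv_exact(conn, 3))
                    recv_exact(conn, count)
                    self.pool_bits += bits
                else:                                 # unknown command: drop client
                    return

    def serve_one(self):
        conn, _ = self.sock.accept()
        self.handle(conn)
        self.sock.close()

class EgdClient:
    """The egd-linux side: asks the pool level, then pulls blocks."""
    def __init__(self, host, port):
        self.sock = socket.create_connection((host, port))

    def entropy_count(self):
        self.sock.sendall(bytes([GET_ENTROPY_COUNT]))
        return struct.unpack('>I', recv_exact(self.sock, 4))[0]

    def read(self, n, blocking=True):
        if not 1 <= n <= 255:
            raise ValueError('EGD requests carry a one-byte length')
        self.sock.sendall(bytes([READ_BLOCKING if blocking else READ_NONBLOCKING, n]))
        if blocking:
            return recv_exact(self.sock, n)
        return recv_exact(self.sock, recv_exact(self.sock, 1)[0])

def rand_pool_info(data, entropy_bits):
    """struct rand_pool_info {int entropy_count; int buf_size; __u32 buf[];} for
    fcntl.ioctl(fd, RNDADDENTROPY, ...) on /dev/random (root only, not run here)."""
    return struct.pack('ii', entropy_bits, len(data)) + data

def share_entropy(blocks=4, block_size=64, pool_bits=4096, blocking=True):
    """One exchange over loopback: (bits before, bits after, bytes pulled)."""
    server = EgdServer(pool_bits=pool_bits)
    worker = threading.Thread(target=server.serve_one, daemon=True)
    worker.start()
    client = EgdClient('127.0.0.1', server.port)
    before = client.entropy_count()
    pulled = b''.join(client.read(block_size, blocking) for _ in range(blocks))
    after = client.entropy_count()
    client.sock.close()
    worker.join()
    return before, after, pulled

if __name__ == '__main__':
    before, after, pulled = share_entropy()
    print(f'pool {before} -> {after} bits, pulled {len(pulled)} bytes '
          f'({len(rand_pool_info(pulled, 8 * len(pulled)))} bytes for the ioctl)')
```

Two things worth noticing from the exchange: the protocol carries the entropy bytes in the clear, so whoever can read the link between the KVM host and its guests sees exactly what is being mixed into the guest's pool, which is why this belongs on a trusted (host-internal) network; and the entropy estimate credited with RNDADDENTROPY is whatever the feeding daemon claims, so the guest's `/dev/random` is only as good as the host's source and that claim.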

One of the great things about Gentoo is how easily you can add your own ebuilds, at least for simple stuff like this.

Update: Since Saturday the ebuild has been in the tree, thanks to flameeyes!

So all you have to do is unmask and emerge app-crypt/ekey-egd-linux.

Have fun!

This entry was posted by jaervosz @ 22:01:00 (8020 views) and is filed under: General, Gentoo Tips, Gentoo, Universe/English, Opensource, Hardened. Tags: ebuild, egd, entropy, gentoo, hardened, kvm


6 comments

Comment from: Anton [Visitor]
Since I'm not a gentoo dev, I learned to open bug reports instead.
2010-10-20 @ 22:48
Comment from: Rob Kendrick [Visitor]
Disclaimer: I work for the manufacturer.

Couple of things; using udev shouldn't mean you should automatically use the userland driver. If your kernel has ACM support (it costs you a few kilobytes), then it can use the kernel driver, and this is much more efficient. The userland driver is provided only for older kernels which have buggy ACM support.

Secondly, modern versions of the Entropy Key software support slashes in their serial numbers (although older udevs handle this wrongly.) Unfortunately, we do not control the serial numbers; they are embedded into the CPU that is inside each Entropy Key.

Thirdly, Lua is not an acronym, and as such shouldn't be written in all-caps :)

Hope you're enjoying your new toy!
2010-10-21 @ 02:20
Comment from: jaervosz [Member] Email
Yes, both versions use udev, I just added a small note above. Somehow I missed that you should try the kernel version first, might have been on the driver CD I never used.

As for the slashes everything seems to be working, it was just odd and initially I suspected that was the cause of my problems.

Thirdly, LUA was copied from flameeyes' ebuild :)
2010-10-21 @ 07:26
Comment from: Jeremy Olexa [Visitor]
"Note: since I'm not an ebuild maintainer I just posted it here."

*cough* bugs.gentoo.org *cough* =D
2010-10-21 @ 18:31
Comment from: jaervosz [Member] Email
Since everybody is asking so politely see bug #342079.
2010-10-21 @ 23:36
Comment from: Mikael [Visitor]
Just tried running rngtest on /dev/urandom and it showed 100% success most of the time. Even running with -c 10000 only gave 6 failures, so you might want to run a bit longer test than -c 100.
2010-10-22 @ 14:41
