[Openswan dev] Support for hardware random number generators

David McCullough David_Mccullough at securecomputing.com
Wed Nov 19 19:56:19 EST 2008

Jivin Paul Wouters lays it down ...
> On Wed, 19 Nov 2008, Vrabete, Brad wrote:
> > That's exactly what I'm running now  but I'm concerned about performance:
> > rngd is running in the user space and all these user space to kernel (and
> > back) transfers are using processor time.  I was trying to find a way to use
> > a proper HW RNG (no streams of 0, FIPS compliant) without having to use
> > rngd.
> You'd have to move FIPS compliance into the kernel. And Linus does not want
> policy into the kernel....

Fair call,  OCF has a "pseudo fips" test on all RNG data it pushes into
the kernel.

It's not just Linus either, the general consensus from most kernel
people on the topic is that your HW RNG data should be pushed to user
space and back.  So happens I don't agree, especially on small embedded
systems ;-)

> > I know OCF adds that but the OCF function does not get called on a
> > system with a HD, due to the way Linux's entropy pool is filled (on every
> > disk access and/or interrupt). Any suggestions? 
> Perhaps OCF could get a hook to do this? David?

I don't believe that is the case any more.  Current OCF versions put
directly into the entropy pool from the HW and keep the pool full.
Unfortunately you need kernel patches to do this.

> > Are you using get_random_bytes in Openswan?  
> That is used at various places, yes. (KLIPS, not sure about NETKEY, I don't
> think it does)

The OCF stuff fills the standard pools,  so in kernel and userspace will


David McCullough,  david_mccullough at securecomputing.com,   Ph:+61 734352815
Secure Computing - SnapGear  http://www.uCdot.org   http://www.snapgear.com

More information about the Dev mailing list