posted by Fnord666 on Friday December 21 2018, @06:19PM
from the chaos-monkey dept.

Recent upgrades to software that depends on the Linux getrandom() syscall can cause OpenSSH to delay starting for tens of minutes while it waits for the kernel to consider its random pool initialised. There are currently no feasible work-arounds.

systemd makes this behaviour worse; see systemd issues #4271, #4513 and #10621.
Basically, as of now the seed saved in /var/lib/systemd/random-seed will not - drumroll - add entropy to the random pool when it is played back during boot. Actually it will: the bytes are mixed in, they are just not accounted for, because the seed is written to /dev/urandom rather than credited with the RNDADDENTROPY ioctl. So the kernel does not know, and getrandom() keeps blocking. Under SysVinit, /var/lib/urandom/random-seed (which you still find lying around on updated systems) was replayed in the same uncredited way, but back then programs read /dev/urandom, which never blocks, so the seed was enough for the system to keep working once enough of it had booted.
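As an added illustration (not part of the original story and not systemd's own code), the following Python script shows the two ways a saved seed can be played back on Linux: a plain write to /dev/urandom, which mixes the bytes in without crediting any entropy, and the RNDADDENTROPY ioctl, which credits them. It also probes with GRND_NONBLOCK whether getrandom() would block right now. The ioctl number 0x40085203 assumes the generic Linux ioctl encoding (x86, arm64); crediting needs CAP_SYS_ADMIN, so as an unprivileged user the script reports EPERM. All helper names are invented for this example.

```python
"""Added example: replaying a saved random seed with and without crediting it.

Not systemd's code. Assumes Linux with Python >= 3.6 (os.getrandom) and the
generic ioctl number encoding used on x86 and arm64. Helper names are
invented for this illustration.
"""
import fcntl
import os
import struct

# From include/uapi/linux/random.h: RNDADDENTROPY = _IOW('R', 0x03, int[2]).
# Encoded on x86/arm64 as 0x40085203 (assumption: generic ioctl encoding).
RNDADDENTROPY = 0x40085203
# Kernel struct rand_pool_info { int entropy_count; int buf_size; __u32 buf[]; }
_POOL_HDR = struct.Struct("ii")


def pack_rand_pool_info(seed: bytes, credit_bits: int) -> bytes:
    """Serialise a seed into the struct rand_pool_info that RNDADDENTROPY expects.

    buf_size is in bytes; the kernel copies whole 32-bit words, so the seed is
    zero-padded to a multiple of 4. You may credit fewer bits than the seed
    contains (e.g. when the seed file might have been observed), never more.
    """
    if not 0 <= credit_bits <= len(seed) * 8:
        raise ValueError("entropy credit must be between 0 and 8*len(seed) bits")
    buf = seed + b"\0" * ((-len(seed)) % 4)
    return _POOL_HDR.pack(credit_bits, len(buf)) + buf


def unpack_rand_pool_info(blob: bytes):
    """Inverse of pack_rand_pool_info: returns (credit_bits, buf)."""
    credit_bits, buf_size = _POOL_HDR.unpack_from(blob)
    buf = blob[_POOL_HDR.size:_POOL_HDR.size + buf_size]
    if len(buf) != buf_size or buf_size % 4:
        raise ValueError("truncated or misaligned rand_pool_info")
    return credit_bits, buf


def crng_ready():
    """True if getrandom() would return now, False if it would block, None if unsupported."""
    if not hasattr(os, "getrandom"):
        return None
    try:
        os.getrandom(1, os.GRND_NONBLOCK)
        return True
    except BlockingIOError:        # EAGAIN: the CRNG is not yet initialised
        return False


def entropy_avail():
    """What the kernel credits itself with, in bits (None off Linux)."""
    try:
        with open("/proc/sys/kernel/random/entropy_avail") as f:
            return int(f.read())
    except (OSError, ValueError):
        return None


def replay_seed_uncredited(seed: bytes) -> int:
    """The 2018 systemd-random-seed behaviour: mix the seed in, credit nothing.

    Returns the number of bytes written. entropy_avail() does not rise and a
    blocking getrandom() stays blocked, because a plain write to /dev/urandom
    cannot prove to the kernel that the data was unpredictable.
    """
    with open("/dev/urandom", "wb", buffering=0) as f:
        return f.write(seed)


def replay_seed_credited(seed: bytes, credit_bits: int) -> int:
    """Mix the seed in AND credit it via RNDADDENTROPY (needs CAP_SYS_ADMIN).

    Returns 0 on success or the errno (EPERM when unprivileged). fcntl.ioctl
    copies an immutable bytes argument into a 1024-byte buffer, so keep the
    seed at 1016 bytes or less (systemd's seed file is 512 bytes).
    """
    payload = pack_rand_pool_info(seed, credit_bits)
    if len(payload) > 1024:
        raise ValueError("payload too large for fcntl.ioctl's bytes buffer")
    try:
        with open("/dev/random", "wb", buffering=0) as f:
            fcntl.ioctl(f, RNDADDENTROPY, payload)
        return 0
    except OSError as e:
        return e.errno


if __name__ == "__main__":
    # Constructed seed: in real life this is the content of the random-seed file.
    seed = os.urandom(64)
    print("crng_ready:", crng_ready(), " entropy_avail:", entropy_avail())
    replay_seed_uncredited(seed)
    print("after uncredited replay, entropy_avail:", entropy_avail())
    rc = replay_seed_credited(seed, len(seed) * 8)
    print("credited replay:", "ok" if rc == 0 else os.strerror(rc),
          " entropy_avail:", entropy_avail())
```

Run it as root on a freshly booted VM without a virtio-rng device to watch entropy_avail stay flat after the uncredited replay and jump after the credited one; note that crediting a seed that an attacker could have read (a cloned disk image, a world-readable seed file) is exactly the case where crediting is wrong, which is why distributions were cautious about turning it on.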

#4167 is a re-opened discussion about systemd consuming randomness early at boot (seeding hashmaps in PID 1...). Some Debian folks take part in the recent discussion, and it is worth reading if you want to learn what a mess booting a Linux system has become.

While we're talking systemd: #10676 also means systemd-based systems will use RDRAND in the future, despite Ted Ts'o's warning on RDRAND [Archive.org mirror; mirrored locally as 130905_Ted_Tso_on_RDRAND.pdf, 205 kB, as Google+ will be discontinued in April 2019].

Related post: OneRNG: a Fully-Open Entropy Generator (2014)


Original Submission

  • (Score: 2, Interesting) by Coward, Anonymous on Friday December 21 2018, @08:19PM (9 children)

    by Coward, Anonymous (7017) on Friday December 21 2018, @08:19PM (#777305) Journal

    With random numbers being so important for security, you'd think that servers would include a hardware random-number generator that relies on physically proper entropy, rather than other weird sources (e.g. network or user input timing). How expensive can it be to make a chip that amplifies and digitizes Johnson or shot noise?

  • (Score: 4, Interesting) by Arik on Friday December 21 2018, @08:41PM

    by Arik (4543) on Friday December 21 2018, @08:41PM (#777310) Journal
    Indeed, it's somewhat puzzling that PCs still don't have this. Solaris servers had it in the 90s and it's not just handy for encryption, but for gaming too.
    --
    If laughter is the best medicine, who are the best doctors?
  • (Score: 0) by Anonymous Coward on Friday December 21 2018, @08:46PM

    by Anonymous Coward on Friday December 21 2018, @08:46PM (#777313)

    And for virtual machines, a virtual hardware RNG, much like you get virtualised other hardware like NICs, TPM etc. VMs using this virtual RNG device can then use the hypervisor's pool as an additional entropy source (or whatever the hypervisor chooses to feed to the VM through this interface). Of course there'd need to be safeguards in the hypervisor to ensure there isn't a denial-of-service on the host if one VM suddenly asks for a huge amount of entropy in a short period of time, or a large amount of requests from lots of machines.

  • (Score: 0) by Anonymous Coward on Friday December 21 2018, @10:11PM

    by Anonymous Coward on Friday December 21 2018, @10:11PM (#777335)

    Some BT dongles (only those with a CSR chip?) have an RNG; you can get 16 bits with each call. Check http://www.digifail.com/projects/bt_rng.shtml [digifail.com] for analysis. Based on his first test, 500 iterations in 10 seconds, 50 per second, so 100 bytes, 800 bits. And from the further tests, those 100 bytes are probably high quality.

    That was at least 9 years ago, a guy with a shell script and then a small C utility. https://hackaday.com/2009/12/19/bluetooth-based-psuedorandom-number-generation/ [hackaday.com]

    And then we got https://en.wikipedia.org/wiki/RdRand [wikipedia.org] but that one could be poisoned.

    I suggest reading https://hackaday.com/tag/prng/ [hackaday.com] https://hackaday.com/tag/rng/ [hackaday.com] https://hackaday.com/tag/entropy/ [hackaday.com] etc and see if something else is useful.

    So yes, it is possible. When there is a will to do it.

  • (Score: 0) by Anonymous Coward on Friday December 21 2018, @10:46PM

    by Anonymous Coward on Friday December 21 2018, @10:46PM (#777344)
    Use a cheap RTL dongle to generate entropy: here [cros13.net]
  • (Score: 2) by sjames on Saturday December 22 2018, @12:16AM (1 child)

    by sjames (2882) on Saturday December 22 2018, @12:16AM (#777373) Journal

    It's not expensive at all. I've even seen RNGs thrown in as a freebie on various chips including flash chips. BUT, unlike the various auditable open software solutions, how do we audit the hardware?

    • (Score: 0) by Anonymous Coward on Saturday December 22 2018, @10:52AM

      by Anonymous Coward on Saturday December 22 2018, @10:52AM (#777491)

      http://nosuchlabs.com/ [nosuchlabs.com]

  • (Score: 3, Insightful) by stormwyrm on Saturday December 22 2018, @06:23AM (1 child)

    by stormwyrm (717) on Saturday December 22 2018, @06:23AM (#777459) Journal

    The thing here is if you had a hardware RNG you didn't build yourself, the question becomes one of trust. How can you be certain that the RNG isn't actually a kleptographic system that produces output that LOOKS random to all statistical tests, but can really be predicted by someone with the right keys? Would you really trust, say, Intel to include a "true" RNG circuit in their CPUs that doesn't have such a back door? Judging from their past behaviour [soylentnews.org], I'd rather use the Arduino-based RNG [soylentnews.org] I built myself instead, slow as it is, thank you very much.

    --
    Numquam ponenda est pluralitas sine necessitate.
    • (Score: 0) by Anonymous Coward on Saturday December 22 2018, @01:03PM

      by Anonymous Coward on Saturday December 22 2018, @01:03PM (#777512)

      A solution would be to have a standard port for hardware RNGs so you can plug in external ones. The paranoid should be able to sidechain/combine/XOR two or more of them. Two backdoored RNGs combined do not add two backdoors, but probably void both.

  • (Score: 1) by DeVilla on Saturday December 22 2018, @08:07PM

    by DeVilla (5354) on Saturday December 22 2018, @08:07PM (#777634)

    Have you read Ted's warning about RDRAND? It would probably apply to any other HWRNG.