Glen Turner (vk5tu) wrote,

Raspberry Pi random number generator

The Raspberry Pi's BCM2835 system-on-a-chip has a hardware random number generator. Since the Pi doesn't have a lot of the usual sources of randomness it is well worth turning on.

Edit /etc/modules and add the line:

bcm2708_rng

This will create the device /dev/hwrng at the next boot. If you can't wait until then, say modprobe bcm2708_rng. When the random number generator module is installed, dmesg will report:

bcm2708_rng_init=df8d6000

To drop this source of random data into the kernel's pool of randomness use the rngd daemon: sudo apt-get install rng-tools.

Edit /etc/default/rng-tools to say:

HRNGDEVICE=/dev/hwrng

The default parameters for rngd are a good fit for an inadequately described hardware random number generator, so there is no need to bother with setting any RNGDOPTIONS.

Restart rngd with /etc/init.d/rng-tools restart.

When rngd starts it syslogs:

rngd 2-unofficial-mt.14 starting up...
entropy feed to the kernel ready

When rngd is stopped it prints the values of statistics it maintains to validate the randomness of data read from /dev/hwrng. For example:

stats: bits received from HRNG source: 140064
stats: bits sent to kernel pool: 98944
stats: entropy added to kernel pool: 98944
stats: FIPS 140-2 successes: 7
stats: FIPS 140-2 failures: 0
stats: FIPS 140-2(2001-10-10) Monobit: 0
stats: FIPS 140-2(2001-10-10) Poker: 0
stats: FIPS 140-2(2001-10-10) Runs: 0
stats: FIPS 140-2(2001-10-10) Long run: 0
stats: FIPS 140-2(2001-10-10) Continuous run: 0
stats: HRNG source speed: (min=596.574; avg=709.100; max=743.255)Kibits/s
stats: FIPS tests speed: (min=5.947; avg=6.126; max=6.191)Mibits/s
stats: Lowest ready-buffers level: 2
stats: Entropy starvations: 0
stats: Time spent starving for entropy: (min=0; avg=0.000; max=0)us
Exiting...

If the "lowest ready-buffers level" statistic shows the buffers underrunning, then alter RNGDOPTIONS in /etc/default/rng-tools to decrease the --feed-interval from 60 seconds to 10s or even down to 1s; also increase the --rng-buffers from 3 to 5.

If programs read from /dev/random and block, and this blocking is harming performance, then make the hardware random number generator carry more of the load of filling the entropy pool. When --fill-watermark is not provided the hardware random number generator fills the entropy pool to 50%; increase that to 90% with --fill-watermark=90% (the "%" is required, as a bare 90 has a different meaning entirely). Note that this places more trust in the correct operation and non-subversion of the hardware random number generator.
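As an added example (not from the post), a small Python checker that parses the rngd shutdown statistics quoted above and maps the post's tuning advice onto them; it assumes the `--feed-interval=N --rng-buffers=N` long-option spelling and embeds one constructed failing sample alongside the post's healthy one.

```python
import re

# Shutdown statistics copied from the rngd output quoted in the post (healthy run).
HEALTHY_STATS = """\
stats: bits received from HRNG source: 140064
stats: bits sent to kernel pool: 98944
stats: entropy added to kernel pool: 98944
stats: FIPS 140-2 successes: 7
stats: FIPS 140-2 failures: 0
stats: HRNG source speed: (min=596.574; avg=709.100; max=743.255)Kibits/s
stats: Lowest ready-buffers level: 2
stats: Entropy starvations: 0
"""

# Constructed sample (not from the post): buffers drained and two FIPS 140-2 failures.
STARVED_STATS = """\
stats: FIPS 140-2 successes: 5
stats: FIPS 140-2 failures: 2
stats: Lowest ready-buffers level: 0
stats: Entropy starvations: 4
stats: Time spent starving for entropy: (min=12; avg=31.500; max=80)us
"""

# Integer-valued "stats: <name>: <n>" lines; the (min/avg/max) lines do not match.
_STAT_LINE = re.compile(r"^stats: (?P<name>[^:]+): (?P<value>\d+)$")


def parse_rngd_stats(text):
    """Map each integer rngd statistic name to its value."""
    stats = {}
    for line in text.splitlines():
        m = _STAT_LINE.match(line.strip())
        if m:
            stats[m.group("name")] = int(m.group("value"))
    return stats


def check_rngd_stats(stats):
    """Return findings that call for action, following the post's advice."""
    findings = []
    if stats.get("FIPS 140-2 failures", 0) > 0:
        findings.append("FIPS 140-2 failures: rngd discarded blocks read from /dev/hwrng")
    if stats.get("Lowest ready-buffers level", 1) == 0 or stats.get("Entropy starvations", 0) > 0:
        findings.append("ready buffers drained: rngd could not keep up with kernel demand")
    return findings


def suggest_rngdoptions(stats):
    """RNGDOPTIONS for /etc/default/rng-tools after an underrun (assumed --opt=N syntax)."""
    if any("drained" in f for f in check_rngd_stats(stats)):
        return "--feed-interval=10 --rng-buffers=5"
    return ""
```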

Addendum 2015-12-03: Regenerating SSH host keys

One reason to use the random number generator is to generate secure SSH host keys. This is difficult to do without the hardware random number generator because of the low level of entropy available on the RPi soon after boot.

Remove the existing host keys:

$ sudo rm /etc/ssh/ssh_host_*

Then generate new keys, using the key algorithms recommended by your Debian distribution:

$ sudo dpkg-reconfigure openssh-server
Creating SSH2 RSA key; this may take some time ...
Creating SSH2 DSA key; this may take some time ...
Creating SSH2 ECDSA key; this may take some time ...
Restarting OpenBSD Secure Shell server: sshd.
[ ok ]
Tags: linux, raspberrypi