On Wed, 21 Apr 2004 12:49, Colin Walters <walters@xxxxxxxxxx> wrote: > I presume by the way there's a reason access to random_device_t is was > originally denied - it prevents users from draining your good entropy by > generating a ton of keys. On the other hand, if you have GPG installed Actually when I gave different types to /dev/random and /dev/urandom we just sorted out which access each program seemed to need. At the time GPG didn't seem to want /dev/random access. If it wants it then it should get it. > Maybe the right way is a resource constraint framework. Anyways, do > people think this is worth being made into a tunable or something? I think that a resource constraint framework for entropy would be useful. However there are other ways of attacking the problem. It seems that every desktop, laptop, and PDA shipped in the last few years has sound hardware. The microphone that's built in to many machines can be used as a source of entropy, and even an unconnected line-in if sampled at 16bit will do reasonably well. There is already policy for /usr/sbin/audio-entropyd to use this, if we get this packaged then maybe it would be the best solution to the problem? -- http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark http://www.coker.com.au/postal/ Postal SMTP/POP benchmark http://www.coker.com.au/~russell/ My home page
