On Sun, Nov 03, 2013 at 08:33:12AM -0500, Theodore Ts'o wrote: > Some investigation from FreeBSD shows that there is entropy available > from measuring the device attach times: > > http://lists.randombit.net/pipermail/cryptography/2013-October/005689.html > > This will hopefully help us more quickly initialize the entropy pools > while the system is booting (which is one of the times when we really > badly need more entropy, especially in the case of the first boot > after an consumer electronics device is taken out of the box). > > Measurements indicate this makes a huge improvement in the security of > /dev/urandom during the boot sequence, so I'm cc'ing this to the > stable kernel series. Especially for embedded systems, which use > flash and which don't necessarily have the network enabled when they > first generate ssh or x.509 keys (sigh), this can be a big deal. > > Signed-off-by: "Theodore Ts'o" <tytso@xxxxxxx> > Cc: stable@xxxxxxxxxxxxxxx Self-NAK. After doing some more measurements, I'm not convinced the entropy estimator is working well given how we are collecting the device attach times. Instead, we need to measure the delta between the start and the end of the device probe, which in turn will only work if we have a valid cycle counter. (random_get_entropy() is not going to cut it.) So with some changes, this approach will improve things on x86, but on architectures like ARM, which generally don't have a cycle counter, the jiffies counter is not going to have enough resolution to do something useful --- and it was on platforms such as ARM and MIPS where I was hoping this would be most useful. Grumble. Why can't ARM and MIPS have decent cycle counters? <Shakes fist> - Ted -- To unsubscribe from this list: send the line "unsubscribe linux-crypto" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html