Hi Daniel, On Tuesday, 16 July 2024 15:27:33 CEST Daniel Golle wrote: > On Tue, Jul 16, 2024 at 02:34:40PM +0200, Diederik de Haas wrote: > > [...] > > rngtest: starting FIPS tests... > > rngtest: bits received from input: 20000032 > > rngtest: FIPS 140-2 successes: 362 > > rngtest: FIPS 140-2 failures: 638 > > rngtest: FIPS 140-2(2001-10-10) Monobit: 634 > > rngtest: FIPS 140-2(2001-10-10) Poker: 106 > > rngtest: FIPS 140-2(2001-10-10) Runs: 43 > > rngtest: FIPS 140-2(2001-10-10) Long run: 0 > > rngtest: FIPS 140-2(2001-10-10) Continuous run: 0 > > rngtest: input channel speed: (min=2.638; avg=139.351; > > max=9765625.000)Kibits/s rngtest: FIPS tests speed: (min=21.169; > > avg=36.158; max=68.610)Mibits/s rngtest: Program run time: 148109761 > > microseconds > > =============================================================== > > > > That's almost twice as many failures as successes ... > > That's bad news, and apparently different from Aurelien's initial > testing of the driver. > > Can you try if the result is also that bad when using his version of > the driver: > > https://patchwork.kernel.org/project/linux-arm-kernel/patch/20221128184718.1 > 963353-3-aurelien@xxxxxxxxxxx/ > > If so, we can try to increase RK_RNG_SAMPLE_CNT, and we may need > different values depending on the SoC... I had been using a rebased version (with fixed includes) of Aurelien's patch set and I switched to 'your' version somewhere in the 6.10-rcX cycle, but I didn't record exactly when. But I had a 6.9.2 kernel of which I'm confident has that rebased patch set: =========================================================== root@quartz64a:~# uname -a Linux quartz64a 6.9+unreleased-arm64 #1 SMP Debian 6.9.2-1~cknow (2024-04-24) aarch64 GNU/Linux root@quartz64a:~# dd if=/dev/hwrng bs=100000 count=1 > /dev/null 1+0 records in 1+0 records out 100000 bytes (100 kB, 98 KiB) copied, 5.6801 s, 17.6 kB/s root@quartz64a:~# cat /dev/hwrng | rngtest -c 1000 rngtest 5 Copyright (c) 2004 by Henrique de Moraes Holschuh This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. rngtest: starting FIPS tests... rngtest: bits received from input: 20000032 rngtest: FIPS 140-2 successes: 361 rngtest: FIPS 140-2 failures: 639 rngtest: FIPS 140-2(2001-10-10) Monobit: 637 rngtest: FIPS 140-2(2001-10-10) Poker: 115 rngtest: FIPS 140-2(2001-10-10) Runs: 34 rngtest: FIPS 140-2(2001-10-10) Long run: 0 rngtest: FIPS 140-2(2001-10-10) Continuous run: 0 rngtest: input channel speed: (min=2.603; avg=137.548; max=9765625.000)Kibits/s rngtest: FIPS tests speed: (min=21.479; avg=37.156; max=89.547)Mibits/s rngtest: Program run time: 149992805 microseconds =========================================================== So that's consistent(ly bad). For shits and giggles, I tried it on my PineTab2 too (also rk3566): =========================================================== root@pinetab2:~# uname -a Linux pinetab2 6.10+unreleased-arm64 #1 SMP Debian 6.10-1~cknow (2024-04-24) aarch64 GNU/Linux root@pinetab2:~# dd if=/dev/hwrng bs=100000 count=1 > /dev/null 1+0 records in 1+0 records out 100000 bytes (100 kB, 98 KiB) copied, 5,69533 s, 17,6 kB/s root@plebian-pinetab2:~# cat /dev/hwrng | rngtest -c 1000 rngtest 5 Copyright (c) 2004 by Henrique de Moraes Holschuh This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. rngtest: starting FIPS tests... rngtest: bits received from input: 20000032 rngtest: FIPS 140-2 successes: 730 rngtest: FIPS 140-2 failures: 270 rngtest: FIPS 140-2(2001-10-10) Monobit: 266 rngtest: FIPS 140-2(2001-10-10) Poker: 23 rngtest: FIPS 140-2(2001-10-10) Runs: 9 rngtest: FIPS 140-2(2001-10-10) Long run: 0 rngtest: FIPS 140-2(2001-10-10) Continuous run: 0 rngtest: input channel speed: (min=2.615; avg=137.889; max=9765625.000)Kibits/s rngtest: FIPS tests speed: (min=24.643; avg=34.518; max=68.364)Mibits/s rngtest: Program run time: 149674336 microseconds =========================================================== That's looking quite a lot better ... and I have no idea why. The Q64-A is used as headless server and the PineTab2 is not, but I connected to both over SSH and they were freshly booted into, thus I haven't actually/normally used the PT2 since boot. HTH, Diederik
Attachment:
signature.asc
Description: This is a digitally signed message part.
