Re: [OpenWrt-Devel] Quick hack for kernel entropy problem on MIPS
On Monday 18 November 2013 19:29:17 mancha wrote:
> Hauke Mehrtens hauke at hauke-m.de writes:
> > On 10/17/2013 05:40 PM, chrono wrote:
> > > Ahoi everyone,
> > >
> > > it was requested on IRC that I send my solution to the entropy problem
> > > with the current kernel (e.g. having 0 available entropy):
> > >
> > > root@OpenWrt:/# cat /proc/sys/kernel/random/entropy_avail
> > > 0
> >
> > A similar patch was applied to trunk in r38834.
> >
> > Hauke
>
> I provided this backport patch to #openwrt on freenode last week. I am
> glad it was included in trunk.
>
> Two important clarifications:
>
> 1. The original poster applies his patch to kernel 3.3.8 (it seems) yet
>    the interface that makes use of get_cycles() in seeding the random
>    pool wasn't introduced until 3.6. The patch on pre-3.6 kernels
>    effectively does nothing entropy-wise. Without more comprehensive
>    backports, there is no similar simple solution for Attitude.

This seems not entirely accurate, as AA has a backport patch for the generic 3.3.8 kernel to add 'add_device_randomness', see target/linux/generic/patches-3.3/050-rng_git_backport.patch

--- a/drivers/char/random.c +++ b/drivers/char/random.c
@@ -125,21 +125,26 @@ * The current exported interfaces for gathering environmental noise * from the devices are: * + * void add_device_randomness(const void *buf, unsigned int size); * void add_input_randomness(unsigned int type, unsigned int code, *unsigned int value); - * void add_interrupt_randomness(int irq); + * void add_interrupt_randomness(int irq, int irq_flags); ... +/* + * Add device- or boot-specific data to the input and nonblocking + * pools to help initialize them to unique values. + * + * None of this adds any entropy, it is meant to avoid the + * problem of the nonblocking pool having similar initial state + * across largely identical devices. + */ +void add_device_randomness(const void *buf, unsigned int size) +{ + unsigned long time = get_cycles() ^ jiffies; + + mix_pool_bytes(input_pool, buf, size, NULL); ...

Would there be anything else needed?

> 2. You aren't going to see /proc/sys/kernel/random/entropy_avail
>    affected by this patch because the machine/boot specific seeding
>    does not credit the entropy count.
>
> --mancha

Tijs

___
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel
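Review bot: in add_device_randomness() the value mixed in as time is get_cycles() ^ jiffies, and on a target whose get_cycles() still returns 0 (the unpatched MIPS timex.h shown elsewhere in this thread) that reduces to jiffies alone, which differs little between boots of identical devices; this backport should be carried together with the get_cycles() change. The header comment also changes add_interrupt_randomness() to take irq_flags, so every caller has to be updated in the same patch, and the excerpt elides those hunks.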
Re: [OpenWrt-Devel] Quick hack for kernel entropy problem on MIPS
Hauke Mehrtens hauke at hauke-m.de writes:
> On 10/17/2013 05:40 PM, chrono wrote:
> > Ahoi everyone,
> >
> > it was requested on IRC that I send my solution to the entropy problem
> > with the current kernel (e.g. having 0 available entropy):
> >
> > root@OpenWrt:/# cat /proc/sys/kernel/random/entropy_avail
> > 0
>
> A similar patch was applied to trunk in r38834.
>
> Hauke

I provided this backport patch to #openwrt on freenode last week. I am glad it was included in trunk.

Two important clarifications:

1. The original poster applies his patch to kernel 3.3.8 (it seems) yet the interface that makes use of get_cycles() in seeding the random pool wasn't introduced until 3.6. The patch on pre-3.6 kernels effectively does nothing entropy-wise. Without more comprehensive backports, there is no similar simple solution for Attitude.

2. You aren't going to see /proc/sys/kernel/random/entropy_avail affected by this patch because the machine/boot specific seeding does not credit the entropy count.

--mancha
Re: [OpenWrt-Devel] Quick hack for kernel entropy problem on MIPS
On 10/17/2013 05:40 PM, chrono wrote:
> Ahoi everyone,
>
> it was requested on IRC that I send my solution to the entropy problem
> with the current kernel (e.g. having 0 available entropy):
>
> root@OpenWrt:/# cat /proc/sys/kernel/random/entropy_avail
> 0
>
> In the build root I've patched
> build_dir/linux-ar71xx_nand/linux-3.3.8/arch/mips/include/asm/timex.h
>
> --- timex.h?id=refs%2Ftags%2Fv3.3.8 2013-10-17 17:23:12.0 +0200 +++ timex.h 2013-10-17 17:07:59.888938183 +0200 @@ -35,7 +35,13 @@ static inline cycles_t get_cycles(void) { - return 0; + + if (cpu_has_counter) { + return read_c0_count(); + } + else { + return 0; /* no usable counter */ + } } #endif /* __KERNEL__ */
>
> After applying and rebuilding the kernel:
>
> root@OpenWrt:/# cat /proc/sys/kernel/random/entropy_avail
> 162
>
> This was tested on mips32r2/24kc (Mikrotik Routerboard 450G) but it might
> work for others as well. Until this is fixed upstream and openwrt follows
> up with the kernel, it might be an easy fix for some people in order to
> have better entropy for SSL/VPN.
>
> Hopefully it will be useful to someone,
>
> chrono

A similar patch was applied to trunk in r38834.

Hauke
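Review bot: the file header names "timex.h?id=refs%2Ftags%2Fv3.3.8" and a bare "timex.h", so the patch carries no path inside the kernel tree and whoever applies it has to take the directory from the prose; it should be regenerated against arch/mips/include/asm/timex.h. In the body, the added blank line after the opening brace and the "}" / "else {" split do not follow kernel coding style; "if (cpu_has_counter) return read_c0_count();" followed by a plain "return 0;" says the same thing.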
Re: [OpenWrt-Devel] Quick hack for kernel entropy problem on MIPS
Take a look at this ticket: https://dev.openwrt.org/ticket/9631

- Original Message -
From: Weedy
To: OpenWrt Development List
Sent: Friday, October 18, 2013 1:02 AM
Subject: Re: [OpenWrt-Devel] Quick hack for kernel entropy problem on MIPS

On 17 Oct 2013 13:07, chrono chr...@open-resource.org wrote:
> > > > root@OpenWrt:/# cat /proc/sys/kernel/random/entropy_avail
> > > > 0
> > >
> > > Uhh ok?
> > > root@OpenWrt:~# cat /proc/sys/kernel/random/entropy_avail
> > > 1189
> >
> > What's your uptime?
> >
> > Entropy is added to the pool e.g. based on network activity.
> > The issue is that the pool is empty right after boot up.
>
> Well it's not anymore (with the patch).
>
> That may be due to the fact that network is the only source of entropy
> left on MIPS, that is something I personally wouldn't accept as enough
> anymore. As I reckon there has been a lengthy discussion about it already
> and many people raised their concerns.
>
> ecurity/meldung/Linux-auf-MIPS-jetzt-wieder-mit-mehr-Zufall-1963604.html
> (sorry for German link)
>
> That patch wouldn't work with 3.3.8 due to include dependencies I wasn't
> willing to follow up.
>
> The attached patch will re-enable CPU interrupts as entropy source, at
> least for AR71xx/mips32r3 and will do so right away, which might also
> solve issues with hostapd/nginx that require some during init.

Ah, I can see how that might cause issues. I have made some sysctl tweaks and my network always has something going on. So I never noticed.
Re: [OpenWrt-Devel] Quick hack for kernel entropy problem on MIPS
On 18/10/13 07:09 AM, José Vázquez Fernández wrote:
> Take a look at this ticket: https://dev.openwrt.org/ticket/9631

Again, I do not personally have this issue but I can see why it would need to be fixed.

$ ssh r...@openwrt.lan 'reboot';sleep 3;while ! ping -c3 openwrt.lan; do sleep 2; done; ssh r...@openwrt.lan 'while :; do cat /proc/sys/kernel/random/entropy_avail; sleep 1; done'
ping: unknown host openwrt.lan
snip
ping: unknown host openwrt.lan
PING openwrt.lan (192.168.8.1) 56(84) bytes of data.
64 bytes from OpenWrt.lan (192.168.8.1): icmp_seq=1 ttl=69 time=0.999 ms
64 bytes from OpenWrt.lan (192.168.8.1): icmp_seq=2 ttl=69 time=1.24 ms
64 bytes from OpenWrt.lan (192.168.8.1): icmp_seq=3 ttl=69 time=1.22 ms
--- openwrt.lan ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2002ms
rtt min/avg/max/mdev = 0.999/1.158/1.247/0.112 ms
135 139 145 151
snip
200 207 213 218 222 229 232 237 242
snip
363 401 440 478 9 46 87 122 166 203
snip
684 726 762 799 837
snip
1346 1381 1416 1452 1481 1513
snip
1074 1106 1161 1197 1231 1263
snip
1270 1304 1347 1385
snip
1091 1123 1156 1185
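An added example, not part of the message above or of any OpenWrt code: a helper that summarises a once-per-second series of entropy_avail readings like the one in that output, reporting when the pool first reached a threshold, how long it sat below it, and how often a consumer drew it down. The names entropy_summary and sample_summary, the threshold of 128 and the sample readings are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise entropy_avail readings taken once per second.
# Usage: entropy_summary THRESHOLD < readings   (one integer per line)
# Lines that are not plain integers (e.g. "snip") are ignored.
# Prints: first_ok=<second|never> min=<n> below=<n> drains=<n>
entropy_summary() {
    awk -v thr="$1" '
        /^[0-9]+$/ {
            n++
            if (n == 1 || $1 < min) min = $1
            # Second (0-based) at which the pool first reached the threshold.
            if (first == "" && $1 >= thr) first = n - 1
            # Seconds spent below the threshold, including later dips.
            if ($1 < thr) below++
            # A reading lower than the previous one: something drew from the pool.
            if (n > 1 && $1 < prev) drains++
            prev = $1
        }
        END {
            if (n == 0) { print "no samples"; exit 1 }
            printf "first_ok=%s min=%d below=%d drains=%d\n", (first == "" ? "never" : first), min, below + 0, drains + 0
        }'
}

# Constructed sample readings (not taken from a real device): an empty pool
# at boot, a slow climb, then a consumer draining it shortly after.
SAMPLE='0
0
12
58
140
201
9
46
190
260'

sample_summary() { printf '%s\n' "$SAMPLE" | entropy_summary 128; }

sample_summary
```

On a device, the loop from the message above can be piped straight into entropy_summary once it has been interrupted or bounded with a counter.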
[OpenWrt-Devel] Quick hack for kernel entropy problem on MIPS
Ahoi everyone,

it was requested on IRC that I send my solution to the entropy problem with the current kernel (e.g. having 0 available entropy):

root@OpenWrt:/# cat /proc/sys/kernel/random/entropy_avail
0

In the build root I've patched
build_dir/linux-ar71xx_nand/linux-3.3.8/arch/mips/include/asm/timex.h

--- timex.h?id=refs%2Ftags%2Fv3.3.8 2013-10-17 17:23:12.0 +0200 +++ timex.h 2013-10-17 17:07:59.888938183 +0200 @@ -35,7 +35,13 @@ static inline cycles_t get_cycles(void) { - return 0; + + if (cpu_has_counter) { + return read_c0_count(); + } + else { + return 0; /* no usable counter */ + } } #endif /* __KERNEL__ */

After applying and rebuilding the kernel:

root@OpenWrt:/# cat /proc/sys/kernel/random/entropy_avail
162

This was tested on mips32r2/24kc (Mikrotik Routerboard 450G) but it might work for others as well. Until this is fixed upstream and openwrt follows up with the kernel, it might be an easy fix for some people in order to have better entropy for SSL/VPN.

Hopefully it will be useful to someone,

chrono

--
Apollo-NG Mobile Hackerspace
https://apollo.open-resource.org/
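Review bot: the new body of get_cycles() uses cpu_has_counter and read_c0_count(), but the patch is a single hunk that adds no #include, so timex.h depends on whichever file pulls in those definitions first; the header should include what defines them itself. The else branch also leaves CPUs without a counter returning 0 exactly as before, so the description should say that those targets get no benefit from the change.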
Re: [OpenWrt-Devel] Quick hack for kernel entropy problem on MIPS
On Thu, Oct 17, 2013 at 11:40 AM, chrono chr...@open-resource.org wrote:
> Ahoi everyone,
>
> it was requested on IRC that I send my solution to the entropy problem
> with the current kernel (e.g. having 0 available entropy):
>
> root@OpenWrt:/# cat /proc/sys/kernel/random/entropy_avail
> 0

Uhh ok?
root@OpenWrt:~# cat /proc/sys/kernel/random/entropy_avail
1189

> This was tested on mips32r2/24kc (Mikrotik Routerboard 450G) but it might

root@OpenWrt:~# cat /proc/cpuinfo
system type: Atheros AR9344 rev 2
machine: TP-LINK TL-WDR3600/4300/4310
processor: 0
cpu model: MIPS 74Kc V4.12
Re: [OpenWrt-Devel] Quick hack for kernel entropy problem on MIPS
On Thu, Oct 17, 2013 at 6:32 PM, Weedy weedy2...@gmail.com wrote:
> On Thu, Oct 17, 2013 at 11:40 AM, chrono chr...@open-resource.org wrote:
> > Ahoi everyone,
> >
> > it was requested on IRC that I send my solution to the entropy problem
> > with the current kernel (e.g. having 0 available entropy):
> >
> > root@OpenWrt:/# cat /proc/sys/kernel/random/entropy_avail
> > 0
>
> Uhh ok?
> root@OpenWrt:~# cat /proc/sys/kernel/random/entropy_avail
> 1189

What's your uptime?

Entropy is added to the pool e.g. based on network activity.
The issue is that the pool is empty right after boot up.

Gr{oetje,eeting}s,

Geert

--
Geert Uytterhoeven -- There's lots of Linux beyond ia32 -- ge...@linux-m68k.org

In personal conversations with technical people, I call myself a hacker. But
when I'm talking to journalists I just say programmer or something like that.
-- Linus Torvalds
Re: [OpenWrt-Devel] Quick hack for kernel entropy problem on MIPS
> > > root@OpenWrt:/# cat /proc/sys/kernel/random/entropy_avail
> > > 0
> >
> > Uhh ok?
> > root@OpenWrt:~# cat /proc/sys/kernel/random/entropy_avail
> > 1189
>
> What's your uptime?
>
> Entropy is added to the pool e.g. based on network activity.
> The issue is that the pool is empty right after boot up.

Well it's not anymore (with the patch).

That may be due to the fact that network is the only source of entropy left on MIPS, that is something I personally wouldn't accept as enough anymore. As I reckon there has been a lengthy discussion about it already and many people raised their concerns.

ecurity/meldung/Linux-auf-MIPS-jetzt-wieder-mit-mehr-Zufall-1963604.html
(sorry for German link)

That patch wouldn't work with 3.3.8 due to include dependencies I wasn't willing to follow up.

The attached patch will re-enable CPU interrupts as entropy source, at least for AR71xx/mips32r3 and will do so right away, which might also solve issues with hostapd/nginx that require some during init.

chrono

--
Apollo-NG Mobile Hackerspace
https://apollo.open-resource.org/
Re: [OpenWrt-Devel] Quick hack for kernel entropy problem on MIPS
On 17 Oct 2013 13:07, chrono chr...@open-resource.org wrote:
> > > > root@OpenWrt:/# cat /proc/sys/kernel/random/entropy_avail
> > > > 0
> > >
> > > Uhh ok?
> > > root@OpenWrt:~# cat /proc/sys/kernel/random/entropy_avail
> > > 1189
> >
> > What's your uptime?
> >
> > Entropy is added to the pool e.g. based on network activity.
> > The issue is that the pool is empty right after boot up.
>
> Well it's not anymore (with the patch).
>
> That may be due to the fact that network is the only source of entropy
> left on MIPS, that is something I personally wouldn't accept as enough
> anymore. As I reckon there has been a lengthy discussion about it already
> and many people raised their concerns.
>
> ecurity/meldung/Linux-auf-MIPS-jetzt-wieder-mit-mehr-Zufall-1963604.html
> (sorry for German link)
>
> That patch wouldn't work with 3.3.8 due to include dependencies I wasn't
> willing to follow up.
>
> The attached patch will re-enable CPU interrupts as entropy source, at
> least for AR71xx/mips32r3 and will do so right away, which might also
> solve issues with hostapd/nginx that require some during init.

Ah, I can see how that might cause issues. I have made some sysctl tweaks and my network always has something going on. So I never noticed.