Hardware RNGs in chipsets and CPUs
Posted May 11, 2006 14:48 UTC (Thu) by hmh
In reply to: Intel i8x0
Parent article: On the safety of Linux random numbers
It is more complicated than this. Intel placed the HRNG inside its FWH (firmware hub). I.e, inside a FLASH memory device that is supposed to host the BIOS. Were it inside the MCH (the north bridge), all machines would have it and this story could be very different indeed.
The Intel FWH HRNG is very slow, but it appears to be of very high quality... Unfortunately, the FWH was quickly made an *optional* component of the chipset for whichever reason, and that effectively killed the whole idea. Sometime after that, Intel declared the whole "more secure computers by using an Intel chipset with a HRNG" idea a bust and stopped even caring about producing FWHs with HRNGs.
After that blow, often not even Intel itself would uses their FWH. Take a Intel D875PBZ motherboard for example. I have one, and direct access to three others. Two of them have Intel FWHs, of which one has a working HRNG and the other does not (the HRNG is disabled on silicon). The two other boards use compatible FWHs from other chip manufacturers, that don't have a HRNG either.
Add to it that (AFAIK at least) MS Windows does not have a common interface to get the random numbers from (Unix is easy, provide them through /dev/u?random and everybody uses it), and nobody was really paying much attention to the Intel device driver required to get the data from the FWH...
Now, VIA did things almost right. They placed an *extremely* fast HRNG inside their Nehemia CPU cores (but last time I checked, you'd have to talk directly to them if you wanted to make sure a batch of Nehemia CPUs would come with enabled cores: they disabled the HRNGs when they failed the factory test, instead of scrapping the CPU), added a good hardware crypto engine, and made a major marketing party out of it. Not happy with just one, the newest VIA cores have two HRNGs in different areas of the chip... so you get double the bandwidth, and somewhat less correlation on the output stream.
A heavily modifed version of rng-tools got about 2Mbit/s of random bits from such a Nehemiah CPU (at its highest quality mode, at lowest quality, it is probably on the 12 Mbit/s range in a dual HRNG CPU). This work was sponsored by mekensleep.com, and is available in Debian experimental under the GPL license. One can also use Martin Peck's modified hw_random linux module if they prefer a kernelspace solution.
to post comments)