LWN: Comments on "Problems emerge for a unified /dev/*random" https://lwn.net/Articles/889452/ This is a special feed containing comments posted to the individual LWN article titled "Problems emerge for a unified /dev/*random". en-us Mon, 06 Oct 2025 15:38:11 +0000 Mon, 06 Oct 2025 15:38:11 +0000 https://www.rssboard.org/rss-specification lwn@lwn.net Problems emerge for a unified /dev/*random https://lwn.net/Articles/890961/ https://lwn.net/Articles/890961/ flussence <div class="FormattedComment"> Surprised to find out you&#x27;re right. I assumed those device nodes would be only writable by root for this exact reason.<br> </div> Mon, 11 Apr 2022 14:53:56 +0000 Problems emerge for a unified /dev/*random https://lwn.net/Articles/890664/ https://lwn.net/Articles/890664/ cypherpunks2 <div class="FormattedComment"> <font class="QuotedText">&gt; A more insidious problem, perhaps, is that a seed written to the RNG before it initializes will not actually be used until after the pool is initialized properly; &quot;you might write in a perfectly good seed to /dev/urandom, but what you read out for the subsequent seed may be complete deterministic crap&quot;</font><br> <p> This has been noticed on StackExchange it seems <a rel="nofollow" href="https://security.stackexchange.com/questions/183506/random-seed-not-propagating-to-the-entropy-pools-in-a-timely-manner">https://security.stackexchange.com/questions/183506/rando...</a><br> </div> Thu, 07 Apr 2022 23:55:20 +0000 Problems emerge for a unified /dev/*random https://lwn.net/Articles/889962/ https://lwn.net/Articles/889962/ wtarreau <div class="FormattedComment"> Yes U-Boot definitely is the best place here, since it often embeds the SPL code that&#x27;s used to train the DDR memory. Typically the training is a good way to produce entropy since it tries timings for reliable transfers.<br> <p> For the PC world, grub might be too late due to the BIOS often doing most of the cleanup. However on PCs there&#x27;s often a video card whose memory is not reset and which contains garbage. I think it already happened to all of us to power-cycle a PC, then discover a fantom image of previous session for a fraction of a second when typing &quot;startx&quot; because that memory wasn&#x27;t completely lost yet. And most PCs have hardware RNGs and jitter entropy anyway ;-)<br> <p> </div> Fri, 01 Apr 2022 12:07:02 +0000 Problems emerge for a unified /dev/*random https://lwn.net/Articles/889959/ https://lwn.net/Articles/889959/ nickleverton <div class="FormattedComment"> U-Boot, which I would guess is probably used by most embedded devices that boot into Linux, is GPL2.0+. It&#x27;s ideally placed to extract the early boot hardware-based randomness that Willy Tarreau mentions, running after any SoC ROM loader but before the Linux kernel. I am sure Grub could do similar things for bigger SoCs that boot from disk.<br> </div> Fri, 01 Apr 2022 10:06:23 +0000 Problems emerge for a unified /dev/*random https://lwn.net/Articles/889955/ https://lwn.net/Articles/889955/ wsy <div class="FormattedComment"> I would never trust a boot loader unless it&#x27;s open source. And I don&#x27;t think SOC vendors will do that.<br> </div> Fri, 01 Apr 2022 09:07:52 +0000 Problems emerge for a unified /dev/*random https://lwn.net/Articles/889939/ https://lwn.net/Articles/889939/ wtarreau <div class="FormattedComment"> I remember having discussed this problem with Jason a few years ago, saying that until we instrument boot loaders to feed entropy on embedded devices, it&#x27;s a dead end. Indeed, the only source of entropy you can have on small devices are:<br> - pre-init device contents (uninitialized RAM usually contains noise, except in VMs);<br> output GPIOs may also read noise before they&#x27;re configured as outputs. UARTs<br> often read a first crappy byte. Many chips also include a &quot;reset cause&quot; register<br> that indicates power-on, reset, exception, etc<br> <p> - device reset timings (slow devices such as UARTs do not always take an integral<br> number of cycles to reset; RTC&#x27;s second transition also solely depends on when<br> the device was booted, relative to the current second.<br> <p> - the device&#x27;s configuration: very often you&#x27;ll find a MAC or some device-specific<br> WiFi calibration data stored in a special area on the flash, that may differ from<br> device to device. When running in a VM, some arguments may come from other<br> means.<br> <p> - other external persistent info (e.g. any RTC time value that varies between boots)<br> <p> But often all these data are lost after the boot loader finishes initialization and transfers execution to the kernel. We&#x27;ll *need* to standardize a solution for this, that boot loaders will have to use for future kernels if we want to improve the situation for such embedded devices. Otherwise they&#x27;re too deterministic. I do remember that the SSH key I used to have on my old NSLU2 existed on at least 89 other devices connected to the net... This definitely shows that without early entropy there&#x27;s little hope to collect more later and whatever we&#x27;ll try to do can result in frustration. And while VMs are terrible for this, at least they can benefit from entropy being spoon-fed at boot by the hypervisor.<br> <p> </div> Fri, 01 Apr 2022 04:14:28 +0000 Problems emerge for a unified /dev/*random https://lwn.net/Articles/889930/ https://lwn.net/Articles/889930/ zx2c4 From <a href="https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=38addce8b600ca335dc86fa3d48c890f1c6fa1f4">this commit message</a>: <blockquote> Additionally, the plugin can pre-initialize arrays with build-time random contents, so that two different kernel builds running on identical hardware will not have the same starting values. </blockquote> Fri, 01 Apr 2022 00:50:33 +0000 Problems emerge for a unified /dev/*random https://lwn.net/Articles/889923/ https://lwn.net/Articles/889923/ gerdesj <div class="FormattedComment"> I love the idea of random == urandom but the snags all seem to be about the boot process. Does this not indicate that there still a need for (at least) two randoms. Another one could be random_boot or brandom or whatever.<br> <p> A booting system is obviously not in the same state as it will be when it&#x27;s fully initialised and running, so why insist on pseudo devices like random being a &quot;one size fits all&quot;?<br> <p> VPNs and webservers for example are huge consumers of randomness and can happily wait until the system is up and running and firing on all four. They could really benefit from a relatively simple random that &quot;knows&quot; that suitable sources of entropy are available and cryptographic researchers aren&#x27;t going to get sarcastic! They tend to be bloody complicated and any simplification would be a good thing: eg an assumption about the quality of random.<br> <p> The things that need early random can use brandom and accept its limitations and work with them and then switch to random when it&#x27;s available if they need to.<br> <p> Another option might be to have one random device that describes how useful it thinks it is and leave the consumer to take action based on that. &quot;Hi I&#x27;m Mike and here&#x27;s a stream of gibberish-ish(3)&quot;. The road to Hell is paved with odd interfaces ... <br> </div> Thu, 31 Mar 2022 23:05:12 +0000 Problems emerge for a unified /dev/*random https://lwn.net/Articles/889898/ https://lwn.net/Articles/889898/ jhhaller <div class="FormattedComment"> My random issue was a number of years back, when I would build new systems frequently. The login would take forever to accept a connection. Eventually, I discovered that it was openssh building the host key and it required random numbers, and there was no source of entropy other than network packets, and not many of them. It may have gotten changed, I rarely build new machines anymore.<br> </div> Thu, 31 Mar 2022 20:14:49 +0000 Problems emerge for a unified /dev/*random https://lwn.net/Articles/889872/ https://lwn.net/Articles/889872/ mathstuf <div class="FormattedComment"> That sounds dangerous as long as the `nobody` user can perform `&lt;/dev/zero &gt;/dev/random`.<br> </div> Thu, 31 Mar 2022 15:48:57 +0000 Problems emerge for a unified /dev/*random https://lwn.net/Articles/889801/ https://lwn.net/Articles/889801/ pj <div class="FormattedComment"> Maybe have writes to /dev/random credit the entropy pool but writes to /dev/urandom do not? It&#x27;s approximately symmetrical to their read semantics.<br> </div> Thu, 31 Mar 2022 13:39:43 +0000 Problems emerge for a unified /dev/*random https://lwn.net/Articles/889795/ https://lwn.net/Articles/889795/ nix <div class="FormattedComment"> ... and the whole problem here is that on some platforms there *is* no varying &quot;MAC, whatever&quot; to mix in, and those are the same platforms which are having trouble now. So this would add complexity to... not solve the problem at all :)<br> </div> Thu, 31 Mar 2022 10:51:52 +0000 Problems emerge for a unified /dev/*random https://lwn.net/Articles/889757/ https://lwn.net/Articles/889757/ mb <div class="FormattedComment"> Except that it would be the same on every early boot.<br> And it would even be the same for every distro kernel (minus the mac, whatever mixing).<br> </div> Wed, 30 Mar 2022 21:46:54 +0000 Problems emerge for a unified /dev/*random https://lwn.net/Articles/889755/ https://lwn.net/Articles/889755/ istenrot <div class="FormattedComment"> Why don&#x27;t we generate during a kernel build a sufficiently large kernel embedded binary blob to be used as good quality pre-boot stage random seed? Then mixed with hardware unique identifiers like network interface MAC addresses, SMBIOS data, hardware sensors, RTC time, etc we should have quite nice pre-boot random source. Right?<br> </div> Wed, 30 Mar 2022 21:22:31 +0000 Problems emerge for a unified /dev/*random https://lwn.net/Articles/889742/ https://lwn.net/Articles/889742/ willmo <div class="FormattedComment"> Maybe bananas idea, and maybe this is what jhoblitt is suggesting above, but what about making a new character device like &quot;/dev/entropypool&quot; whose writes are always credited as entropy?<br> </div> Wed, 30 Mar 2022 19:34:43 +0000 Problems emerge for a unified /dev/*random https://lwn.net/Articles/889714/ https://lwn.net/Articles/889714/ jhoblitt <div class="FormattedComment"> An interface consisting of writing to a procfs file and then having to call an ioctl on it makes me reach for my unix barf bag. <br> <p> Is there any hope of a sane reboot under sysfs?<br> </div> Wed, 30 Mar 2022 17:35:25 +0000 Problems emerge for a unified /dev/*random https://lwn.net/Articles/889635/ https://lwn.net/Articles/889635/ Hello71 <div class="FormattedComment"> Ah, you&#x27;re right.<br> </div> Wed, 30 Mar 2022 13:41:46 +0000 Problems emerge for a unified /dev/*random https://lwn.net/Articles/889630/ https://lwn.net/Articles/889630/ ncm <div class="FormattedComment"> Nowadays most devices come with a hardware random number generating device attached, typically a camera, radio, or microphone. The low bits of analog-to-digital converters provide a copious supply of entropy that the upper bits, howsoever predictable, cannot steal away. <br> <p> Such devices might be more trustworthy than the &quot;hardware RNG&quot; instructions provided on processor cores, which we have seen demonstrated (in a recent AMD erratum) may be reliably turned off from microcode, and, we may presume, from an appropriate not-publicly-documented instruction sequence. Whether to try to defend against such an attack depends on your threat model, of course; if so, an unreliable source of random numbers might be the least of your problems. But defense in depth has rarely been a mistake.<br> </div> Wed, 30 Mar 2022 12:39:11 +0000 Problems emerge for a unified /dev/*random https://lwn.net/Articles/889618/ https://lwn.net/Articles/889618/ jake <div class="FormattedComment"> <font class="QuotedText">&gt; the correct method to add entropy is to use the RNDADDENTROPY ioctl.</font><br> <p> the article doesn&#x27;t ignore that, but it perhaps takes a while to get there; it talks about it starting around here:<br> <p> <font class="QuotedText">&gt; The RNDADDENTROPY command combines the write and the credit in the same call, which </font><br> <font class="QuotedText">&gt; allows the kernel to make a better decision on what do with it, he said. </font><br> <p> jake<br> </div> Wed, 30 Mar 2022 01:54:20 +0000 Problems emerge for a unified /dev/*random https://lwn.net/Articles/889612/ https://lwn.net/Articles/889612/ Hello71 <div class="FormattedComment"> The article&#x27;s claim that RNDADDTOENTCNT must be used to add entropy is incorrect, or at least incomplete. As explained in the mailing list thread, use of RNDADDTOENTCNT is highly discouraged, and the correct method to add entropy is to use the RNDADDENTROPY ioctl.<br> </div> Tue, 29 Mar 2022 23:50:09 +0000 Problems emerge for a unified /dev/*random https://lwn.net/Articles/889608/ https://lwn.net/Articles/889608/ jepler <div class="FormattedComment"> Ages ago I made a random number generating device and a daemon for adding its entropy into the system. So I had to check out today how I did it back then (circa 2013): <a href="https://emergent.unpythonic.net/01257868826">https://emergent.unpythonic.net/01257868826</a><br> <p> It appears that I (A) asked the kernel how much entropy was available via /proc/sys/kernel/random/entropy_avail, (B) if it was at least 3072, slept (max entropy was/is 4096?) (C) otherwise, read enough data from my device, wrote it to /dev/random (not urandom!), and credited it with ioctl RNDADDTOENTCNT<br> <p> So in this case, it looks like big gulps of data were added by my random daemon. Hooray for good luck in a long ago decision.<br> <p> In any case, I don&#x27;t use the device anymore.<br> </div> Tue, 29 Mar 2022 22:02:45 +0000