RSS Bot Posted January 14 Share Posted January 14 Description There is an orbiting patch that adds True Random Number Generator (TRNG) completing the rockchip mainline crypto driver. This PR introduces the patch (which is in RFC condition, thus passible of changes) with these benefits: provides better entropy (see below) removes the memory region claim error in dmesg is almost in mainline Some caveats: the existing driver covers rk3288 (32 bit, not applicable in this context), rk3328 and rk3399, but only rk3399 seems to have working hardware. For the other two chips, the TRNG is just disabled. How Has This Been Tested? [x] Current 6.6 kernel packages built and installed on live system (rk3399) [x] Edge 6.7 kernel packages built and installed on live system (rk3399) dmesg can be used to verify if TRNG is enabled: [ 8.091984] rk3288-crypto ff8b0000.crypto: will run requests pump with realtime priority [ 8.092031] rk3288-crypto ff8b0000.crypto: Register ecb(aes) as ecb-aes-rk [ 8.092077] rk3288-crypto ff8b0000.crypto: Register cbc(aes) as cbc-aes-rk [ 8.092087] rk3288-crypto ff8b0000.crypto: Register ecb(des) as ecb-des-rk [ 8.092098] rk3288-crypto ff8b0000.crypto: Register cbc(des) as cbc-des-rk [ 8.092107] rk3288-crypto ff8b0000.crypto: Register ecb(des3_ede) as ecb-des3-ede-rk [ 8.092116] rk3288-crypto ff8b0000.crypto: Register cbc(des3_ede) as cbc-des3-ede-rk [ 8.092126] rk3288-crypto ff8b0000.crypto: Register sha1 as rk-sha1 [ 8.092137] rk3288-crypto ff8b0000.crypto: Register sha256 as rk-sha256 [ 8.092146] rk3288-crypto ff8b0000.crypto: Register md5 as rk-md5 [ 8.092156] rk3288-crypto ff8b0000.crypto: Register TRNG with sample=1200 The mail in the kernel mailing list provides some insight and instruction on how to prove effectiveness of the RNG. Testing existing driver provided by vendor kernel looks quite ineffective in providing decent randomness: root@orangepi4-lts:~# cat /sys/devices/virtual/misc/hw_random/rng_current rockchip root@orangepi4-lts:~# dd if=/dev/hwrng count=100 bs=2048 | rngtest rngtest 2.2 Copyright (c) 2004 by Henrique de Moraes Holschuh This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. rngtest: starting FIPS tests... rngtest: entropy source exhausted! rngtest: bits received from input: 1638400 100+0 records in 100+0 records out rngtest: FIPS 140-2 successes: 0 rngtest: FIPS 140-2 failures: 81 rngtest: FIPS 140-2(2001-10-10) Monobit: 3 rngtest: FIPS 140-2(2001-10-10) Poker: 81 rngtest: FIPS 140-2(2001-10-10) Runs: 81 rngtest: FIPS 140-2(2001-10-10) Long run: 0 rngtest: FIPS 140-2(2001-10-10) Continuous run: 0 rngtest: input channel speed: (min=528.429; avg=1086.773; max=1379.618)Kibits/s rngtest: FIPS tests speed: (min=14.341; avg=47.788; max=59.051)Mibits/s 204800 bytes (205 kB, 200 KiB) copied, 1.52111 s, 135 kB/srngtest: Program run time: 1522960 microseconds While the mainline patch adjusts the number of samples and, albeit being slower and not high quality, seems to be better: root@orangepi4-lts:~# dd if=/dev/hwrng count=100 bs=2048 | rngtest rngtest 2.2 Copyright (c) 2004 by Henrique de Moraes Holschuh This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. rngtest: starting FIPS tests... rngtest: entropy source exhausted! rngtest: bits received from input: 1638400 100+0 records in 100+0 records out rngtest: FIPS 140-2 successes: 28 rngtest: FIPS 140-2 failures: 53 rngtest: FIPS 140-2(2001-10-10) Monobit: 52 rngtest: FIPS 140-2(2001-10-10) Poker: 13 rngtest: FIPS 140-2(2001-10-10) Runs: 3 rngtest: FIPS 140-2(2001-10-10) Long run: 0 rngtest: FIPS 140-2(2001-10-10) Continuous run: 0 204800 bytes (205 kB, 200 KiB) copied, 7.31521 s, 28.0 kB/s rngtest: input channel speed: (min=131.364; avg=222.220; max=278.743)Kibits/s rngtest: FIPS tests speed: (min=17.628; avg=30.777; max=76.600)Mibits/s rngtest: Program run time: 7316184 microseconds Since the original driver from vendor kernel looks like quite useless, I would like to remove this and this soon from the patch archives, and perhaps adapt the mainline driver to provide RNG for rk3308 too, although it is probably useless since the hardware seems to be ineffective on rk3328 (see patch comments) and probably rk3308 is in the same league. @brentr what do you think about? Checklist: [x] My code follows the style guidelines of this project [x] I have performed a self-review of my own code [x] I have commented my code, particularly in hard-to-understand areas [x] I have made corresponding changes to the documentation [x] My changes generate no new warnings [x] Any dependent changes have been merged and published in downstream modules View the full article Link to comment Share on other sites More sharing options...
Recommended Posts