<div dir="ltr">I read over the bug, and I have a few thoughts here<div><br></div><div>First, regarding the rng-tools version looks rather out of date. From what I see, the latest version in the debian archives is 5-1, which is horribly old (circa 2004). The latest version is 6.10, and is almost a complete re-write, containing a useable systemd unit file, and also should work with sysv-init. It also contains several entropy sources, including a jitter source entropy generator to fall back on should other sources not be available for whatever reason. I'd strongly suggest updating to the latest version to avoid some of the problems described in the bug</div><div><br></div><div>As for the question regarding starting rngd on multiple cores, I can't recommend that. rngd automatically detects the number of cores and starts threads on each for certain entropy sources, affining the cpus properly to generate maximum entropy without disrupting the system</div><div><br></div><div>As for having trouble with ordering (i.e. if /dev/hwrng isn't ready when rngd starts), I'd use udev rules to trigger on the addition of an entropy source to just restart the rngd service, that shouldn't be too hard. That said though, if you use the included rngd.service, its blocked on WantedBy multi-user.target, so on a general boot it shouldn't start until all the hardware drivers are loaded and initalized. If you need it earlier than that, you can use dracut to start it in the initramfs, and shut it down on switch-root to get early entropy from the jitter source.</div><div><br></div><div>Let me know if you have other questions</div><div><br></div><div>Best</div><div>Neil</div><div><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, Nov 10, 2020 at 3:09 PM Henrique de Moraes Holschuh <<a href="mailto:hmh@debian.org">hmh@debian.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><br>
<br>
On Tue, Nov 10, 2020, at 16:05, Thorsten Glaser wrote:<br>
> So we additionally have the case where the character device<br>
> exists but is not usable… oh my.<br>
<br>
This was common enough that rngd should know about it and bail out with an error if it doesn't gey proper random numbers from its input during startup. At least I vaguely recall adding that logic, including a timeout.<br>
<br>
And it won't feed the entropy pool with obvious crap no matter what, although you can easily fool it of you want, a typical device malfunction (all zeroes, patterns with too much bias, all ones...) Won't get past it's simplistic fitness testing (the old fips one).<br>
<br>
So you'd start it and it will bail up sometime later because the entropy source is unfit for use. On systemd you should watch that and don't restart it aggressively or you'll waste one cpu core worth of busywork in the worst case. Best case it sleeps.<br>
<br>
-- <br>
Henrique de Moraes Holschuh <<a href="mailto:hmh@debian.org" target="_blank">hmh@debian.org</a>><br>
</blockquote></div><br clear="all"><div><br></div>-- <br><div dir="ltr" class="gmail_signature"><div dir="ltr">/***************************************************<br> *Neil Horman<br> *<a href="mailto:nhorman@gmail.com" target="_blank">nhorman@gmail.com</a><br> *gpg keyid: 1024D / 0x92A74FA1<br> *<a href="http://pgp.mit.edu" target="_blank">http://pgp.mit.edu</a><br> ***************************************************/</div></div>