Call for disabling libgcrypt libjitterentropy of rng-tool

Lei YU mine260309 at gmail.com
Fri Jul 5 16:21:25 AEST 2019


This email is to call for disabling libgcrypt and libjitterentropy of rngd.

The jitter entropy of rngd has two problems:
1. It has a bug that consumes all CPU when idle:
   https://github.com/openbmc/openbmc/issues/3574
2. During the start of rngd, the code in thread_entropy_task() consumes a lot
   of CPU, until it reads 16535 bytes from jent_read_entropy().

The bug in 1 could be fixed, and the issue in 2 is mitigated by lower niceness
of rngd [1].

However, why not just disable jitter entropy?

Pros:
1. There will be no more high CPU consumption by rngd;
2. The hwrng (hardware random number generator) is the default entropy source
   of rngd, and it is enough.
3. The performance of /dev/random is a bit better than with jitter entropy
   (tested by rngtest, see details below)

Cons:
1. There is only one entropy source, from hwrng; the quality of the random
   number may be questionable if one does not trust the hwrng.

What do you think?


TL;DR

Here are the details about the performance.
1. With the above bug 1 fixed, and after jitter entropy is filled (otherwise
the high CPU usage impacts the performance):

rngtest: starting FIPS tests...
rngtest: bits received from input: 200032
rngtest: FIPS 140-2 successes: 10
rngtest: FIPS 140-2 failures: 0
rngtest: FIPS 140-2(2001-10-10) Monobit: 0
rngtest: FIPS 140-2(2001-10-10) Poker: 0
rngtest: FIPS 140-2(2001-10-10) Runs: 0
rngtest: FIPS 140-2(2001-10-10) Long run: 0
rngtest: FIPS 140-2(2001-10-10) Continuous run: 0
rngtest: input channel speed: (min=46.411; avg=63.397; max=101.982)Kibits/s
rngtest: FIPS tests speed: (min=24.359; avg=26.624; max=27.804)Mibits/s
rngtest: Program run time: 3101853 microseconds

The `avg` speed is about 60~64 Kibits/s.

2. Built with libjitterentropy disabled:

rngtest: starting FIPS tests...
rngtest: bits received from input: 200032
rngtest: FIPS 140-2 successes: 10
rngtest: FIPS 140-2 failures: 0
rngtest: FIPS 140-2(2001-10-10) Monobit: 0
rngtest: FIPS 140-2(2001-10-10) Poker: 0
rngtest: FIPS 140-2(2001-10-10) Runs: 0
rngtest: FIPS 140-2(2001-10-10) Long run: 0
rngtest: FIPS 140-2(2001-10-10) Continuous run: 0
rngtest: input channel speed: (min=55.128; avg=72.556; max=90.751)Kibits/s
rngtest: FIPS tests speed: (min=24.236; avg=26.762; max=27.723)Mibits/s
rngtest: Program run time: 2713602 microseconds

The `avg` speed is about 69~73 Kibits/s.

[1]: https://github.com/openbmc/openbmc/commit/1987be716cba85cdc1f210ceddc957a87b03be27
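
Added example, not part of the original message: a small Python parser for the two rngtest summaries quoted above (key lines copied from the message), which checks the FIPS failure count, derives wall-clock throughput from bits received and run time, and reports the relative change in avg input speed and whether the min..max ranges of the two runs overlap. The function names are chosen for this example.

```python
import re

# Key lines of the two rngtest summaries in the message above.
WITH_JITTER = """\
rngtest: bits received from input: 200032
rngtest: FIPS 140-2 successes: 10
rngtest: FIPS 140-2 failures: 0
rngtest: input channel speed: (min=46.411; avg=63.397; max=101.982)Kibits/s
rngtest: Program run time: 3101853 microseconds
"""
WITHOUT_JITTER = """\
rngtest: bits received from input: 200032
rngtest: FIPS 140-2 successes: 10
rngtest: FIPS 140-2 failures: 0
rngtest: input channel speed: (min=55.128; avg=72.556; max=90.751)Kibits/s
rngtest: Program run time: 2713602 microseconds
"""

SPEED = re.compile(r"input channel speed: \(min=([\d.]+); avg=([\d.]+); max=([\d.]+)\)Kibits/s")

def parse_rngtest(report):
    """Extract counters and input channel speed from an rngtest summary."""
    def count(label):
        m = re.search(re.escape(label) + r": (\d+)", report)
        if m is None:
            raise ValueError("missing field: " + label)
        return int(m.group(1))
    speed = SPEED.search(report)
    if speed is None:
        raise ValueError("missing input channel speed")
    lo, avg, hi = map(float, speed.groups())
    return {"bits": count("bits received from input"),
            "failures": count("FIPS 140-2 failures"),
            "runtime_us": count("Program run time"),
            "min": lo, "avg": avg, "max": hi}

def wall_clock_kibits(run):
    """Bits received over total run time (FIPS test time included), Kibits/s."""
    return run["bits"] / (run["runtime_us"] / 1e6) / 1024

def compare(before, after):
    """Return (relative change in avg speed, whether min..max ranges overlap)."""
    if before["failures"] or after["failures"]:
        raise ValueError("a run with FIPS failures is not comparable")
    change = (after["avg"] - before["avg"]) / before["avg"]
    overlap = after["min"] <= before["max"] and before["min"] <= after["max"]
    return change, overlap

if __name__ == "__main__":
    a, b = parse_rngtest(WITH_JITTER), parse_rngtest(WITHOUT_JITTER)
    change, overlap = compare(a, b)
    print(f"wall clock: {wall_clock_kibits(a):.1f} -> {wall_clock_kibits(b):.1f} Kibits/s")
    print(f"avg change: {change:+.1%}, ranges overlap: {overlap}")
```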

