Last edited 9 months ago

How to control a RNG in userspace: Difference between revisions

Visual
deleted>Lme00487
mNo edit summary
 
Registered User
 
(9 intermediate revisions by 5 users not shown)
Line 1: Line 1:
<noinclude>
<noinclude>{{ApplicableFor
{{ArticleMainWriter | LionelD}}
|MPUs list=STM32MP13x, STM32MP15x, STM32MP21x, STM32MP23x, STM32MP25x
{{ArticleApprovedVersion | LionelD | JeromeB(Passed, 7Jan'19) | No previous approved version | AlainF - 15Jan'19 - 10272 | 13Dec'18}}
|MPUs checklist=STM32MP13x, STM32MP15x, STM32MP21x, STM32MP23x, STM32MP25x
[[Category:Security]]
}}</noinclude>
</noinclude>


==Purpose==
==Purpose==
[[Hardware_random_overview|Hardware random framework]] offers the interface to control RNG devices from userspace. <br>
[[Hardware_random_overview|Hardware random framework]] offers the interface to control RNG devices from userspace. <br>
This article shows two ways to control a RNG in userspace:
This article shows three ways to control a RNG in userspace:
*using /dev/random command to generate a random number
*using /dev/random command to generate a random number
*using /dev/hwrng command to generate a random number
*using rng-tools to validate the RNG
*using rng-tools to validate the RNG


==RNG control through /dev/random ==
==RNG control through /dev/random ==
/dev/random is a special file that can be used to generate random numbers. It uses noise collected from device drivers and hardware random sources to generate data.
/dev/random is a special file that can be used to generate random numbers based on a pseudo-random generator that runs on the Linux Kernel entropy pool. When a hardware random number generator device is available, the pool is periodically supplied with data generated by this device. Else, it is entirely software generated.
od (octal dump) command is used to extract the number of bytes and display the decimal number.<br>
od (octal dump) command is used to extract the number of bytes and display the decimal number.<br>
Ex:  
E.g:  
- Random number (0 - 255):
- Random number (0 - 255):
  {{Board$}} od -An -N1 -i /dev/random
  {{Board$}}od -An -N1 -i /dev/random
         172
         172
- Random number (0 - 65535):
- Random number (0 - 65535):
  {{Board$}} od -An -N2 -i /dev/random
  {{Board$}}od -An -N2 -i /dev/random
         20041
         20041
==RNG control through /dev/hwrng==
/dev/hwrng is a special file that can be used to generate random numbers based on a hardware random number generator.
E.g
- Random number (0 - 65535):
{{Board$}}od -An -N2 -i /dev/hwrng
        5719


==RNG control through rng-tools==
==RNG control through rng-tools==
rng_tools<ref name="rngtools">https://git.kernel.org/pub/scm/utils/kernel/rng-tools/rng-tools.git/</ref> is a set of tools related to random number generation.<br>
rng-tools<ref name="rngtools">https://git.kernel.org/pub/scm/utils/kernel/rng-tools/rng-tools.git/</ref> is a set of tools related to random number generation.<br>
rng-tools will connect to the hardware random number generator through /dev/hwrng.
rngtest is a basic test that checks data using FIPS 140-2 tests<ref>https://en.wikipedia.org/wiki/FIPS_140-2</ref> which is a security requirement test for cryptographic module compliance.
rngtest is a basic test that checks data using FIPS 140-2 tests<ref>https://en.wikipedia.org/wiki/FIPS_140-2</ref> which is a security requirement test for cryptographic module compliance.


  {{Board$}} rngtest -c 100 </dev/hwrng                                                                                                                                           
  {{Board$}}rngtest -c 100 </dev/hwrng                                                                                                                                           
  rngtest 5
  rngtest 5
  Copyright (c) 2004 by Henrique de Moraes Holschuh
  Copyright (c) 2004 by Henrique de Moraes Holschuh
Line 44: Line 53:
  rngtest: Program run time: 58114432 microseconds
  rngtest: Program run time: 58114432 microseconds


It is normal for any random generator to fail in small number of tests, but failures must not exceed around 10.
It is normal for any random generator to fail in small number of tests, but failures must not exceed a reasonable proportion on a large sample (<= 0.5%).


==References==
==References==
<references/>


<references/>
<noinclude>
[[Category:Security]]
{{PublicationRequestId | 10272 | 2019-01-15 | AlainF}}
</noinclude>

Latest revision as of 10:21, 29 October 2024

Applicable for STM32MP13x lines, STM32MP15x lines, STM32MP21x lines, STM32MP23x lines, STM32MP25x lines

1. Purpose[edit | edit source]

Hardware random framework offers the interface to control RNG devices from userspace.
This article shows three ways to control a RNG in userspace:

  • using /dev/random command to generate a random number
  • using /dev/hwrng command to generate a random number
  • using rng-tools to validate the RNG

2. RNG control through /dev/random[edit | edit source]

/dev/random is a special file that can be used to generate random numbers based on a pseudo-random generator that runs on the Linux Kernel entropy pool. When a hardware random number generator device is available, the pool is periodically supplied with data generated by this device. Else, it is entirely software generated. od (octal dump) command is used to extract the number of bytes and display the decimal number.
E.g: - Random number (0 - 255): 

Template:Board$od -An -N1 -i /dev/random
        172

- Random number (0 - 65535): 

Template:Board$od -An -N2 -i /dev/random
        20041

3. RNG control through /dev/hwrng[edit | edit source]

/dev/hwrng is a special file that can be used to generate random numbers based on a hardware random number generator.

E.g - Random number (0 - 65535): 

Template:Board$od -An -N2 -i /dev/hwrng
        5719

4. RNG control through rng-tools[edit | edit source]

rng-tools[1] is a set of tools related to random number generation.
rng-tools will connect to the hardware random number generator through /dev/hwrng. rngtest is a basic test that checks data using FIPS 140-2 tests[2] which is a security requirement test for cryptographic module compliance. 

Template:Board$rngtest -c 100 </dev/hwrng                                                                                                                                           
rngtest 5
Copyright (c) 2004 by Henrique de Moraes Holschuh
This is free software; see the source for copying conditions.  There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

rngtest: starting FIPS tests...
rngtest: bits received from input: 2000032
rngtest: FIPS 140-2 successes: 100
rngtest: FIPS 140-2 failures: 0
rngtest: FIPS 140-2(2001-10-10) Monobit: 0
rngtest: FIPS 140-2(2001-10-10) Poker: 0
rngtest: FIPS 140-2(2001-10-10) Runs: 0
rngtest: FIPS 140-2(2001-10-10) Long run: 0
rngtest: FIPS 140-2(2001-10-10) Continuous run: 0
rngtest: input channel speed: (min=33.154; avg=33.656; max=34.217) Kibits/s
rngtest: FIPS tests speed: (min=21.193; avg=23.180; max=23.403) Mibits/s
rngtest: Program run time: 58114432 microseconds

It is normal for any random generator to fail in small number of tests, but failures must not exceed a reasonable proportion on a large sample (<= 0.5%).

5. References[edit | edit source]

  1. https://git.kernel.org/pub/scm/utils/kernel/rng-tools/rng-tools.git/
  2. https://en.wikipedia.org/wiki/FIPS_140-2


Random number generator

Linux® is a registered trademark of Linus Torvalds.

Retrieved from "https://wiki.st.com/stm32mpu/index.php?title=How_to_control_a_RNG_in_userspace&oldid=110470"