netrng

Setting up the Raspberry Pi as an entropy server

The Raspberry Pi has a hardware random number generator. Quick testing shows it can provide sufficient entropy to read from /dev/random at around 35kB/s.

  • Build the bcm2708-rng kernel driver (required on at least raspbmc):
    sudo su -
    apt-get install build-essential bc gcc make
    cd /tmp
    wget http://www.mirrorservice.org/sites/raspbmc.com/downloads/bin/kernel/linux-headers-latest.deb.gz
    mkdir x
    dpkg-deb -x linux-headers-latest.deb.gz x
    mv -v x/usr/src/linux-headers-$(uname -r)/Module.symvers /usr/src
    cd /usr/src
    gKernel=$(uname -r | sed 's/[0-9]*$/y/')
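    # --no-check-certificate skips TLS verification of this download;
    # install ca-certificates and drop the flag where possible
    wget --no-check-certificate https://github.com/raspberrypi/linux/archive/rpi-$gKernel.tar.gz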
    tar xzf rpi-*.tar.gz
    mv linux-rpi-*y rpi-linux
    cd rpi-linux/
    make mrproper
    zcat /proc/config.gz > .config
    sed -i 's/CONFIG_CROSS_COMPILE.*/CONFIG_CROSS_COMPILE=""/' .config
    apt-get install ncurses-dev
    make menuconfig
    # Enable HW_RANDOM and HW_RANDOM_BCM2708
    cp /usr/src/Module.symvers .
    make modules SUBDIRS=drivers/char/hw_random/
    modprobe hwrng_register
    insmod drivers/char/hw_random/rng-core.ko
    insmod drivers/char/hw_random/bcm2708-rng.ko
    mkdir -p /lib/modules/3.12.31/kernel/drivers/char/hw_random/
    cp drivers/char/hw_random/bcm2708-rng.ko /lib/modules/3.12.31/kernel/drivers/char/hw_random/
  • Install and start rngd to populate the local system's entropy pool from the hardware RNG:
    sudo apt-get install rng-tools
    sudo bash -c 'echo "bcm2708-rng" >> /etc/modules'
    sudo initctl start rngd
  • Install NetRNG on both clients and the server:
    sudo apt-get install git python-virtualenv python-dev
    git clone https://github.com/infincia/NetRNG.git
    sudo mv NetRNG /opt
    cd /opt/NetRNG/
    git fetch --tags origin
    git checkout -b v0.1 v0.1
    virtualenv /opt/NetRNG/env
    source /opt/NetRNG/env/bin/activate
    pip install -r /opt/NetRNG/requirements.txt
    sudo cp netrng.conf.upstart /etc/init/netrng.conf 
    sudo cp netrng.conf.sample /etc/netrng.conf 
  • Start the NetRNG server on the Raspberry Pi:
    sudo initctl start netrng

Setting up an entropy client

  • Install and run the NetRNG client on each network machine:
    sudo vim /etc/netrng.conf
    # Set mode = client, and the server IP address
    sudo initctl start netrng
  • Verify it's working:
    # Whenever the pool drops to 128 it should very quickly be refilled
    watch -n 0.1 cat /proc/sys/kernel/random/entropy_avail
    # For extra fun, try this both with and without netrng running:
    cat /dev/random | pv -bart > /dev/null
    # For me this measures 13KB/s with netrng running
    # but only small numbers of B/s rapidly dropping towards zero with netrng stopped
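
The entropy_avail check above can be scripted instead of watched by eye. This is an added example, not part of the original page or of NetRNG; the function names, the three-sample tolerance and the sample readings are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: flag a pool that stays at or below the refill mark.
ENTROPY_FILE=/proc/sys/kernel/random/entropy_avail
LOW_MARK=128   # level at which the page expects a quick refill

# Constructed readings (not measured), one per 0.1 s sample
SAMPLE_RUNNING="900 640 128 120 870 910 127 890"   # netrng running
SAMPLE_STOPPED="300 128 90 60 31 8 0 0"            # netrng stopped

# sample_pool COUNT INTERVAL: print COUNT live readings, one per line
sample_pool() {
    i=0
    while [ "$i" -lt "$1" ]; do
        cat "$ENTROPY_FILE"
        sleep "$2"
        i=$((i + 1))
    done
}

# longest_starvation: read one reading per line on stdin and print the
# longest run of consecutive readings at or below LOW_MARK
longest_starvation() {
    awk -v low="$LOW_MARK" '
        NF == 0 { next }                       # ignore blank lines
        $1 + 0 <= low { run++; if (run > worst) worst = run; next }
        { run = 0 }                            # pool recovered
        END { print worst + 0 }'
}

# pool_verdict MAX_RUN: read readings on stdin; print "refilling" when no
# low run is longer than MAX_RUN samples, otherwise "starved"
pool_verdict() {
    worst=$(longest_starvation)
    if [ "$worst" -le "$1" ]; then
        echo "refilling"
    else
        echo "starved"
    fi
}

# Live use on a client:   sample_pool 100 0.1 | pool_verdict 3
# Constructed data:       printf '%s\n' $SAMPLE_STOPPED | pool_verdict 3
```

On kernels 5.18 and later entropy_avail stays at 256 once the pool is initialised, so this check is only meaningful on older kernels such as the 3.12 series used here.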

Systemd unit file

For systems that use systemd instead of upstart, use the following service definition:

/etc/systemd/system/netrng.service
[Unit]
Description=NetRNG Entropy Client
After=syslog.target
 
[Service]
Type=simple
ExecStart=/opt/NetRNG/env/bin/python /opt/NetRNG/netrng.py
User=root
 
[Install]
WantedBy=multi-user.target

Future Improvements?

  • Currently the random data is sent over the network in cleartext, which is not ideal: anyone who can observe the traffic sees the entropy delivered to the clients. Stunnel or some kind of VPN would fix that; alternatively, the netrng source code could be patched to use an encrypted socket connection.
  • A puppet module to manage the installation and configuration of client/server parts
netrng.txt · Last modified: 2015/01/31 21:05 by ben