Entropy Gathering Enhancements

At vBSDCon 2017, W. Dean Freeman and John-Mark Gurney gave a presentation entitled "A Deep Dive into FreeBSD's Kernel RNG." In the course of preparing for the presentation, a number of bugs and non-optimizations were discovered. These included:

  • The fact that after the code refactoring to make room for Fortuna, the code path for mixing entropy gathered from so-called "PURE" sources, such as the RDRND instruction on Intel chips, was broken due to a new check on the bit value in the harvest mask and the fact that the bit could not actually be set.
  • In the random_harvest_queue code path, followed by the majority of entropy sources, entire "harvest_event" structures were being hashed, causing very low min-entropy measurement values when following the non-IID track for entropy source evaluation described in NIST SP800-90B Draft 2.

Working with the HardenedBSD team, these issues have been addressed by W. Dean Freeman and reviewed by John-Mark Gurney in 12-CURRENT. Patches will be made available upstream so that FreeBSD can benefit from both the bug fixes related to pure entropy sources as well as a boost in min-entropy. Additionally, a BSD-licensed userland daemon similar to that found the in GPLv2 licensed rng-tools package has been developed, which allows crypto officers to easily use USB-attached TRNGs to increase entropy fed into the kernel PRNG.

Future work related to this will include importing the NIST_CTR_DRBG module from NetBSD into HardenedBSD and performing a FIPS 140-2 gap analysis against available kernel cryptographic modules to see what additional work needs to be done in order to provide a BSD-based alternative to Linux in the government sphere.