[Whonix-devel] EGD used with a modern Kernel

procmem at riseup.net procmem at riseup.net
Fri Jan 31 22:33:33 CET 2020


On 1/31/20 9:27 PM, Brian Warner wrote:
> On 1/31/20 4:03 PM, procmem at riseup.net wrote:
>> Hi Brian. Whonix dev here (privacy distro based on Tor). We are looking
>> to add as many entropy sources as we can get our hands on, I was
>> wondering what you think of EGD at this point in time given the current
>> state of the Linux RNG?
>>
>> Is EGD relevant in a modern context? Does it use sources that the
>> kernel doesn't at this point?
> Heya. Nope, I'd recommend against EGD.. a modern kernel has access to
> much better sources (and to sources that are less visible to a potential
> attacker, specifically one running in userspace on the same machine)
> than my ancient perl script could see. Also, omg that thing is ugly, I'm
> kinda embarrassed about it by now :).
>
> At a distro level, I'd recommend making sure the CPU-provided hardware
> RNG sources are enabled (I *think* that means installing the rng-tools
> package, but there might be a kernel config switch, look around for
> "RDRAND" or "/dev/hwrng" or something).
>
> The ideal situation is to be using RDRAND data, plus having the kernel
> fold in interrupt timing as sort of a backup (some people are paranoid
> and don't want to use RDRAND, but I think it's fine, and that their
> concerns are addressed by mixing both RDRAND data and other sources).
>
> The biggest thing to pay attention to is when the kernel's entropy pools
> get seeded during the boot process, and to make sure that key generation
> is deferred until after that point. I'm sure you've run into this before
> :). SSH keygen in a new debian/ubuntu image at boot time is the part
> that I'm always worried about, but I'd bet you've got Tor node keys and
> a host of other tools which do the same.
>
> Whonix is cool stuff, thanks for working on it!
>
> cheers,
>  -Brian

Noted and thanks for your kind words. We love the magic-wormhole and
have had it in our arsenal for some time now :) At the moment I am working
on I2P integration and will hopefully include Tahoe-LAFS once that's done.
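Brian's two checklist items (make sure the CPU hardware RNG is in use, and defer key generation until the kernel pool is seeded) as code. This is an added Python example, not code from the thread, from Whonix or from EGD: it checks whether /proc/cpuinfo advertises RDRAND, which driver /sys/class/misc/hw_random/rng_current has bound, and polls a non-blocking getrandom(2) so a first-boot script can wait for the CRNG before generating SSH or Tor keys. The paths are the standard Linux procfs/sysfs ones; the helper names and the polling behaviour are my own.

```python
import os
import time
from typing import Callable, Optional

def cpu_has_rdrand(cpuinfo_text: str) -> bool:
    """True if any 'flags' line of /proc/cpuinfo lists the rdrand instruction."""
    for line in cpuinfo_text.splitlines():
        if line.startswith("flags") and ":" in line:
            if "rdrand" in line.split(":", 1)[1].split():
                return True
    return False

def hwrng_current(rng_current_text: str) -> Optional[str]:
    """Driver named in /sys/class/misc/hw_random/rng_current, or None if 'none'."""
    name = rng_current_text.strip()
    return None if name in ("", "none") else name

def _getrandom_probe() -> bool:
    """One non-blocking getrandom(2); it fails with EAGAIN only while the CRNG is unseeded."""
    try:
        os.getrandom(1, os.GRND_NONBLOCK)
        return True
    except BlockingIOError:
        return False

def wait_until_seeded(probe: Callable[[], bool] = _getrandom_probe,
                      timeout_s: float = 30.0, poll_s: float = 0.5) -> int:
    """Block until the kernel CRNG is seeded. Returns how many polls saw it
    unseeded; raises TimeoutError if the deadline passes. Call this before
    first-boot key generation so keys never come from an unseeded pool."""
    deadline = time.monotonic() + timeout_s
    waited = 0
    while not probe():
        waited += 1
        if time.monotonic() >= deadline:
            raise TimeoutError("kernel CRNG still unseeded after %.1fs" % timeout_s)
        time.sleep(poll_s)
    return waited

def _read(path: str) -> str:
    try:
        with open(path) as fh:
            return fh.read()
    except OSError:
        return ""  # missing file (no hw_random driver loaded) is reported as 'none'

if __name__ == "__main__":
    print("rdrand available:", cpu_has_rdrand(_read("/proc/cpuinfo")))
    print("hwrng driver:", hwrng_current(_read("/sys/class/misc/hw_random/rng_current")))
    print("polls before CRNG seeded:", wait_until_seeded())
```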


