2

It is mentioned in the kernel source in random.c that get_random_int is “Similar to urandom but with the goal of minimal entropy pool depletion”. However, where (and how) does get_random_int interact with the entropy pool?

Now, urandom actually calls extract_entropy_user, but I don't see anything similar to that in get_random_int. It seems that get_random_int uses its own sources of entropy (unrelated to keyboard, mouse and disk activity):

hash[0] += current->pid + jiffies + get_cycles();

and does not care about (nor update) the state of the entropy available to the system in general?

How does get_random_int deplete the entropy pool? Where does this get updated? I know I'm missing something or reading the source wrong, because when I execute a program I can see how it depletes the entropy pool just by executing cat on entropy_avail.

I've looked through http://xorl.wordpress.com/2011/01/16/linux-kernel-aslr-implementation/ but it doesn't seem to mention how this works.

Gilles 'SO- stop being evil'
  • 104,111
  • 38
  • 209
  • 254
csstudent2233
  • 659
  • 10
  • 17

2 Answers2

1

As far as I can tell, it doesn't directly deplete the entropy pools. It simply returns a low(er) quality random number. It depends on the secret hash used by ISN seq generation (refreshed periodically), its own per-cpu state, and the pid/time/cycles.

It is similar to urandom mostly in that it doesn't block when entropy is low.

Hasturkun
  • 35,395
  • 6
  • 71
  • 104
  • Interesting, then why do I observe a decreasing entropy_avail when I repeatedly cat the file? – csstudent2233 Mar 07 '13 at 14:52
  • If I had to guess, I'd say it's because of `rekey_seq_generator()`, which is called periodically (and sets the aforementioned hash), which uses `get_random_bytes()`, which does use the entropy pool. – Hasturkun Mar 07 '13 at 15:14
  • On second thought, that would seem to be a bad guess, as the rekey interval is `(300 * HZ)`. In any case, I don't see anything there directly depleting the entropy – Hasturkun Mar 07 '13 at 15:21
  • Can you reproduce the behavior where I observe the entropy getting depleted just by catting entropy_avail? I kill most running processes, do a find to make sure the entropy is high, then I cat /proc/sys/kernel/entropy_avail and see that this number decreases for each execution of cat. – csstudent2233 Mar 07 '13 at 15:58
0

The hash[0] is also mixed with a hash called random_int_secret which is generated only once early at boot by the function random_int_secret_init(). It's generated using get_random_bytes(), which does deplete the entropy estimate.

From drivers/char/random.c, a function is defined which will generate this one-time hash which is re-used each time a random int is requested:

static u32 random_int_secret[MD5_MESSAGE_BYTES / 4];
int random_int_secret_init(void)
{
    get_random_bytes(random_int_secret, sizeof(random_int_secret)); /* XXX */
    return 0;
}

In the function get_random_int(), random_int_secret is mixed with hash, before hash[0] is returned as the random int being requested.

static DEFINE_PER_CPU(__u32 [MD5_DIGEST_WORDS], get_random_int_hash);
unsigned int get_random_int(void)
{
    __u32 *hash;
    unsigned int ret;

    if (arch_get_random_int(&ret))
        return ret;

    hash = get_cpu_var(get_random_int_hash);

    hash[0] += current->pid + jiffies + random_get_entropy();
    md5_transform(hash, random_int_secret); /* XXX */
    ret = hash[0];
    put_cpu_var(get_random_int_hash);

    return ret;
}
EXPORT_SYMBOL(get_random_int);

Right at the beginning of the boot process, in init/main.c, this seed is generated:

static void __init do_basic_setup(void)
{
    cpuset_init_smp();
    shmem_init();
    driver_init();
    init_irq_proc();
    do_ctors();
    usermodehelper_enable();
    do_initcalls();
    random_int_secret_init(); /* XXX */
}

Regarding cat depleting the pool, I use to remember why it does that, but I do not anymore. However I'm pretty sure it's not ASLR, because on systems with RDRAND, get_random_int() gives ints only from the instruction, and nothing else. My system has RDRAND, and I also see the entropy count go down when spawning processes.

cassab
  • 1