Hardware Random Number Generation

  • Dear Developers,

    Please consider adding hardware random number generation support. I am interested in this, but not fully knowledgeable about the subject. Currently, I am using pfSense on some Intel Atom CPU C2758 machines. For OpenVPN with the usual CBC-AES, I would find it desirable, if random number generation issues could be eradicated. I was thinking about the possibilities of using TrueRNG, so I wrote to the developers at ubld.it Their kind response was:

    "While nobody here has officially tested the TrueRNG with FreeBSD, I feel very confident that it should be able to access the device. As for seeding the entropy in the system, that is another matter. Typically on a Linux based system, we install rngd (from the rng-tools package) and configure it to read from the TrueRNG device, it then takes care of providing the kernel with entropy which is used throughout the system. Not being very proficient in FreeBSD I cannot comment much further." … "On Linux, pseudorandom comes from /dev/urandom, and true random comes from /dev/random, on OSX they are merged using the Yarrow method and /dev/random and /dev/urandom are the same device, (providing a mix of pseudo and non pseudo).  My research tells me that FreeBSD also does Yarrow so it should be the same as osx.  With a rngd on osx seeding /dev/random what happens is if available true rng entropy is available, it is served to the application requesting it, if the pool is low, it provides pseudorandom.  That being said, if our device was seeding the pool, the requests from an application requiring entropy would be getting true random data. All in all, I don't know enough about your particular application to comment further.  If you wanted to purchase the device and take a stab at getting it running I will be happy to try and help further it along if you get stuck, but in a nutshell once the device is enumerated over usb, it should just be a matter of compiling rngd for your system (or finding a precompiled package) and setting up the config file."

    Please take into account, if such hardware would be benficial to pfSense.


    Michael Schefczyk