Re: Changes to make /dev/*random better sooner

[Taylor R Campbell <campbell+netbsd-tech-kern%mumble.net@localhost>]

   Date: Tue, 8 Apr 2014 00:25:32 -0400
   From: Thor Lancelot Simon <tls%panix.com@localhost>

   Attached are the changes from the tls-earlyentropy branch, which tries
   to make the output of /dev/random less predictable -- particularly for
   an attacker outside the box -- earlier.

   I intend to merge these soon.  Comment would be much appreciated.

I haven't found time to take a close look at these, but my first three
quick reactions are:

1. Getting entropy into newly installed systems should be a priority
far higher than spending effort trying to estimate newly gathered
entropy, and perhaps ought to me discussed and merged separately.
(See, e.g., <http://blog.cr.yp.to/20140205-entropy.html>.)

2. I'm inclined to say entropy estimation is something we ought to do
*off-line* for every kind of source, and we ought to statically write
down an upper bound on the amount of entropy per sample from sources,
rather than trying to estimate entropy on-line, with the option of
letting the system administrator control it with rndctl (e.g., to say:
`I'm about to bang on the keyboard like a monkey, please take that as
1 bit per sample rather than 0 bits per sample').

3. If you really want to use lzf as a dynamic entropy estimator, we'll
need to move it into src/sys/external -- kernel sources aren't allowed
to rely on anything outside src/sys and src/common (and nothing new is
allowed in src/common, I believe).