NetBSD-Users archive


Re: Randomness



> On Jan 15, 2014, at 10:21 , Justin Cormack 
> <justin%specialbusservice.com@localhost> wrote:
>> On Wed, Jan 15, 2014 at 8:47 AM, Fredrik Pettai <pettai%nordu.net@localhost> 
>> wrote:
>>> 
>>> While at the topic randomness, would be good if NetBSD could
>>> implement an ioctl like Linux RNDADDENTROPY?
>>> This helps to increase the randomness by importing &
>>> inserting from other random sources, like the YubiHSM etc.
>> 
>> It does, RNDADDDATA. However you might want to write a driver, as the
>> ioctl does not add to the entropy count (because userspace is
>> untrusted).
> 
> Or perhaps a simpler idea would be to add a sysctl option that
> gives you a choice whether it should accept entropy from
> userspace or not?

If I'm not terribly mistaken, it is there already, and is called
kern.securelevel. :)  The kernel adds an entropy estimation if

        estimate_ok = !kauth_authorize_device(cred,
            KAUTH_DEVICE_RND_ADDDATA_ESTIMATE, NULL, NULL, NULL, NULL);

I believe this got turned into "is securelevel > 0", but I forgot
how to go about finding the appropriate code in the kauth code.

But ... it's probably not a very good idea to lower securelevel
(if your system runs with non-default securelevel) just to get
"better" entropy.

Regards,

- Håvard
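
The check a practitioner would want after reading the above is whether the kernel actually credited the entropy estimate that came with an RNDADDDATA request, or only mixed the bytes in. The program below is an added example, not code from this thread and not NetBSD's own code. It builds an rnddata_t request from a constructed byte buffer, submits it to /dev/random, and reads the pool's curentropy via RNDGETPOOLSTAT before and after; the difference is what the kernel credited. Assumptions not stated in the thread: the request and statistics structures are the ones declared in <sys/rnd.h>, /dev/random must be opened read/write for RNDADDDATA, and the sample bytes stand in for output of a hardware source such as the YubiHSM mentioned by Fredrik. The ioctl path is only compiled on NetBSD; elsewhere a local mirror of the request layout is used so the request-building helper still compiles and runs.

```c
/*
 * Added example (not from the NetBSD-Users thread, not NetBSD's own code):
 * feed bytes from a userspace source into the NetBSD pool with RNDADDDATA
 * and use RNDGETPOOLSTAT before and after to see whether the kernel
 * credited the entropy estimate.
 *
 * Assumptions: rnddata_t / rndpoolstat_t come from <sys/rnd.h>, the pool
 * statistics field of interest is curentropy, and /dev/random is opened
 * read/write.  The sample buffer in main() is constructed, not real HSM
 * output.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#ifdef __NetBSD__
#include <sys/ioctl.h>
#include <sys/rnd.h>
#include <fcntl.h>
#include <unistd.h>
#else
/* Local mirror of NetBSD's rnddata_t layout (assumed from sys/rnd.h) so the
 * request helper can be built and exercised on other systems. */
#define RND_SAVEWORDS 64
typedef struct {
	uint32_t len;       /* number of valid bytes in data[] */
	uint32_t entropy;   /* caller's entropy estimate for those bytes, in bits */
	unsigned char data[RND_SAVEWORDS * sizeof(uint32_t)];
} rnddata_t;
#endif

/*
 * Fill one RNDADDDATA request.  Returns the number of bytes copied, or -1 if
 * the buffer does not fit in a single request.  The entropy claim is capped
 * at 8 bits per byte as a local sanity bound; the kernel applies its own,
 * stricter cap and drops the estimate entirely when the caller is not
 * authorized for KAUTH_DEVICE_RND_ADDDATA_ESTIMATE (the securelevel case
 * discussed in the thread).
 */
int build_rnd_request(rnddata_t *rd, const unsigned char *src, size_t len,
    uint32_t claimed_bits)
{
	if (len > sizeof(rd->data))
		return -1;
	memset(rd, 0, sizeof(*rd));
	memcpy(rd->data, src, len);
	rd->len = (uint32_t)len;
	rd->entropy = claimed_bits;
	if (rd->entropy > len * 8)
		rd->entropy = (uint32_t)(len * 8);
	return (int)len;
}

/* Bits the pool gained between two readings; 0 means the data was taken
 * but the estimate was not credited (or consumers drained it meanwhile). */
uint32_t credited_bits(uint32_t before, uint32_t after)
{
	return after > before ? after - before : 0;
}

#ifdef __NetBSD__
/* Submit one request and report how much the pool's entropy count moved. */
static int feed_pool(const unsigned char *buf, size_t len, uint32_t claimed_bits)
{
	rnddata_t rd;
	rndpoolstat_t before, after;
	int fd;

	if (build_rnd_request(&rd, buf, len, claimed_bits) < 0) {
		fprintf(stderr, "buffer too large for one RNDADDDATA request\n");
		return -1;
	}
	fd = open("/dev/random", O_RDWR);
	if (fd < 0) { perror("open /dev/random"); return -1; }
	if (ioctl(fd, RNDGETPOOLSTAT, &before) < 0) { perror("RNDGETPOOLSTAT"); close(fd); return -1; }
	if (ioctl(fd, RNDADDDATA, &rd) < 0) { perror("RNDADDDATA"); close(fd); return -1; }
	if (ioctl(fd, RNDGETPOOLSTAT, &after) < 0) { perror("RNDGETPOOLSTAT"); close(fd); return -1; }
	close(fd);
	printf("claimed %u bits, pool credited %u bits\n", rd.entropy,
	    credited_bits(before.curentropy, after.curentropy));
	return 0;
}
#endif

int main(void)
{
	/* Constructed sample input; a real caller reads this from its device. */
	unsigned char sample[32];
	for (size_t i = 0; i < sizeof(sample); i++)
		sample[i] = (unsigned char)(i * 37 + 11);
#ifdef __NetBSD__
	return feed_pool(sample, sizeof(sample), 8 * sizeof(sample)) == 0 ? 0 : 1;
#else
	rnddata_t rd;
	build_rnd_request(&rd, sample, sizeof(sample), 256);
	printf("not NetBSD: built a %u-byte request claiming %u bits, no ioctl issued\n",
	    rd.len, rd.entropy);
	return 0;
#endif
}
```

Run it twice on NetBSD, once at the default securelevel and once at a raised one: a credited count of zero on the second run is the behaviour Justin and Håvard describe, with the bytes still mixed in but the estimate discarded. The before/after reading is only indicative, since another consumer can drain the pool between the two RNDGETPOOLSTAT calls.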

