
Kernel update and hardware random numbers

Bob Mottram 11 years ago
parent
commit
6287776f82
1 file changed with 92 additions and 2 deletions

beaglebone.txt: +92 -2

@@ -327,6 +327,48 @@ apt-get update
327 327
 apt-get dist-upgrade
328 328
 #+END_SRC
329 329
 
330
+** Configure for your location
331
+
332
+#+BEGIN_SRC: bash
333
+dpkg-reconfigure locales
334
+#+END_SRC
335
+
336
+And to verify the change.
337
+
338
+#+BEGIN_SRC: bash
339
+locale -a
340
+#+END_SRC
341
+
342
+** Upgrade the kernel
343
+Using a more recent kernel should improve stability of the system and also allow it to make use of hardware random number generation, which improves the overall security.  Please note that this kernel is specific to the BBB, so if you're using a Raspberry Pi, Cubieboard or other SBC then look elsewhere on the web for information about upgrading the kernel.
344
+
345
+#+BEGIN_SRC: bash
346
+cd /tmp
347
+wget http://freedombone.uk.to/kernel-3.13.tar.gz
348
+#+END_SRC
349
+
350
+Verify it.
351
+
352
+#+BEGIN_SRC: bash
353
+sha256sum kernel-3.13.tar.gz
354
+88f7c5d1a26b844371137a5e849b376284267452ee8ddbfe7792da9254b86473
355
+#+END_SRC
356
+
357
+Then extract and install it.
358
+
359
+#+BEGIN_SRC: bash
360
+tar -xzvf kernel-3.13.tar.gz
361
+cd kernel-3.13
362
+sh install-me.sh
363
+reboot
364
+#+END_SRC
365
+
366
+After the system has rebooted you can ssh back unto it and log in as the root user.  You can check that the kernel version has changed with the command:
367
+
368
+#+BEGIN_SRC: bash
369
+uname -mrs
370
+#+END_SRC
371
+
330 372
 ** Random number generation
331 373
 
332 374
 #+BEGIN_VERSE
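Review bot: the kernel download and verification steps in this hunk are weaker than the surrounding text implies. The tarball is fetched over plain HTTP (`wget http://freedombone.uk.to/kernel-3.13.tar.gz`), and the verification block shows `sha256sum kernel-3.13.tar.gz` with the expected digest on the following line, so a reader cannot tell whether that second line is output to compare against or a command to type. Consider saying explicitly that the printed digest must match `88f7c5d1a26b844371137a5e849b376284267452ee8ddbfe7792da9254b86473` before continuing, or have the tool do the comparison with `echo "88f7c5d1a26b844371137a5e849b376284267452ee8ddbfe7792da9254b86473  kernel-3.13.tar.gz" | sha256sum -c -` so a mismatch fails loudly instead of relying on a visual check. Since the archive is unsigned and fetched over an unauthenticated channel, a sentence before `sh install-me.sh` advising the reader to read the script before running it as root would also be appropriate. Minor: "ssh back unto it" should read "ssh back onto it".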
@@ -338,14 +380,62 @@ apt-get dist-upgrade
338 380
 
339 381
 The security of encryption depends upon the randomness of the random source used on your system.  If it isn't very random then it may be far more vulnerable to cryptanalysis, and it's known that in the past some dubious agencies have encouraged the use of flawed random number generators to assist with their prurient activities.  Randomness - typically referred to as /entropy/ - is often gathered from factors such as the timing of key presses or mouse movements, but since the BBB won't have such devices plugged into it this reduces the amount of entropy available.
340 382
 
341
-To improve entropy generation there are two options.  One is to install a kernel module which enables the hardware crypto available on the BBB, but that's a bit complicated and might have some stability implications.  The other option is to install [[http://www.issihosts.com/haveged/][havegd]].  While not as good as a true hardware random number generator, havegd is better than the default pseudo-random number generation within the Linux kernel.  To install it:
383
+*** On the Beaglebone Black
384
+If you are using a Beaglebone and have updated the kernel then install:
385
+
386
+#+BEGIN_SRC: bash
387
+apt-get install rng-tools
388
+emacs /etc/default/rng-tools
389
+#+END_SRC
390
+
391
+Uncomment *HRNGDEVICE=/dev/hwrng*, save and exit then restart the daemon.
392
+
393
+#+BEGIN_SRC: bash
394
+service rng-tools restart
395
+#+END_SRC
396
+
397
+Your BBB will now use hardware to generate random numbers.
398
+
399
+*** On other Single Board Comuters
400
+If you are not using a Beaglebone (a Cubieboard for example), or if you didn't update the kernel, then you can still improve the random number generation by installing:
342 401
 
343 402
 #+BEGIN_SRC: bash
344 403
 apt-get install haveged
345 404
 #+END_SRC
346 405
 
347
-At the time of writing there is also some hardware called [[http://beagleboard.org/project/CryptoCape/][cryptocape]] being developed, with the intention of adding extra random number generation capabilities to the BBB.
406
+*** Verifying random number quality
407
+You can check how much randomness (entropy) is available with:
348 408
 
409
+#+BEGIN_SRC: bash
410
+cat /proc/sys/kernel/random/entropy_avail
411
+#+END_SRC
412
+
413
+Ideally it should be in the range 1000-4096.  If it is persistently below 500 then there may be a problem with your system which could make it less secure.
414
+
415
+To verify that random number generation is good on the BBB run:
416
+
417
+#+BEGIN_SRC: bash
418
+cat /dev/hwrng | rngtest -c 1000
419
+#+END_SRC
420
+
421
+You should see something like this, with zero or a small number of failures:
422
+
423
+#+BEGIN_SRC: bash
424
+rngtest: starting FIPS tests...
425
+rngtest: bits received from input: 20000032
426
+rngtest: FIPS 140-2 successes: 1000
427
+rngtest: FIPS 140-2 failures: 0
428
+rngtest: FIPS 140-2(2001-10-10) Monobit: 0
429
+rngtest: FIPS 140-2(2001-10-10) Poker: 0
430
+rngtest: FIPS 140-2(2001-10-10) Runs: 0
431
+rngtest: FIPS 140-2(2001-10-10) Long run: 0
432
+rngtest: FIPS 140-2(2001-10-10) Continuous run: 0
433
+rngtest: input channel speed: (min=3.104; avg=26.015; max=18.626)Gibits/s
434
+rngtest: FIPS tests speed: (min=160.281; avg=165.696; max=168.792)Mibits/s
435
+rngtest: Program run time: 115987 microseconds
436
+#+END_SRC
437
+*** Additional addons
438
+At the time of writing there is also some hardware called [[http://beagleboard.org/project/CryptoCape/][cryptocape]] being developed, with the intention of adding extra random number generation capabilities to the BBB.
349 439
 ** Alter ssh configuration
350 440
 
351 441
 Altering the ssh configuration will make it a little more secure than the standard Debian settings.
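Review bot: "To verify that random number generation is good on the BBB" overstates what `cat /dev/hwrng | rngtest -c 1000` shows; the FIPS 140-2 tests only rule out grossly broken output (stuck bits, obvious bias, long runs), so the text should say that passing them is a sanity check, not evidence that `/dev/hwrng` is a good entropy source. The quoted `input channel speed: (min=3.104; avg=26.015; max=18.626)Gibits/s` also has an average above its maximum, which will confuse readers; either paste a fresh unedited run or note that the speed lines are informational only and the failure counts are what matter. Two smaller points: the heading "On other Single Board Comuters" is missing a "p" ("Computers"), and the "On the Beaglebone Black" steps have the reader uncomment `HRNGDEVICE=/dev/hwrng` without first confirming the device exists after the reboot (`ls -l /dev/hwrng`), which is the first thing to check when `service rng-tools restart` fails.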