Remix.run Logo
Remix clone Hacker News
new | show | ask | jobsGithub
ape4 5 hours ago

Ah, I wonder what's change since then.

vbezhenar 5 hours ago | parent [-]

Here's quote from the article:

> Note from 2024: This article was published on March 16th, 2014. It is still correct in its discussion of entropy and randomness, but the Linux kernel random number generator has been reworked several times since then and does not look like this anymore. Good news: the separation between /dev/urandom and /dev/random is practically gone.

My understanding is that on modern Linux system:

At early boot phases, /dev/random can still block, because not enough entropy has been seeded yet. /dev/urandom will not block, but the random data might be of poor quality and not suitable for crypto purposes. This happens very early in the boot, so probably it's not even possible to run user stuff at this time. At least on my laptop, the message "random: crng init done" gets logged almost instantly after boot and long before even initrd starts. Might be different for exotic platforms, I guess.

Once there was enough entropy seeded, both /dev/random and /dev/urandom works identically, they don't block and they return high quality random data. So for most userspace purposes, these files can be used interchangeably, one is not better than another.

aomix 4 hours ago | parent | next [-]

It started looking a whole lot like OpenBSD’s random number system. Private entropy pool from good system entropy seeds a ChaCha20 stream with random reseeds for forward secrecy in case of compromise. I think Linux is even more paranoid in the early boot environment where even in the presence of a seed file it prefers to get system entropy mixed in before confidently saying it can do crypto activities.

mananaysiempre 5 hours ago | parent | prev [-]

> Might be different for exotic platforms, I guess.

Short-lived isolated VMs (like might be used for CI) are one place where entropy can be a problem. The relevant definition of “platform” here is less about the CPU architecture and more about the environment.

ChrisSD 5 hours ago | parent [-]

VMs should have VirtIO RNG set up so there is a high quality entropy source at boot time, provided by the host system.

mananaysiempre 4 hours ago | parent [-]

Should, yes. Will, perhaps, but better be aware of the potential problem and check.

Just yesterday I encountered people complaining about a VM not connecting to a cloud service when they neglected to put their DNS server’s address in the config for the DHCP server used by that particular host. And a dysfunctional RNG is much more difficult to detect.