Date: Fri, 07 Apr 2006 12:36:22 -0700
From: Sam Leffler <sam@errno.com>
To: "Eric W. Bates" <ericx_lists@vineyard.net>
Cc: freebsd-net@freebsd.org
Subject: Re: hifn errors on console
Message-ID: <4436BF36.4010000@errno.com>
In-Reply-To: <4436A7AF.2040101@vineyard.net>
References: <44313943.1060300@vineyard.net> <44314957.4020800@errno.com> <4436A7AF.2040101@vineyard.net>

Eric W. Bates wrote:
>
> Sam Leffler wrote:
>> Eric W. Bates wrote:
>>
>>> I'm running pfsense (an embedded FreeBSD 6.1) on a wrap2C. I recently
>>> added a Soekris vpn1411 and am now getting infrequent errors:
>>>
>>> hifn0: rndtest: ones interval 4 failed (382, 251-373)
>>> hifn0: rndtest: ones interval 1 failed (2663, 2343-2657)
>>> hifn0: rndtest: zeros interval 5 failed (206, 111-201)
>>> hifn0: rndtest: ones interval 2 failed (1385, 1135-1365)
>>> hifn0: rndtest: zeros interval 3 failed (718, 542-708)
>>> hifn0: rndtest: zeros interval 4 failed (243, 251-373)
>>> hifn0: rndtest: zeros interval 3 failed (717, 542-708)
>>>
>>> IPSec works fine. However, I do not know how to tell whether the hifn
>>> is being used.
>>>
>>> I had no luck with Google. Can anyone enlighten me?
>>
>> man rndtest(4). pfSense has configured the FIPS rng testing module to
>> monitor the entropy sent by the h/w to the system prng. Looks like
>>
>> sysctl kern.rdntest.verbose=0
>>
>> will turn off console msgs.
>
> I guess I want to follow up on this a bit. It seems that rndtest is
> unsatisfied with the degree of randomness presented by the card.
>
> Is that randomness used to produce /dev/random?
>
> Is this an indication of a fault with the card?

The entropy is fed into the system PRNG where it is processed again
before being supplied as data from /dev/random. So there is nothing to
worry about.

>
> How does such a card "create"/"collect" entropy?

Drivers that manage h/w entropy sources (such as those found on crypto
devices) periodically collect data and feed it to the PRNG.

>
> Is there anything I can do to improve the situation?

rndtest was done to evaluate the goodness of h/w entropy sources for
various reasons that are not important. It is not intended for
production use. Why pfsense includes it is unclear.

>
> Thanks.
>
> btw: adding a similar card (Soekris VPN 1410 -- PCI not mini-pci) to a
> full size motherboard running 6.0-RELEASE-p6 produces the same errors.
>
>> Sam
>>
>>
> _______________________________________________
> freebsd-net@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-net
> To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"
>
>
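
Added example, not part of the original message and not the rndtest driver's code: a minimal C version of the FIPS 140-2 runs test, showing how a message such as "ones interval 4 failed (382, 251-373)" reads as a run-length count (382) falling outside its allowed range (251-373). The 20000-bit sample size and the range for runs of six or more come from FIPS 140-2 rather than from the thread; the function names, the MSB-first bit order and both sample buffers are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define SAMPLE_BITS 20000   /* sample size from FIPS 140-2, not from the thread */

/* Allowed {min, max} count per run length 1..6+. Rows 1-5 are the ranges in the
 * quoted console messages; row 6 (runs of 6 or more) is from FIPS 140-2. */
static const int runs_tab[6][2] = { {2343, 2657}, {1135, 1365}, {542, 708},
                                    {251, 373}, {111, 201}, {111, 201} };

/* Runs test over SAMPLE_BITS bits (MSB first, an assumption). Returns the number
 * of failed intervals; if verbose, prints each in the console message format. */
int runs_test(const uint8_t *buf, int verbose)
{
    int count[2][6] = {{0}}, prev = -1, len = 0, failed = 0;
    for (int i = 0; i <= SAMPLE_BITS; i++) {   /* i == SAMPLE_BITS closes the last run */
        int bit = i < SAMPLE_BITS ? (buf[i / 8] >> (7 - i % 8)) & 1 : -1;
        if (bit == prev) { len++; continue; }
        if (prev >= 0) count[prev][(len > 6 ? 6 : len) - 1]++;
        prev = bit; len = 1;
    }
    for (int k = 0; k < 12; k++) {             /* k 0-5: zeros, 6-11: ones */
        int v = k / 6, i = k % 6, c = count[v][i];
        if (c >= runs_tab[i][0] && c <= runs_tab[i][1]) continue;
        failed++;
        if (verbose)
            printf("rndtest: %s interval %d failed (%d, %d-%d)\n",
                   v ? "ones" : "zeros", i + 1, c, runs_tab[i][0], runs_tab[i][1]);
    }
    return failed;
}

/* Constructed sample: alternating zero/one runs in the 16:8:4:2:1:1 length mix
 * that unbiased bits produce on average. It is not random, yet it passes. */
void fill_balanced(uint8_t *buf)
{
    static const int lens[32] = {1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,
                                 2,2,2,2,2,2,2,2, 3,3,3,3, 4,4, 5, 7};
    memset(buf, 0, SAMPLE_BITS / 8);
    for (int pos = 0, run = 0; pos < SAMPLE_BITS; run++)   /* odd runs are ones */
        for (int n = lens[(run / 2) % 32]; n > 0 && pos < SAMPLE_BITS; n--, pos++)
            if (run & 1) buf[pos / 8] |= (uint8_t)(0x80 >> (pos % 8));
}

int main(void)
{
    static uint8_t buf[SAMPLE_BITS / 8];   /* all zero: constructed stuck source */
    int stuck = runs_test(buf, 1);
    fill_balanced(buf);
    return printf("stuck: %d failed, balanced: %d failed\n", stuck, runs_test(buf, 1)) < 0;
}
```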