Date: Mon, 28 Feb 2005 04:58:02 -0800 From: "Ted Mittelstaedt" <tedm@toybox.placo.com> To: "Loren M. Lang" <lorenl@alzatex.com> Cc: Kris Kennaway <kris@obsecurity.org> Subject: RE: /dev/io , /dev/mem : only used by Xorg? Message-ID: <LOBBIFDAGNMAMLGJJCKNEEJDFAAA.tedm@toybox.placo.com> In-Reply-To: <20050228124023.GH1672@alzatex.com>
next in thread | previous in thread | raw e-mail | index | archive | help
> -----Original Message----- > From: Loren M. Lang [mailto:lorenl@alzatex.com] > Sent: Monday, February 28, 2005 4:40 AM > To: Ted Mittelstaedt > Cc: Kris Kennaway; Rob; FreeBSD questions > Subject: Re: /dev/io , /dev/mem : only used by Xorg? > > > On Mon, Feb 28, 2005 at 04:11:24AM -0800, Ted Mittelstaedt wrote: > > > > > > > -----Original Message----- > > > From: Kris Kennaway [mailto:kris@obsecurity.org] > > > Sent: Monday, February 28, 2005 2:58 AM > > > To: Ted Mittelstaedt > > > Cc: Rob; FreeBSD questions > > > Subject: Re: /dev/io , /dev/mem : only used by Xorg? > > > > > > > > > On Mon, Feb 28, 2005 at 01:32:26AM -0800, Ted Mittelstaedt wrote: > > > > > > > Instead, they are part of the kernel itself. > > > > > > > > All the /dev files are, /dev/random, /dev/ad0 and so on, > are simple > > > > files that take up only a few bytes of space. They are > convenient > > > > "hook points" to use to get to these devices. That is, when > > > a program > > > > accesses /dev/random, it isn't actually opening that > file. Instead, > > > > the kernel intercepts that call and supplies the program opening > > > > that device with the output of the actual device. > > > > > > > > This is why these device files are created with the > mknod utility, > > > > rather than just copying a file to /dev/random - since > doing that is > > > > accessing the device, not creating the device file. > > > > > > > > So, deleting these /dev devices saves you practically no space at > > > > all, and does not in fact delete the devices - it only > deletes the > > > > access point to them. The devices are still there in the kernel. > > > > > > No, in 5.x the device nodes are created automatically by devfs and > > > only appear in /dev by default if support is enabled in the kernel. > > > > Ah, yes I wasn't paying attention, he did say 5. I stopped paying > > attention > > after reading that he was wanting to remove /dev/random. > > > > > As the original poster discussed, /dev/io, /dev/mem and /dev/random > > > are optional components of the 5.x kernel, although as I > replied, the > > > situations in which one would not want to include them are limited. > > > > > > > Actually, recompiling openssl to use a prng daemon instead > of the random > > device > > will probably improve your ssh security - unless they have greatly > > improved the entropy generation in the random device in 5.X > > Is the /dev/random on FreeBSD really this bad? Yes - there's some random testing suites on the Internet, find a few and compile them. (ENT for example) Run them repeatedly and see what happens. Part of the problem is that BY DEFAULT the random device DOES NOT look at interrupts. See the man page for rndcontrol. Presumably the system admin of the system knows this and looks at his dmesg output to see which irq's are assigned to network cards and hard disks (which are fairly good sources of randomness) and sets the random device to use these. In practice this isn't something mentioned in the install docs so it is very unlikely many people know. Another strange thing is that /dev/random should block when it runs out of entropy - it doesen't seem to do so, however. And the device doesen't seem to gain entropy that quickly. > I thought it should be > better since it can gather entropy from all over the kernel like > interrupts. I'm pretty sure I read that linuxes /dev/random was far > supieror to prng and I'd expect FreeBSD to be the same unless someone > was lazy in implementing it or there is some major security hole in it. > The FreeBSD random device is a port of the same Linux code. Interestingly enough, Sun's Solaris x86 random driver sucks too in the same way, runs out of entropy quickly and doesen't recharge that rapidly. There's a couple people who have written prngs which they claim are far superior to the random devices. Do a search and you will run across them. An excellent random device would be a portable fm radio tuned to in between stations and feeding the mic input of a soundcard. That's what you use when you don't want NSA's supercomputers breaking your keys. ;-) But of course if you pulled entropy out of that too fast, you would run into the speed limitations of the D/A converter in the soundcard input. Ted
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?LOBBIFDAGNMAMLGJJCKNEEJDFAAA.tedm>