October 12, 2015

Random number generators for Linux on z Systems


For Linux on z Systems there are multiple kernel interfaces for obtaining (pseudo) random data. First, there are the two standard Linux interfaces:
  • /dev/random : blocking interface used for really good random numbers
  • /dev/urandom : nonblocking interface used for everything else
Those interfaces work the same on z Systems as they do on other platforms. However, in highly virtualized environments there are often idle servers on which nothing is happening. This means that little entropy is generated, and therefore /dev/random will block.

In addition, z Systems provides two further interfaces:
  • /dev/prandom : a hardware-assisted pseudo random number generator that uses the System z CPACF instructions. To enable it, run modprobe prng. Further details can be found in the "Device Drivers, Features, and Commands" book for upstream, SUSE and Red Hat; search those books for prng.
  • /dev/hwrng : a true random number generator that uses the random number function of the CryptoExpress CCA co-processor. For this to work, the hardware card must be installed and configured for your Linux instance. Then modprobe z90crypt starts it.
As expected, prandom is faster than urandom. The additional card with the true random number generator is faster still and does not consume CPU time. Of course, when the card is shared, its throughput is split between the Linux images.

If your application reads from /dev/random and there isn't enough entropy in the system, you can refill the pool using the rngd daemon. To start it, use the command rngd -r /dev/hwrng. Of course, you need to install the rng-tools package first. Caveat: you may need to change the service configuration file to point to /dev/hwrng, or create the /dev/hwrandom device node (the default for rngd) as a link to /dev/hwrng.
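To see which of these sources a guest actually offers, whether /dev/random would block right now, and how the sources compare in throughput, here is an added Python script (not part of the original post). It assumes the device paths named above and reads them with O_NONBLOCK, so a depleted pool is reported instead of hanging the check.

```python
import os
import time

# RNG device nodes named in the post. /dev/prandom needs "modprobe prng";
# /dev/hwrng needs "modprobe z90crypt" plus a configured CryptoExpress card.
DEVICES = ["/dev/random", "/dev/urandom", "/dev/prandom", "/dev/hwrng"]

def entropy_avail(path="/proc/sys/kernel/random/entropy_avail"):
    """Kernel entropy estimate in bits, or None if the file is unreadable."""
    try:
        with open(path) as f:
            return int(f.read().strip())
    except (OSError, ValueError):
        return None

def read_nonblocking(device, nbytes):
    """Read up to nbytes with O_NONBLOCK; return (bytes_read, would_block).
    A depleted /dev/random answers EAGAIN instead of hanging (the post's idle-server case)."""
    fd = os.open(device, os.O_RDONLY | os.O_NONBLOCK)
    got = 0
    try:
        while got < nbytes:
            try:
                chunk = os.read(fd, nbytes - got)
            except BlockingIOError:
                return got, True
            if not chunk:  # EOF: the driver handed back no data
                break
            got += len(chunk)
    finally:
        os.close(fd)
    return got, False

def throughput_mib_s(device, nbytes=1 << 20):
    """MiB/s read from device, or None if it is absent or would block."""
    if not os.path.exists(device):
        return None
    start = time.perf_counter()
    got, blocked = read_nonblocking(device, nbytes)
    elapsed = time.perf_counter() - start
    if blocked or got == 0 or elapsed <= 0:
        return None
    return got / (1024 * 1024) / elapsed

def survey(devices=DEVICES):
    """Throughput per device; None marks a missing or blocking source."""
    return {d: throughput_mib_s(d) for d in devices}
```

Call entropy_avail() and survey() from a Python shell on the guest: a low entropy estimate together with None for /dev/random is the situation in which feeding rngd from /dev/hwrng helps.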
