Leveraging Intel Ivy Bridge’s hardware RNG

Intel Ivy Bridge CPUs such as the i7-3770K that I own ship with a hardware random number generator that can be polled through the RdRand instruction.
This feature is advertised in /proc/cpuinfo with the rdrand flag.

This hardware RNG can be leveraged to increase the entropy bits available to Linux’s random character devices /dev/random and /dev/urandom.

First, some configuration items may (or may not) need to be enabled in the kernel: namely, CONFIG_HW_RANDOM and CONFIG_HW_RANDOM_INTEL. I enabled the latter only because it has “Intel” in the name, but I’m not sure it’s actually required (the docs mention Intel i8xx motherboards) and I’m too lazy to test.
You may also take a look at the Documentation/hw_random.txt file in the kernel sources for some more background info on HWRNGs and the kernel.
Note this file mentions sysfs‘s /sys/class/misc/hw_random/rng_{available,current} which on my machine are empty, for reasons unknown – well, rng_available is empty, rng_current contains none.

A userspace daemon is also required to poll the hardware RNG: rngd (available in the sys-apps/rng-tools package on Gentoo).
Note to Gentoo users: the init script installed for rngd tries to autodetect the actual name of the hardware RNG device in /dev, but fails in my case since I have two nodes for the device (both /dev/hw_random and /dev/hwrng). I had to manually set the hardware RNG device in /etc/conf.d/rngd (both nodes are the same device, so pick either one).

First a test without rngd running:

$ cat /dev/random           # don't use /dev/urandom, it's non-blocking
a few lines of garbage
Ctrl-C

Then with rngd:

$ rc-service rngd start
 * Starting rngd ...                                                  [ ok ]
read error

read error
                                                                      [ ok ]
# I don't know what these "read errors" are.
# They don't seem to hinder anything afterwards.
$ cat /dev/random
a solid stream of garbage
Ctrl-C            # this may not work, I usually need to kill the terminal

Voilà. :)

Leave a Reply

Your email address will not be published. Required fields are marked *