From Fedora Project Wiki
Revision as of 17:27, 6 August 2012

rngd default-on


rngd (part of the rng-tools package) should be enabled by default.


  • Email:

Current status

  • Targeted release: Fedora 18
  • Last updated: 2012-08-06
  • Percentage of completion: 95%

Detailed Description

Linux generally relies on extracting entropy from noise in the compute environment for users of random numbers. However, in several critical compute environments entropic noise is notoriously scarce: servers, embedded systems, and virtual machines.

Some platforms provide a hardware random number generator, or they have a Trusted Platform Module (TPM); in particular KVM provides the rng-virtio interface to guests. Furthermore, rngd can make direct use of an architectural random number generator (currently it supports the x86 RDRAND instruction available in newer Intel processors.)

Lack of entropy is both a performance and a security problem. In the worst case it can result in duplicate key generations, as was recently discovered on Linux systems in the field.

There have been a number of functionality problems with rngd in the past; however, these should be eliminated in the just-released version 4. Furthermore, any functionality problems that remain should be reported upstream so they can be fixed, rather than leaving the daemon disabled with all the security hazards that entails.

In particular:

  - rngd should be turned on by default.
  - rngd should be started as early as possible.

Note that when using TPM, rngd currently conflicts with tcsd from TrouSerS. The solution to that is a kernel module which is probably going to be merged upstream in the 3.7 kernel, as it unfortunately missed the 3.6 merge window; however, it is a small patchset and it can be trivially backported. It should be in James Morris' linux-security git tree shortly; otherwise search for Kent Yoder on LKML.

Benefit to Fedora

The kernel random number generator has plenty of entropy on servers, virtual machines and other platforms.


  1. Update rng-tools to version 4 (done).
  2. Get rng-tools added to the core list of packages.

How To Test

Run randomness-intensive tests such as certificate / key generation.
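As an added example (not part of the Fedora feature page or the rng-tools project), the script below ties together the entropy sources listed in the Detailed Description and the test suggested here: it lists the hardware RNG devices the kernel has registered, checks whether the CPU advertises RDRAND, reports whether rngd is running, and measures how the kernel pool changes while generating RSA keys. It assumes a Linux host with the standard /proc and /sys interfaces; openssl and systemctl are used only if present, and the 1000-bit "low" threshold is a local assumption, not an rngd default.

```shell
#!/bin/sh
# Added example, not from the feature page or rng-tools: inspect entropy
# sources and measure pool behaviour under key generation.
# Assumes Linux /proc and /sys; openssl and systemctl are optional.

ENTROPY_FILE=/proc/sys/kernel/random/entropy_avail
HWRNG_DIR=/sys/devices/virtual/misc/hw_random

# Print available entropy in bits; prints 0 when the file cannot be read.
entropy_avail() {
    if [ -r "$ENTROPY_FILE" ]; then
        cat "$ENTROPY_FILE"
    else
        echo 0
    fi
}

# classify_entropy BITS THRESHOLD -> "low" or "ok".
# The threshold is an assumption for this script, not an rngd setting.
classify_entropy() {
    if [ "$1" -lt "$2" ]; then
        echo low
    else
        echo ok
    fi
}

# List hardware RNG devices the kernel knows about (virtio-rng, TPM, ...).
hwrng_sources() {
    if [ -r "$HWRNG_DIR/rng_available" ]; then
        printf 'hw_random available: %s\n' "$(cat "$HWRNG_DIR/rng_available")"
        printf 'hw_random current:   %s\n' "$(cat "$HWRNG_DIR/rng_current")"
    else
        echo "hw_random: no device registered"
    fi
}

# Report whether the CPU advertises RDRAND, which rngd can read directly.
has_rdrand() {
    if grep -qw rdrand /proc/cpuinfo 2>/dev/null; then
        echo yes
    else
        echo no
    fi
}

# Report whether rngd is running (systemd if available, else pidof).
rngd_status() {
    if command -v systemctl >/dev/null 2>&1; then
        state=$(systemctl is-active rngd 2>/dev/null || true)
        echo "${state:-unknown}"
    elif pidof rngd >/dev/null 2>&1; then
        echo active
    else
        echo inactive
    fi
}

# keygen_entropy_drop N: generate N 2048-bit RSA keys and print how many
# bits of entropy the pool lost meanwhile (0 if openssl is unavailable).
keygen_entropy_drop() {
    n=${1:-5}
    before=$(entropy_avail)
    if command -v openssl >/dev/null 2>&1; then
        i=0
        while [ "$i" -lt "$n" ]; do
            openssl genrsa 2048 >/dev/null 2>&1 || true
            i=$((i + 1))
        done
    fi
    after=$(entropy_avail)
    echo $((before - after))
}

# Stand-alone report.
hwrng_sources
echo "rdrand:        $(has_rdrand)"
echo "rngd:          $(rngd_status)"
now=$(entropy_avail)
echo "entropy_avail: $now ($(classify_entropy "$now" 1000))"
echo "drop after 2 keygens: $(keygen_entropy_drop 2) bits"
```

Run it once with rngd stopped and once with it active and compare the entropy_avail line and the drop figure; a box with rngd feeding the pool should stay at "ok" under repeated key generation. On recent kernels the pool accounting has changed and entropy_avail may barely move, so the drop figure is informative mainly on kernels of the era this page targets.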

User Experience

Invisible, or, rather, better kernel random entropy.



Contingency Plan

None necessary


See above extended description.

Release Notes

Additional entropy is available for kernel random number generator users, particularly for setups with low entropy such as servers or virtual machines.

Comments and Discussion