The CPU Jitter Random Number Generator provides a non-physical true random number generator that works equally in kernel and user land. The only prerequisite is the availability of a high-resolution timer that is available in modern CPUs.
A public git repository of the Jitter-RNG core is found at smuellerDD/jitterentropy-library.
A public git repository of an RNGd based on the Jitter-RNG usable for Linux is found at smuellerDD/jitterentropy-rngd.
A PDF documentation is also available. The pictures and graphs are better to read in the PDF version.
The PDF documentation for the Jitter RNG 2.2.0 is applicable for the current versions of the Linux kernel.
I am looking for CPUs that are not listed in appendix F of the documentation. If you happen to have such a CPU with a Unix-ish operating system and you want to help me to gather more evidence on the appropriateness of the CPU Jitter random number generator, please perform the following:
The following source code contains the implementation of the CPU Random Number Generator.
| Link | Changes |
|---|---|
| 20130508 | Initial version |
| 20130516 |
Small enhancement of Kernel DRNG support -- making the reseeding and rekeying implementation more robust for edge conditions Compile the CPU Jitter RNG as stand-alone shared library Addition of OpenSSL engine support |
| 20130521 |
Moving of code parts relevant to different consumer into sub directories OpenSSL: add jitterentropy-drng and jitterentropy-strong engines |
| 20130617 |
Adding test to assess entropy of timer over folding loop -- test results in section 5.1 and appendix F added to documentation Update jent_entropy_init to check for coarse timers Add patch to integrate CPU Jitter RNG as entropy of last resort into /dev/random and /dev/urandom -- see appendix B.3 |
| 20130621 |
Adding more test to assess entropy of timer over folding loop -- test results in appendix F added to documentation Bug fix in jent_entropy_init Add code in arch/ and android/ directories for non-Linux environments |
| 20130626 |
Adding more test to assess entropy of timer over folding loop -- test results in appendix F added to documentation Bug fix in jent_entropy_init |
| 20130724 |
Adding more test to assess entropy of timer over folding loop -- test results in appendix F added to documentation (there are now 197 different tests) Remove statistical tests in jent_entropy_init that cause ambiguous results Add support for MacOS and AIX in jent_get_nstime |
| 20130806 |
Addition of z/OS test code and description in arch/zOS |
| 20130818 |
Added missing -O0 to /dev/random patch Fix bug in output of random data: mixed bit and byte representation |
| 20130910 |
Adding of jitterentropy-rngd -- an entropy feeder daemon to add entropy to /dev/random's input_pool from user space (see appendix E) Use of Linux kernel clocksource if get_cycles return zero Documentation: adding section 4.5 to discuss Von Neumann De-Skew |
| 20130912 |
Replace varying entropy loop counter with Von Neumann unbias operating. This implies that the analysis of the entropy loop counter statistics in chapter 4 are removed. The impact of the Von Neumann unbias operation on the entropy is discussed in chapter 5. |
| 20130930 |
Allow caller of jent_entropy_collector_alloc to specify an oversampling rate. That rate determines whether the folding loop is executed in multiple instances to implement an oversampling of the individual bits. Add test results for microkernels. Add analysis of change of CPU execution jitter over time in section 5.1.1. Add analysis of the impact of disabling certain system characteristics on CPU execution jitter in appendix F.43. |
| 20131020 |
Addition of non-cryptographic whitening function that can be enabled during allocation time. Addition of tests on Windows 7 |
| 20131028 |
Add add_jent_randomness call to initialization of entropy pools in random.c. Update structure of Linux kernel Makefile to allow seamless integration into kernel Addition of tests on Samsung Galaxy S4 |
| 20131113 |
Add JENT_DISABLE_UNBIAS flag to allocation function to disable Von-Neumann unbias. Add test to verify presence of CPU execution time jitter on bare metal (test_baremetal/) Document baremetal testing by adding new chapter 6 Add folding test result for Intel Core i7 IvyBridge |
| 20140131 |
Addition of new noise source: memory access which adds significant additional entropy Rewrite of bare metal test to include memory access testing and more CPU execution jitter testing Chapter 6 of the documentation completely rewritten to cover an in-depth analysis of the noise sources, including a rationale of the theory of root cause of memory access variations Update Linux kernel patch for 3.13 and to feed the input_pool only |
| 20140219 |
Add PID file to jitterentropy-rngd -- thanks to Jan Blunck Fix wrapping logic in memaccess loop -- thanks to Jan Blunck Fix NULL pointer dereference in jent_entropy_collector_free |
| 20140220 |
Bug fix for wrap calculation in memaccess loop -- thanks to Mikko Loytynoja |
| 20140402 |
jitterentropy-rngd: compile without JENT_DISABLE_MEMORY_ACCESS to protect state in case of swap-out, crash dumps, etc FIPS mode: read /proc/sys/crypto/fips_enabled |
|
The shuffling function that selects the new number of folding loop is now more balanced jitterentropy-rngd: make a separate package |
|
|
The number of memory accesses is now shuffled the same way as the folding loop: For each memory access noise request, a time stamp determines a number between 64 and 192 for the memory accesses |
|
|
start new numbering schema update processing of bit that is deemed holding no entropy by heuristic: XOR it into pool without LFSR and bit rotation (reported and suggested by Kevin Fowler) |
|
|
mark function jentrng_versionstring static (thanks to Kevin Fowler) use errno with strerror (thanks to Kevin Fowler) compile with -pedantic and make appropriate code changes |
|
|
change jitterentropy.service: move RNGd startup up the boot ladder to allow all cryptographic services to benefit from a RNGd-updated /dev/?random |
|
|
jent_stir_pool is now a constant time function to prevent leaking timing information about the random number. Make it compile on 32 bit architectures. |
|
|
Ensure that the buffer holding entropy data is zeroized immediately after use. |
|
|
Jitterentropy: Replace the XOR folding of a time delta with an LFSR -- the use of an LFSR is mathematically more sound for the argument to maintain entropy rngd: inject only 32 bytes of entropy of entropy instead of 256 bytes rngd: apply oversampling factor -- i.e. obtain OVERSAMPLINGFACTOR bytes more from Jitter RNG than required for the 32 bytes of entropic data rngd: do not install sig_alarm handler if the LRNG is present rngd: Use Jitter RNG logic v2.0.0 |
|
|
Jitterentropy: Invcation of stuck test during initalization rngd: inject 32 bytes of entropy into /dev/random before daemonizing as suggested by Pascal de Bruijn rngd: add jitterentropy-rngd.1 man page as suggested by Pascal de Bruijn rngd: mall changes to systemd unit file suggested by Pascal de Bruijn |
|
|
Include jitterentropy core 2.0.1 Compile jitterentropy core without optimizations using GCC pragmas instead of -O0 as suggested by Paul Wouters Change CFLAGS and LDFLAGS from += to ?= to allow smooth integration with build environment as suggested by Paul Wouters Version information now can obtained as unprivileged user |
|
|
Convert all __[u|s][32|64] into [uint|int][32|64]_t Remove all code protected by #if defined(__KERNEL__) && !defined(MODULE) Add JENT_PRIVATE_COMPILE: Enable flag during compile when compiling a private copy of the Jitter RNG Remove unused statistical test code Add FIPS 140-2 continuous self test code threshold for init-time stuck test configurable with JENT_STUCK_INIT_THRES during compile time |
|
|
Fix implementation of mathematical properties. |
|
|
Include jitterentropy core 2.1.1 (note, RNGD version 1.0.7 is broken) |
|
|
Add static library compilation thanks to Neil Horman Initialize variable ec to satisfy valgrind as suggested by Steve Grubb Add cross-compilation support suggested by Lonnie Abelbeck |
|
|
Jitterentropy library 2.2.0 (Signature) Jitterentropy SP800-90B test code |
SP800-90B compliance Add full SP800-90B compliance. The documentation now contains a full SP800-90B compliance assessment. The test code includes all necessary tests for achieving SP800-90B compliance on a specific target platform. RNGD: fix race conditions around signal handling RNGD: import SP800-90B compliant Jitter RNG |
|
Jitterentropy library 3.0.0 (Signature) Jitterentropy SP800-90B test code |
SP800-90B compliance library: use RDTSC on x86 directly instead of clock_gettime library: use SHA-3 instead of LFSR library: add internal high-resolution timer support RNGD: use jitterentropy library version 3.0.0 RNGD: Due to the removal of the blocking pool in kernel 5.6, it is becoming very unlikely that the user space rngd is ever triggered by the kernel. Thus, the jitterentropy-rngd now injects entropy every 10 minutes unconditionally. RNGD: Use the RNDRESEEDCRNG ioctl after injecting entropy to guarantee that the new entropy is immediately forwarded to the ChaCha20 DRNG. Otherwise the ChaCha20 DRNG will not benefit from the new entropy up to 5 minutes after the injection of the entropy. |
|
Jitterentropy library 3.0.1 (Signature) |
SP800-90B compliance library: on older GCC versions use -fstack-protector as suggested by Warszawski, Diego library: prevent creating the internal timer thread if a high-res hardware timer is found as reported by Lonnie Abelbeck RNGD: on older GCC versions use -fstack-protector as suggested by Warszawski, Diego RNGD: prevent creating the internal timer thread if a high-res hardware timer is found as reported by Lonnie Abelbeck RNGD: disable RNDRESEEDCRNG on kernels < 4.17 as suggested by Warszawski, Diego RNGD: Use Jitter RNG library 3.0.1 |
|
SP800-90B compliance library: Small fixes suggested by Joshua Hill library: Update the invocation of SHA-3 invocation: each loop iteration defined by the loop shuffle is a self-contained SHA-3 operation. Therefore, the conditioning information is always *one* SHA-3 operation with different time duration. library: sdd JENT_CONF_DISABLE_LOOP_SHUFFLE config option allowing disabling of the shuffle operation library: Use -O0 RNGD: enhancement: Add SP800-90B compliant entropy injection RNGD: fix: proper use of the RNDRESEEDCRNG IOCTL which otherwise causes an endless loop due to kernel change 11a0b5e0ec8c13bef06f7414f9e914506140d5cb RNGD: enhancement: Catch runtime FIPS health failures RNGD: Use Jitter RNG library 3.0.2 |
|
|
SP800-90B, SP800-90C compliance library: Add link call to pthreads library as suggested by Mikhail Novosyolov library: Add ENTROPY_SAFETY_FACTOR to apply consideration of asymptotically reaching full entropy following SP800-90C suggested by Joshua Hill library: Add test for finiding more entropy by changing the memory buffer size used for the memory access loop library: Increase the memory buffer size to 512 kBytes per default based on measurements on systems with low entropy. library: Add jent_ncpu() detecting the number of existing CPUs. Only when more than one CPU is in the system, the internal timer thread is started. library: add GCD testing and analysis suggested by Joshua Hill library: add fixes to APT suggested by Joshua Hill library: add lag predictor health test suggested by Joshua Hill library: add jent_read_entropy_safe API call library: break up jitterentropy-base.c into various smaller code files RNGD: Use Jitter RNG library 3.1.0 |
|
|
SP800-90B, SP800-90C compliance library: fix: add API call jent_read_entropy_safe to header file library: enhancement: add jent_entropy_init_ex API call library: enhancement: call jent_entropy_init_ex automatically when jent_entropy_collector_alloc_internal detects that no self test has yet been performed library: test: provide jitterentropy-rng test tool allowing all options exported by the library to be invoked library: fix: re-add check of time_backwards in power-on test library: fix: silence static code analysis tool library: test: add test for GCD library: enhancement: add GCD selftest library: fix: simplify memory management for SHA-3 library: enhancement: add random memory access (JENT_RANDOM_MEMACCESS) RNGD: Use Jitter RNG library 3.2.0 |
|
|
SP800-90B, SP800-90C compliance library: add jent_get_cachesize if _SC_LEVEL1_DCACHE_SIZE is not defined library: limit the memory buffer size allocated and allow caller to provide the means to provide a limit, too library: fix: update man page library: update README explaining how to handle entropy shortfall to make it consistent with the current code base RNGD: enhancement: use Jitter RNG library 3.3.0 RNGD: enhancement: add --flags command line option to allow specifying the integer value used as flags field to allocate the Jitter RNG - see jitterentropy(3) for details RNGD: enhancement: add --osr command line option |
|
|
SP800-90B, SP800-90C compliance library: fix: bug fix in initialization logic by Vladis Dronov library: fix: use __asm__ instead of asm to suit the C11 standard RNGD: enhancement: use Jitter RNG library 3.3.1 |
|
|
SP800-90B, SP800-90C compliance library: enhancement: add API call jent_set_fips_failure_callback as requested by Daniel Ojalvo library: fix: Change the SHA-3 integration: The entropy pool is now a SHA-3 state. It is filled with the time delta containing entropy and auxiliary data that does not contain entropy using a SHA update operation. The auxiliary data is calculated by a SHA-3 hashing of some varying state data. The time delta that contains entropy is measured about the SHA-3 hasing of the auxiliary data. This is a more direct implementation as the ones described in FIPS 140-3 IG D.K resolutions 4, 6, and 8. library: enhancement: add CMake support by Andrew Hopkins RNGD: enhancement: use Jitter RNG library 3.4.0 |
|
|
SP800-90B, SP800-90C compliance library: add FIPS 140 hints to man page library: simplify the test tool to search for optimal configurations library: fix: jent_loop_shuffle: re-add setting the time that was lost with 3.4.0 library: enhancement: add ARM64 assembler code to read high-res timer RNGD: enhancement: use Jitter RNG library 3.4.1 |