Entropy Source and DRNG Manager

... or /dev/random in user space

The Entropy Source and DRNG Manager (ESDM) manages a set of deterministic random number generators (DRNG) and ensures their proper seeding and reseeding. To seed the DRNGs, the ESDM manages a set of entropy sources. The cryptographic strength of the entire ESDM is always 256 bits. All entropy processing is designed to maintain this strength.

Besides other services, it provides an API and ABI compliant drop-in replacement for the Linux `/dev/random` and `/dev/urandom` devices as well as the `getrandom` system call. This means it not only supports common users requesting random numbers, but also services using the IOCTLs documented in `random(4)` or using `select(2)` / `poll(2)` on the device files.
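A compatibility check for the three interface styles named above, as an added example that is not part of the ESDM sources: it calls `getrandom(2)`, issues the `RNDGETENTCNT` IOCTL from `random(4)`, and waits with `poll(2)` before reading the device. The function names are hypothetical and the device paths are passed in by the caller.

```c
#include <errno.h>
#include <fcntl.h>
#include <linux/random.h> /* RNDGETENTCNT */
#include <poll.h>
#include <stdio.h>
#include <sys/ioctl.h>
#include <sys/random.h> /* getrandom(2) */
#include <unistd.h>

/* Fill buf completely via getrandom(2); returns 0 on success, -1 on error. */
int rng_getrandom_full(unsigned char *buf, size_t len)
{
    size_t off = 0;
    while (off < len) {
        ssize_t n = getrandom(buf + off, len - off, 0);
        if (n < 0 && errno != EINTR)
            return -1; /* EINTR (signal) is retried, anything else is fatal */
        if (n > 0)
            off += (size_t)n;
    }
    return 0;
}

/* RNDGETENTCNT from random(4): entropy estimate in bits, or -1 on error. */
int rng_entropy_count(const char *dev)
{
    int cnt = -1, fd = open(dev, O_RDONLY);
    if (fd < 0)
        return -1;
    if (ioctl(fd, RNDGETENTCNT, &cnt) < 0)
        cnt = -1;
    close(fd);
    return cnt;
}

/* poll(2) until dev is readable, then read; returns bytes read or -1. */
ssize_t rng_poll_read(const char *dev, unsigned char *buf, size_t len, int ms)
{
    struct pollfd p = { .fd = open(dev, O_RDONLY), .events = POLLIN };
    ssize_t n = -1;
    if (p.fd < 0)
        return -1;
    if (poll(&p, 1, ms) == 1 && (p.revents & POLLIN))
        n = read(p.fd, buf, len);
    close(p.fd);
    return n;
}

int main(void)
{
    unsigned char b[32];
    printf("getrandom=%d entcnt=%d poll+read=%zd\n", rng_getrandom_full(b, sizeof(b)),
           rng_entropy_count("/dev/random"), rng_poll_read("/dev/random", b, sizeof(b), 1000));
    return 0;
}
```

Comparing the output with and without the replacement devices in place shows whether a given caller pattern behaves the same on both.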

In addition to the Linux interface support, the ESDM provides a daemon managing the entropy sources and DRNG instances that can be accessed with a wrapper library. The ESDM requires only POSIX support along with `protobuf-c` and thus is intended to be executable on different operating systems.

It is extensible as follows:

The (re)seeding operation of the DRNG implements design ideas of the following specifications:

The Entropy Source and DRNG Manager is an API and ABI compatible drop-in replacement to the legacy /dev/random implementation in the Linux kernel but fully in user space.

GitHub Link

A public git repository is found at github.com/smuellerDD/esdm.

Documentation

A PDF presentation is also available providing the gist of the ESDM documentation.

Source Code

The following source code contains the implementation of the Entropy Source and DRNG Manager.

Link Changes

Initial Release (Signature of source code)

Initial release

0.3.0 (Signature of source code)

Replace protobuf-c-rpc with a built-in RPC mechanism that reduces the number of mallocs, performs proper zeroization and is fully thread-aware

Testing: disable /dev/random fallbacks for verifying RPC operation

RNDGETENTCNT returns the seed state of the auxiliary entropy pool only. This makes it 100% ABI compliant to random.c

Add ChaCha20 DRNG to regular code base

Add SHA-3 conditioning hash to regular code base

Add /proc/sys/kernel/random files handler along with SELinux policy, tested with: rng-tools, jitterentropy-rngd, haveged

SP800-90A/B/C compliant

0.4.0 (Signature of source code)

Start CUSE daemons independently from ESDM server

add support for invoking DRNG with prediction resistance when opening /dev/random with O_SYNC or using the esdm_get_random_bytes_pr API. This reestablishes the NTG.1 property as well as supports using the DRBG as a conditioning component pursuant to SP800-90C and FIPS 140 IG 7.19 / D.K.

initialize the DRNG immediately with 256 bits (disregarding 32/128 bits)

add interrupt entropy source

modify collection in scheduler ES: maintain a hash state per CPU as a per-CPU entropy pool

add proper interrupt/signal handling code to the ESDM RPC client library

privilege level change in CUSE is now limited to caller only

add support to allow ld.so.preload to be used to refer to libesdm-getrandom.so for a system-wide replacement of the getrandom/getentropy system calls.

SP800-90A/B/C compliant

AIS20/31 compliant

FIPS IG 7.19 / D.K compliant - use of DRBG as conditioning component for chaining DRBGs

0.5.0 (Signature of source code)

Linux kernel entropy feeder is now always enabled

Add Linux /dev/hwrng entropy source

FIPS IG 7.19/D.K / BSI NTG.1: use a new DRNG instance executed with PR

Handle communication errors between client and server gracefully

ES monitor now runs for lifetime of the ESDM

add interface to access entropy sources - esdm_get_seed including making it accessible via getrandom(2)

fix of deadlocks during shutdown

SP800-90A/B/C compliant

AIS20/31 compliant

FIPS IG 7.19 / D.K compliant - use of DRBG as conditioning component for chaining DRBGs

0.6.0 (Signature of source code)

Move ESDM apps into separate namespaces to limit their privilege even further (e.g. no possibility to create network connections)

Add German AIS 20/31 (draft 2022) NTG.1 compliance support

the blocking property of an interface is implemented in the client - the server reports -EAGAIN for a blocking behavior

add "emergency seeding": when entropy sources cannot collectively deliver 256 bits of entropy, pull data repeatedly until 256 bits are received

export esdm_rpc_client.h with all depending header files to allow external clients to be developed

update IRQ/Scheduler ES health test to match LRNG

bug fix: correctly calculate memory offsets

enhancement: Sched/IRQ ES code in ESDM can handle kernel parts that have a different data structure size for sending entropy to user space

IRQ/Sched ES: Switch to /dev/esdm_es character devices as user space interfaces

fix of deadlocks during shutdown

SP800-90A/B/C compliant

AIS20/31 2011 compliant

AIS20/31 draft 2022 compliant

FIPS IG 7.19 / D.K compliant - use of DRBG as conditioning component for chaining DRBGs

1.0.0 (Signature of source code)

IRQ/Sched ES: add support to retry accessing the kernel with -i and -s flags

enhancement: Jitter RNG ES generates data asynchronously

enhancement: add kernel Jitter RNG ES

enhancement: add leancrypto, OpenSSL and Botan crypto provider backends

enhancement: add OpenSSL, Botan seed provider (leancrypto ESDM seed provider is found in leancrypto source code)

fix: ESDM server - systemd unit executes server in current mount namespace

editorial: apply clang-format

fix: CUSE daemons may hang during shutdown due to busy mounts

fix: resynchronize CUSE daemons and ESDM server upon ESDM server restart

enhancement: ESDM server status splits up FIPS 140 and SP800-90C compliance

rename compile time option “oversample_es” to “sp80090c” which is now disabled by default considering that with its enabling, the oversampling is applied unconditionally during startup

SP800-90A/B/C compliant

AIS20/31 2011 compliant

AIS20/31 draft 2022 compliant

FIPS IG 7.19 / D.K compliant - use of DRBG as conditioning component for chaining DRBGs

1.0.1 (Signature of source code)

enhancement/fix: add support for multiple ESDM RPC client connection initializations

fix: If a process calls select/poll on a CUSE file, the system now goes properly to sleep

fix: If there is high load on the CUSE daemons, make sure they properly shut down on reboot

SP800-90A/B/C compliant

AIS20/31 2011 compliant

AIS20/31 draft 2022 compliant

FIPS IG 7.19 / D.K compliant - use of DRBG as conditioning component for chaining DRBGs


2023-11-24 smueller at chronox.de