@skull-squadron
Last active November 7, 2023 07:54
How to correctly use a hardware random number generator (hwrng, trng) on Linux 5+ (Debian 12+)

Problem

  1. The Linux entropy pool doesn't know about external, non-default, non-driver entropy sources.
  2. Modern Linux usually reports 256 for cat /proc/sys/kernel/random/entropy_avail. This is a consequence of the entropy pool rewrite some time ago that stopped /dev/random from blocking.
  3. There is presently no userland entropy pool seeding "pull" mechanism.

Solution

When a high-quality entropy source is available, push bits into the kernel's entropy pool very frequently.
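The "push" described above is the RNDADDENTROPY ioctl on /dev/random, which is what rngd (configured by the scripts below) performs on every feed interval. The following is an added example, not code from the gist or from rng-tools: it does one push by hand, after gating the block with the FIPS 140-2 monobit and long-run checks so a stuck or unplugged device is never credited. The device path /dev/hwrng, the 2500-byte block, and the credit of 8 bits per byte are assumptions; the credit you claim is a policy decision for the device you have verified (rngd exposes its own via --rng-quality).

```python
"""Push hardware-RNG output into the Linux entropy pool with RNDADDENTROPY.

Added example (not part of the gist). Device path, block size and the
credit policy are assumptions; adjust them for the device you verified.
"""
import fcntl
import os
import re
import struct
import sys

# RNDADDENTROPY from <linux/random.h>: _IOW('R', 0x03, int[2]) on Linux.
RNDADDENTROPY = 0x40085203
ENTROPY_AVAIL = "/proc/sys/kernel/random/entropy_avail"
FIPS_BLOCK_BYTES = 2500  # FIPS 140-2 tests operate on 20000-bit blocks


def pack_rand_pool_info(data: bytes, entropy_bits: int) -> bytes:
    """struct rand_pool_info { int entropy_count; int buf_size; __u32 buf[]; }.

    entropy_count is the credit in bits; buf_size is the payload length in
    bytes. Native-endian ints, because the struct never leaves this machine.
    """
    if entropy_bits < 0 or entropy_bits > len(data) * 8:
        raise ValueError("cannot credit more bits than were supplied")
    return struct.pack("@ii", entropy_bits, len(data)) + data


def unpack_rand_pool_info(payload: bytes) -> tuple[int, int, bytes]:
    """Inverse of pack_rand_pool_info, for inspection and testing."""
    entropy_bits, size = struct.unpack_from("@ii", payload)
    return entropy_bits, size, payload[8:8 + size]


def fips_checks(block: bytes) -> dict[str, bool]:
    """Monobit and long-run tests from FIPS 140-2 on one 20000-bit block.

    An all-zero or all-one block (typical of a dead or unplugged source)
    fails both. Passing is necessary, not sufficient, for a good source.
    """
    if len(block) != FIPS_BLOCK_BYTES:
        raise ValueError(f"block must be {FIPS_BLOCK_BYTES} bytes")
    ones = sum(bin(b).count("1") for b in block)
    bits = "".join(f"{b:08b}" for b in block)
    longest_run = max(len(run) for run in re.findall(r"0+|1+", bits))
    return {"monobit": 9725 < ones < 10275, "long_run": longest_run < 26}


def entropy_avail() -> int:
    """Kernel's reported entropy estimate (a constant 256 once initialised on modern kernels)."""
    with open(ENTROPY_AVAIL) as f:
        return int(f.read())


def read_block(device: str) -> bytes:
    """Read exactly one FIPS block from the hardware device (assumed path)."""
    buf = bytearray()
    with open(device, "rb", buffering=0) as dev:
        while len(buf) < FIPS_BLOCK_BYTES:
            chunk = dev.read(FIPS_BLOCK_BYTES - len(buf))
            if not chunk:
                raise OSError(f"EOF from {device} after {len(buf)} bytes")
            buf += chunk
    return bytes(buf)


def add_entropy(data: bytes, entropy_bits: int) -> None:
    """Mix `data` into the pool and credit `entropy_bits`. Requires CAP_SYS_ADMIN."""
    fd = os.open("/dev/random", os.O_WRONLY)
    try:
        fcntl.ioctl(fd, RNDADDENTROPY, pack_rand_pool_info(data, entropy_bits))
    finally:
        os.close(fd)


def feed_once(device: str, credit_per_byte: int = 8) -> bool:
    """One rngd-style cycle: read, health-check, push. Returns True if pushed."""
    block = read_block(device)
    if not all(fips_checks(block).values()):
        return False  # never credit a source that fails its health checks
    add_entropy(block, len(block) * credit_per_byte)  # credit policy: assumed
    return True


if __name__ == "__main__":
    dev_path = sys.argv[1] if len(sys.argv) > 1 else "/dev/hwrng"
    before = entropy_avail()
    pushed = feed_once(dev_path)
    print(f"pushed={pushed} entropy_avail {before} -> {entropy_avail()}")
```

Run it as root with the device path as the only argument (for example the /dev/TrueRNG0 symlink the udev rules below create). A single push is only a demonstration; the point of the gist is that rngd repeats this every second, which is why the setup script installs it as a restarting systemd service rather than a one-shot.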

Implementations

For TrueRNG

./truerng-setup.sh && ./hwrng-setup.sh /dev/TrueRNG0

For Raspberry Pi

./hwrng-setup.sh /dev/hwrng

For others

./hwrng-setup.sh /dev/path-to-your-entropy-device

hwrng-setup.sh

#!/usr/bin/env bash
# Installs rng-tools-debian and points rngd at the hardware RNG device given as $1.
set -euo pipefail
if [ $UID != 0 ]; then
  exec /usr/bin/sudo "$0" "$@"
fi
HWRNG_DEV="${1?hw rng argument needed}"
set -x
/usr/bin/dpkg -P rng-tools5 haveged || true
/usr/bin/apt-get install -y rng-tools-debian
/usr/bin/mkdir -p /etc/systemd/system/rng-tools-debian.service.d/
# Note: [Unit] ConditionPathExists= and ConditionPathIsSymbolicLink= put the service into a dead state, whereas [Service] ExecStartPre= does not
/usr/bin/cat > /etc/systemd/system/rng-tools-debian.service.d/override.conf <<'OVERRIDE'
[Service]
Type=simple
EnvironmentFile=/etc/default/rng-tools-debian
RemainAfterExit=no
Restart=always
RestartSec=15s
ExecStartPre=/usr/bin/test -e $HRNGDEVICE
ExecStart=
ExecStart=/usr/sbin/rngd -f -r $HRNGDEVICE $RNGDOPTIONS
ExecStop=
OVERRIDE
# Unquoted heredoc on purpose: $HWRNG_DEV is expanded into the config file.
/usr/bin/cat > /etc/default/rng-tools-debian <<CONF
# -*- mode: sh -*-
#-
# Configuration for the rng-tools-debian initscript
# Set to the input source for random data, leave undefined
# for the initscript to attempt auto-detection. Set to /dev/null
# for the viapadlock driver.
HRNGDEVICE=$HWRNG_DEV
RNGDOPTIONS='--feed-interval 1 --fill-watermark 100% --rng-quality high --rng-buffers 50 --random-step 2500 --rng-timeout 60'
CONF
/usr/bin/systemctl daemon-reload
/usr/bin/systemctl restart rng-tools-debian.service
truerng-setup.sh

#!/usr/bin/env bash
# Installs the udev rules for TrueRNG devices (stable /dev/TrueRNGn symlink, raw tty at 3000000 baud) and reloads udev.
set -euo pipefail
if [ $UID != 0 ]; then
  exec /usr/bin/sudo "$0" "$@"
fi
set -x
/usr/bin/cat > /etc/udev/rules.d/TrueRNG.rules <<'RULES'
# From: https://raw.githubusercontent.com/euler357/TrueRNG/master/udev_rules/99-TrueRNG.rules
# Rule for TrueRNG V1/V2/V3
SUBSYSTEM=="tty", ATTRS{product}=="TrueRNG", SYMLINK+="TrueRNG%n", RUN+="/bin/stty raw -echo -ixoff -F /dev/%k speed 3000000"
ATTRS{idVendor}=="04d8", ATTRS{idProduct}=="f5fe", ENV{ID_MM_DEVICE_IGNORE}="1", MODE="0666"
# fix for reattaching with an incorrect and different number
# ACTION="remove", ATTRS{idVendor}=="04d8", ATTRS{idProduct}=="f5f3", RUN+="rm /dev/TrueRNG%n"
# Rule for TrueRNGpro
SUBSYSTEM=="tty", ATTRS{product}=="TrueRNGpro", SYMLINK+="TrueRNG%n", RUN+="/bin/stty raw -echo -ixoff -F /dev/%k speed 3000000"
ATTRS{idVendor}=="16d0", ATTRS{idProduct}=="0aa0", ENV{ID_MM_DEVICE_IGNORE}="1", MODE="0666"
# fix for reattaching with an incorrect and different number
# ACTION="remove", ATTRS{idVendor}=="16d0", ATTRS{idProduct}=="0aa0", RUN+="rm /dev/TrueRNG%n"
# Rule for TrueRNGpro V2
SUBSYSTEM=="tty", ATTRS{product}=="TrueRNGpro V2", SYMLINK+="TrueRNG%n", RUN+="/bin/stty raw -echo -ixoff -F /dev/%k speed 3000000"
ATTRS{idVendor}=="04d8", ATTRS{idProduct}=="ebb5", ENV{ID_MM_DEVICE_IGNORE}="1", MODE="0666"
# fix for reattaching with an incorrect and different number
# ACTION="remove", ATTRS{idVendor}=="04d8", ATTRS{idProduct}=="ebb5", RUN+="rm /dev/TrueRNG%n"
RULES
/usr/bin/udevadm control --reload