:~$ /usr/sbin/rngd --help
Usage: rngd [OPTION...]
Check and feed random data from hardware device to kernel entropy pool.
-b, --background Become a daemon (default)
-d, --no-drng=1|0 Do not use drng as a source of random number input
(default: 0)
-f, --foreground Do not fork and become a daemon
-n, --no-tpm=1|0 Do not use tpm as a source of random number input
(default: 0)
-o, --random-device=file Kernel device used for random number output
(default: /dev/random)
-p, --pid-file=file File used for recording daemon PID, and multiple
exclusion (default: /var/run/rngd.pid)
-q, --quiet Suppress error messages
-r, --rng-device=file Kernel device used for random number input
(default: /dev/hwrng)
-s, --random-step=nnn Number of bytes written to random-device at a time
(default: 64)
-v, --verbose Report available entropy sources
-W, --fill-watermark=n Do not stop feeding entropy to random-device until
at least n bits of entropy are available in the
pool (default: 2048), 0 <= n <= 4096
-?, --help Give this help list
--usage Give a short usage message
-V, --version Print program version
Mandatory or optional arguments to long options are also mandatory or optional
for any corresponding short options.
Report bugs to Jeff Garzik <jgarzik@pobox.com>.
:~$ cat /etc/init.d/rng-tools
#! /bin/sh
#
# rng-tools initscript for the rng-tools package
# Copr. 2003 by Henrique de Moraes Holschuh <hmh@debian.org>
# Copr. 2002 by Viral Shah <viral@debian.org>
#
### BEGIN INIT INFO
# Provides: rng-tools
# Required-Start: $remote_fs $syslog
# Required-Stop: $remote_fs $syslog
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
### END INIT INFO
#
#
# $Id: rng-tools.init,v 1.6.2.10 2008-06-10 19:51:37 hmh Exp $
PATH=/sbin:/bin:/usr/sbin:/usr/bin
DAEMON=/usr/sbin/rngd
NAME=rngd
DESC="Hardware RNG entropy gatherer daemon"
PIDFILE=/var/run/rngd.pid
DEVICELIST="hwrng hw_random hwrandom intel_rng i810_rng"
HRNGDEVICE=/dev/hwrng
RNGDOPTIONS=
[ -r /etc/default/rng-tools ] && . /etc/default/rng-tools
test -f ${DAEMON} || exit 0
set -e
finddevice () {
    [ -c "${HRNGDEVICE}" ] && return 0
    for i in ${DEVICELIST} ; do
        if [ -c "/dev/$i" ] ; then
            HRNGDEVICE="/dev/$i"
            return 0
        fi
        if [ -c "/dev/misc/$i" ] ; then
            HRNGDEVICE="/dev/misc/$i"
            return 0
        fi
    done
    if grep -q rdrand /proc/cpuinfo ; then
        return 0
    fi
    echo "(Hardware RNG device inode not found)"
    echo "$0: Cannot find a hardware RNG device to use." >&2
    exit 1
}
START="--start --quiet --pidfile ${PIDFILE} --startas ${DAEMON} --name ${NAME}"
case "$1" in
    start)
        echo -n "Starting $DESC: "
        finddevice
        START="${START} -- -r ${HRNGDEVICE} ${RNGDOPTIONS}"
        if start-stop-daemon ${START} >/dev/null 2>&1 ; then
            echo "${NAME}."
        else
            if start-stop-daemon --test ${START} >/dev/null 2>&1; then
                echo "(failed)."
                exit 1
            else
                echo "${DAEMON} already running."
                exit 0
            fi
        fi
        ;;
    stop)
        echo -n "Stopping $DESC: "
        if start-stop-daemon --stop --quiet --pidfile ${PIDFILE} \
            --startas ${DAEMON} --retry 10 --name ${NAME} \
            >/dev/null 2>&1 ; then
            echo "${NAME}."
        else
            if start-stop-daemon --test ${START} >/dev/null 2>&1; then
                echo "(not running)."
                exit 0
            else
                echo "(failed)."
                exit 1
            fi
        fi
        ;;
    restart|force-reload)
        $0 stop
        exec $0 start
        ;;
    *)
        echo "Usage: $0 {start|stop|restart|force-reload}" 1>&2
        exit 1
        ;;
esac
exit 0
:~$ rngtest --help
Usage: rngtest [OPTION...]
Check the randomness of data using FIPS 140-2 RNG tests.
-b, --blockstats=n Dump statistics every n blocks (default: 0)
-c, --blockcount=n Exit after processing n blocks (default: 0)
-p, --pipe Enable pipe mode: work silently, and echo to
stdout all good blocks
-t, --timedstats=n Dump statistics every n secods (default: 0)
-?, --help Give this help list
--usage Give a short usage message
-V, --version Print program version
Mandatory or optional arguments to long options are also mandatory or optional
for any corresponding short options.
FIPS tests operate on 20000-bit blocks. Data is read from stdin. Statistics
and messages are sent to stderr.
If no errors happen nor any blocks fail the FIPS tests, the program will return
exit status 0. If any blocks fail the tests, the exit status will be 1.
Report bugs to Jeff Garzik <jgarzik@pobox.com>.
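Check the entropy pool size:
:~$ cat /proc/sys/kernel/random/poolsize
Check the currently available entropy:
:~$ cat /proc/sys/kernel/random/entropy_avail
Install rng-tools and haveged, then enable their services:
:~$ systemctl enable rng-tools.service
:~$ systemctl enable haveged.service
/dev/random /dev/urandom
Check whether the CPU supports the rdrand instruction:
:~$ cat /proc/cpuinfo | grep rdrand
Consume random numbers:
:~$ cat /dev/random > /dev/null
:~$ head -c 1024 /dev/random
Watch the available entropy:
:~$ watch -n 1 cat /proc/sys/kernel/random/entropy_avail
Test the quality of the random numbers:
:~$ rngtest -c 1000 < /dev/random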
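What the rngtest step checks on each 20000-bit block, as an added Python example that is not part of the original notes or of rng-tools: the FIPS 140-2 monobit, poker, runs and long-run tests. The function name `fips_block_tests` and the MSB-first bit order are assumptions made here, and rngtest's continuous-run check is not included, so results need not match rngtest bit for bit.

```python
from collections import Counter
from itertools import groupby
import os

BLOCK_BYTES = 2500  # 20000 bits, the block size rngtest reports

# FIPS 140-2 acceptance intervals for run lengths 1..5 and 6+ (inclusive)
RUN_LIMITS = {1: (2315, 2685), 2: (1114, 1386), 3: (527, 723),
              4: (240, 384), 5: (103, 209), 6: (103, 209)}

def fips_block_tests(block: bytes) -> dict:
    """Return pass/fail per test for one 20000-bit block."""
    if len(block) != BLOCK_BYTES:
        raise ValueError("FIPS tests need exactly 2500 bytes")
    # Assumption: bits are taken MSB-first within each byte.
    bits = [(b >> s) & 1 for b in block for s in range(7, -1, -1)]

    # Monobit: the count of ones must lie strictly between 9725 and 10275.
    ones = sum(bits)
    monobit = 9725 < ones < 10275

    # Poker: chi-square style statistic over the 5000 4-bit nibbles.
    freq = Counter(n for b in block for n in (b >> 4, b & 0x0F))
    x = 16 / 5000 * sum(c * c for c in freq.values()) - 5000
    poker = 2.16 < x < 46.17

    # Runs: count runs of each length per bit value; lengths >= 6 are pooled.
    runs = Counter()
    longest = 0
    for bit, grp in groupby(bits):
        n = sum(1 for _ in grp)
        longest = max(longest, n)
        runs[(bit, min(n, 6))] += 1
    runs_ok = all(lo <= runs[(bit, k)] <= hi
                  for bit in (0, 1) for k, (lo, hi) in RUN_LIMITS.items())

    # Long run: no run of 26 or more identical bits.
    return {"monobit": monobit, "poker": poker,
            "runs": runs_ok, "longrun": longest < 26}

if __name__ == "__main__":
    # Constructed inputs: kernel CSPRNG output and an obviously bad block.
    print("urandom  :", fips_block_tests(os.urandom(BLOCK_BYTES)))
    print("all-zero :", fips_block_tests(bytes(BLOCK_BYTES)))
```

A block that alternates bits (`b"\x55" * 2500`) passes monobit and long-run but fails poker and runs, which is why rngtest reports the tests separately.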
https://github.com/imthenachoman/How-To-Secure-A-Linux-Server#more-secure-random-entropy-pool-wip
https://www.2uo.de/myths-about-urandom/
https://hackaday.com/2017/11/02/what-is-entropy-and-how-do-i-get-more-of-it/
https://wiki.archlinux.org/index.php/Rng-tools