TPMs (Trusted Platform Modules) have long been avoided on Linux, given that their primary use cases have historically been around licensing and Digital Rights Management, concepts which are mostly foreign to Free and Open Source software. However, as new use cases, such as “trusted boot” have emerged, developers have added TPM device drivers to the Linux kernel to enable these uses. One often-overlooked feature of the TPM is that it has a hardware pseudo-random number generator.
A while back, Jeff Garzik and others were discussing this on the linux-kernel mailing list (summarized on LWN.net), where it was suggested that the TPM could be used to feed the rngd (random number gathering daemon) tool, just as it reads from other hardware random number generators. The rngd program reads from hardware-based random number generators and feeds entropy into the kernel’s entropy pool. Easy in concept, but rngd had no TPM support.
As it happens, quite a few Dell systems include a TPM chip, including the PowerEdge 11G servers such as the R610 and R710. So, I asked Dell’s crack team of Linux developers to see what they could do. The result: a patch to rngd which adds the TPM as another source of random numbers for feeding the kernel’s entropy pool.
We’re working with Jeff to get this patch applied to the rng-tools upstream sources, and from there into the various distributions as their schedules permit.
So, should you find yourself running out of entropy on your servers, and not having a keyboard or mouse attached as ways to feed the entropy pool, you can enable the TPM in BIOS SETUP, run rngd, and never lack for randomness again.