Usage v2.1.1

Recommendations for kernel_reseed options

reseed_amount

Quantinuum recommends selecting a reseed_amount size that matches the value of the /proc/sys/kernel/random/poolsize system value. This is the maximum entropy pool size; as such, no benefit is provided in exceeding the entropy pool size.

The /proc/sys/kernel/random/poolsize value is expressed in bits, whereas the reseed_amount variable is expressed in bytes. Care must be taken to convert correctly between the two (divide the bit count by 8).

For example:

  • /proc/sys/kernel/random/poolsize = 256 bits

  • reseed_amount = 32 bytes

reseed_time

Quantinuum recommends setting the reseed_time to 60 seconds, adjusted according to the quantity of randomness consumed by the system. This is the default reseed time for the Linux kernel at version 5.19 and later. Some, but not all, distributions have opted to backport this change into their existing kernel version.

Users can verify the default reseed time on their system by referencing the /proc/sys/kernel/random/urandom_min_reseed_secs value.

force_reseed

The force_reseed variable will use the kernel’s RNDRESEEDCRNG ioctl to manually trigger an update of the kernel’s PRNG internal state. This will be triggered immediately after entropy is inserted into the kernel’s entropy pool. Ordinarily, this process is handled automatically by the Linux kernel as defined by /proc/sys/kernel/random/urandom_min_reseed_secs.

The randomness generated by the system will not be updated until the kernel’s PRNG state is updated. It is important to enable force_reseed if your reseed_time is less than the value defined at /proc/sys/kernel/random/urandom_min_reseed_secs.

The Linux kernel requires elevated capabilities to use the RNDRESEEDCRNG ioctl. When the force_reseed variable is set to true, the process will elevate its capabilities (CAP_SYS_ADMIN and CAP_SETPCAP) when needed to trigger the RNDRESEEDCRNG ioctl. If this is not desired, set the force_reseed variable to false.
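The following script is an added example, not part of Quantinuum's documentation or the qo-kernel-reseed service itself. It derives the recommended reseed_amount from the kernel's poolsize (bits to bytes, as described under reseed_amount) and decides whether force_reseed should be enabled by comparing the chosen reseed_time with urandom_min_reseed_secs (as described under force_reseed). The function names and the fallback values used when the /proc files are unavailable (256 bits and 60 seconds, taken from the examples above) are this script's own assumptions.

```shell
#!/bin/sh
# Added example (not part of the Quantinuum documentation): derive kernel_reseed
# settings from the kernel's own tunables.

# Convert the entropy pool size in bits (/proc/sys/kernel/random/poolsize)
# to the reseed_amount in bytes.
poolsize_bits_to_reseed_amount() {
    bits="$1"
    echo $(( bits / 8 ))
}

# Print "true" when force_reseed should be enabled: a reseed_time shorter than
# the kernel's urandom_min_reseed_secs means the kernel would not reseed its
# PRNG on its own before the next entropy injection, so the RNDRESEEDCRNG
# ioctl has to be triggered explicitly.
force_reseed_needed() {
    reseed_time="$1"
    min_reseed_secs="$2"
    if [ "$reseed_time" -lt "$min_reseed_secs" ]; then
        echo true
    else
        echo false
    fi
}

# Read the live kernel values on a Linux host; fall back to the documented
# example values (assumed here: 256 bits, 60 s) so the script still runs
# where /proc is not available.
recommend_config() {
    poolsize=$(cat /proc/sys/kernel/random/poolsize 2>/dev/null || echo 256)
    min_secs=$(cat /proc/sys/kernel/random/urandom_min_reseed_secs 2>/dev/null || echo 60)
    reseed_time="${1:-60}"
    echo "reseed_amount = $(poolsize_bits_to_reseed_amount "$poolsize")"
    echo "reseed_time = $reseed_time"
    echo "force_reseed = $(force_reseed_needed "$reseed_time" "$min_secs")"
}

# Usage: ./recommend.sh [reseed_time_seconds]
recommend_config "$@"
```

Run it with the reseed_time you intend to configure; on a host whose poolsize is 256 bits and urandom_min_reseed_secs is 60, a reseed_time of 30 yields reseed_amount = 32 and force_reseed = true, while a reseed_time of 60 yields force_reseed = false.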

Viewing system logs

If the service has been configured to log to the operating system's syslog, the generated logs can be viewed with the following command to verify that the service is operating properly.

$ sudo journalctl -u qo-kernel-reseed.service

We recommend that any logging is added to your SIEM monitoring tool. If syslog is already monitored, then please ensure these new lines are detected by the SIEM.