| .\" Copyright (C) 2014, Theodore Ts'o <tytso@mit.edu> |
| .\" Copyright (C) 2014,2015 Heinrich Schuchardt <xypron.glpk@gmx.de> |
| .\" Copyright (C) 2015, Michael Kerrisk <mtk.manpages@gmail.com> |
| .\" |
| .\" %%%LICENSE_START(VERBATIM) |
| .\" Permission is granted to make and distribute verbatim copies of this |
| .\" manual provided the copyright notice and this permission notice are |
| .\" preserved on all copies. |
| .\" |
| .\" Permission is granted to copy and distribute modified versions of |
| .\" this manual under the conditions for verbatim copying, provided that |
| .\" the entire resulting derived work is distributed under the terms of |
| .\" a permission notice identical to this one. |
| .\" |
| .\" Since the Linux kernel and libraries are constantly changing, this |
| .\" manual page may be incorrect or out-of-date. The author(s) assume. |
| .\" no responsibility for errors or omissions, or for damages resulting. |
| .\" from the use of the information contained herein. The author(s) may. |
| .\" not have taken the same level of care in the production of this. |
| .\" manual, which is licensed free of charge, as they might when working. |
| .\" professionally. |
| .\" |
| .\" Formatted or processed versions of this manual, if unaccompanied by |
| .\" the source, must acknowledge the copyright and authors of this work. |
| .\" %%%LICENSE_END |
| .\" |
| .TH GETRANDOM 2 2015-01-22 "Linux" "Linux Programmer's Manual" |
| .SH NAME |
| getrandom \- obtain a series of random bytes |
| .SH SYNOPSIS |
| .B #include <linux/random.h> |
| .sp |
| .BI "int getrandom(void *"buf ", size_t " buflen ", unsigned int " flags ); |
| .SH DESCRIPTION |
| The |
| .BR getrandom () |
| system call fills the buffer pointed to by |
| .I buf |
| with up to |
| .I buflen |
| random bytes. |
| These bytes can be used to seed user-space random number generators |
| or for cryptographic purposes. |
| .PP |
| .BR getrandom () |
| relies on entropy gathered from device drivers and other sources of |
| environmental noise. |
| Unnecessarily reading large quantities of data will have a negative impact |
| on other users of the |
| .I /dev/random |
| and |
| .I /dev/urandom |
| devices. |
| Therefore, |
| .BR getrandom () |
| should not be used for Monte Carlo simulations or other |
| programs/algorithms which are doing probabilistic sampling. |
| |
| By default, |
| .BR getrandom () |
| draws entropy from the |
| .IR /dev/urandom |
| pool. |
| This behavior can be changed via the |
| .I flags |
| argument. |
| If the |
| .IR /dev/urandom |
| pool has been initialized, |
| reads of up to 256 bytes will always return as many bytes as |
| requested and will not be interrupted by signals. |
| No such guarantees apply for larger buffer sizes. |
| For example, if the call is interrupted by a signal handler, |
| it may return a partially filled buffer, or fail with the error |
| .BR EINTR . |
| If the pool has not yet been initialized, then the call blocks, unless |
| .B GRND_NONBLOCK |
| is specified in |
| .IR flags . |
| |
| The |
| .I flags |
| argument is a bit mask that can contain zero or more of the following values |
| ORed together: |
| .TP |
| .B GRND_RANDOM |
| If this bit is set, then random bytes are drawn from the |
| .I /dev/random |
| pool instead of the |
| .I /dev/urandom |
| pool. |
| The |
| .I /dev/random |
| pool is limited based on the entropy that can be obtained from environmental |
| noise. |
| If the number of available bytes in |
| .I /dev/random |
| is less than requested in |
| .IR buflen , |
| the call returns just the available random bytes. |
| If no random bytes are available, the behavior depends on the presence of |
| .B GRND_NONBLOCK |
| in the |
| .I flags |
| argument. |
| .TP |
| .B GRND_NONBLOCK |
| By default, when reading from |
| .IR /dev/random , |
| .BR getrandom () |
| blocks if no random bytes are available, |
| and when reading from |
| .IR /dev/urandom , |
| it blocks if the entropy pool has not yet been initialized. |
| If the |
| .B GRND_NONBLOCK |
| flag is set, then |
| .BR getrandom () |
| does not block in these cases, but instead immediately returns \-1 with |
| .I errno |
| set to |
| .BR EAGAIN . |
| .SH RETURN VALUE |
| On success, |
| .BR getrandom () |
| returns the number of bytes that were copied to the buffer |
| .IR buf . |
| This may be less than the number of bytes requested via |
| .I buflen |
| if |
| .BR GRND_RANDOM |
| was specified in |
| .IR flags |
| and insufficient entropy was present in the |
| .IR /dev/random |
| pool, or if the system call was interrupted by a signal. |
| .PP |
| On error, \-1 is returned, and |
| .I errno |
| is set appropriately. |
| .SH ERRORS |
| .TP |
| .B EINVAL |
| An invalid flag was specified in |
| .IR flags . |
| .TP |
| .B EFAULT |
| The address referred to by |
| .I buf |
| is outside the accessible address space. |
| .TP |
| .B EAGAIN |
| The requested entropy was not available, and |
| .BR getrandom () |
| would have blocked if the |
| .B GRND_NONBLOCK |
| flag was not set. |
| .TP |
| .B EINTR |
| The call was interrupted by a signal |
| handler; see the description of how interrupted |
| .BR read (2) |
| calls on "slow" devices are handled with and without the |
| .B SA_RESTART |
| flag in the |
| .BR signal (7) |
| man page. |
| .SH VERSIONS |
| .BR getrandom () |
| was introduced in version 3.17 of the Linux kernel. |
| .SH CONFORMING TO |
| This system call is Linux-specific. |
| .SH NOTES |
| .SS Maximum number of bytes returned |
| As of Linux 3.19 the following limits apply: |
| .IP * 3 |
| When reading from |
| .IR /dev/urandom , |
| a maximum of 33554431 bytes is returned by a single call to |
| .BR getrandom () |
| on a system where |
| .I int |
| has a size of 32 bits. |
| .IP * |
| When reading from |
| .IR /dev/random , |
| a maximum of 512 bytes is returned. |
| .SS Initialization of the entropy pool |
| The kernel collects bits of entropy from environment. |
| When a sufficient number of random bits has been collected, the |
| .I /dev/urandom |
| entropy pool is considered to be initialized. |
| This state is normally reached early in the system bootstrap phase. |
| .SS Interruption by a signal handler |
| When reading from |
| .I /dev/urandom |
| .RB ( GRND_RANDOM |
| is not set), |
| .BR getrandom () |
| will block until the entropy pool has been initialized |
| (unless the |
| .BR GRND_NONBLOCK |
| flag was specified). |
| If a request is made to read a large number (more than 256) of bytes, |
| .BR getrandom () |
| will block until those bytes have been generated and transferred |
| from kernel memory to |
| .IR buf . |
| When reading from |
| .I /dev/random |
| .RB ( GRND_RANDOM |
| is set), |
| .BR getrandom () |
| will block until some random bytes become available |
| (unless the |
| .BR GRND_NONBLOCK |
| flag was specified). |
| |
| The behavior when a call to |
| .BR getrandom () |
| that is blocked while reading from |
| .I /dev/urandom |
| is interrupted by a signal handler |
| depends on the initialization state of the entropy buffer |
| and on the request size, |
| .IR buflen . |
| If the entropy is not yet initialized, then the call will fail with the |
| .B EINTR |
| error. |
| If the entropy pool has been initialized |
| and the request size is large |
| .RI ( buflen "\ >\ 256)," |
| the call either succeeds, returning a partially filled buffer, |
| or fails with the error |
| .BR EINTR. |
| If the entropy pool has been initialized and the request size is small |
| .RI ( buflen "\ <=\ 256)," |
| then |
| .BR getrandom () |
| will not fail with |
| .BR EINTR . |
| Instead, it will return all of the bytes that have been requested. |
| |
| When reading from |
| .IR /dev/random , |
| blocking requests of any size can be interrupted by a signal |
| (the call fails with the error |
| .BR EINTR ). |
| |
| Calling |
| .BR getrandom () |
| to read |
| .I /dev/urandom |
| for small values (<=\ 256) of |
| .I buflen |
| is the preferred mode of usage. |
| .PP |
| The special treatment of small values of |
| .I buflen |
| was designed for compatibility with |
| OpenBSD's |
| .BR getentropy () |
| system call. |
| .PP |
| The user of |
| .BR getrandom () |
| .I must |
| always check the return value, |
| to determine whether either an error occurred |
| or fewer bytes than requested were returned. |
| In the case where |
| .B GRND_RANDOM |
| is not specified and |
| .I buflen |
| is less than or equal to 256, |
| a return of fewer bytes than requested should never happen, |
| but the careful programmer will check for this anyway! |
| .SS Choice of random device |
| Unless you are doing long-term key generation (and perhaps not even |
| then), you probably shouldn't be using |
| .B GRND_RANDOM. |
| The cryptographic algorithms used for |
| .I /dev/urandom |
| are quite conservative, and so should be sufficient for all purposes. |
| The disadvantage of |
| .B GRND_RANDOM |
| is that it can block. |
| Furthermore, dealing with the partially fulfilled |
| .BR getrandom () |
| requests that can occur when using |
| .B GRND_RANDOM |
| increases code complexity. |
| .SS Emulating OpenBSD's getentropy() |
| The |
| .BR getentropy () |
| system call in OpenBSD can be emulated using the following |
| function: |
| |
| .in +4n |
| .nf |
| int |
| getentropy(void *buf, size_t buflen) |
| { |
| int ret; |
| |
| if (buflen > 256) |
| goto failure; |
| ret = getrandom(buf, buflen, 0); |
| if (ret < 0) |
| return ret; |
| if (ret == buflen) |
| return 0; |
| failure: |
| errno = EIO; |
| return \-1; |
| } |
| .fi |
| .in |
| .SH BUGS |
| As of Linux 3.19, the following bug exists: |
| .\" FIXME patch proposed https://lkml.org/lkml/2014/11/29/16 |
| .IP * 3 |
| Depending on CPU load, |
| .BR getrandom () |
| does not react to interrupts before reading all bytes requested. |
| .SH SEE ALSO |
| .BR random (4), |
| .BR urandom (4), |
| .BR signal (7) |