kern/106275: Hifn 7955 on Soekris Engineering vpn1401 returning "bad randomness"?

[Patrick M. Hausen]

>Number:         106275
>Category:       kern
>Synopsis:       Hifn 7955 on Soekris Engineering vpn1401 returning "bad randomness"?
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun Dec 03 19:10:16 GMT 2006
>Closed-Date:
>Last-Modified:
>Originator:     Patrick M. Hausen
>Release:        FreeBSD 6.2-RC1 i386
>Organization:
punkt.de GmbH
>Environment:
System: FreeBSD ardbeg.hausen.com 6.2-RC1 FreeBSD 6.2-RC1 #0: Thu Nov 30 22:06:40 CET 2006 root at talisker.hausen.com:/usr/obj/nanobsd.net4801/usr/src/sys/NET4801 i386

Kernel-Config:

options         FAST_IPSEC              #new IPsec (cannot define w/ IPSEC)
device          crypto                  # core crypto support
device          cryptodev               # /dev/crypto for access to h/w
device          hifn                    # Hifn 7951, 7781, etc.

Dmesg:

hifn0 mem 0xa0003000-0xa0003fff,0xa0004000-0xa0005fff,0xa0008000-0xa000ffff irq 11 at device 10.0 on pci0
hifn0: Hifn 7955, rev 0, 32KB dram, pll=0x800<pci clk, 4x mult>

>Description:

	I do have an add on crypto card in my Soekris Net4801 box.
	Despite the hardware random generator I'm getting this message
	a couple of hours (read: a couple of MB IPsec traffic) after
	every reboot.

	WARNING: pseudo-random number generator used for IPsec processing

>How-To-Repeat:

	Difficult - get your hands on the same hardware ;-)
	I'll provide any debug output necessary and possibly even
	shell access to the box.

	If you need precise IPsec and ISAKMP config, I can provide
	that as well.

	Maybe PHK has some insight. AFAIK he's using quite a bit
	of Soekris hardware.

>Fix:

	I don't have the slightest idea ;-)
>Release-Note:
>Audit-Trail:
>Unformatted: