The project delivers a comprehensive redesign of the Linux kernel’s random number generation subsystem, focusing on entropy collection, estimation, and compliance with German federal security standards. The core technical contribution is the implementation of a new entropy pool that uses the Blake2s hash function as its state transition mechanism. The pool is initialized with the standard Blake2s initialization vector (IV) and a 0x01010000 parameter block, ensuring a secure unkeyed hash state. A spinlock protects concurrent updates, while an init_bits counter tracks the first 256 bits of entropy inserted during boot. Subsequent entropy is still mixed into the pool but is not counted, which simplifies state management while maintaining high security.
Entropy is gathered from multiple hardware and software sources. Interrupt noise, block device activity, human‑interface device (HID) events, and scheduler‑based timing variations are all fed into the pool via a simple Blake2s update call. The project provides detailed min‑entropy estimates for each source according to NIST SP800‑90B, covering worst‑case scenarios, normal use cases, and early‑boot conditions in both virtual and native environments. Tables summarise column‑wise and row‑wise estimates, demonstrating that even the lowest‑entropy sources contribute sufficient unpredictability for the pool’s requirements. A dedicated test series of raw entropy samples validates the theoretical estimates and confirms that the combined pool consistently exceeds the 256‑bit threshold needed for the ChaCha20 deterministic random number generator (DRNG).
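The pool described above can be modelled in user space; the following is an added example, not code from the project or the kernel. It decodes the 0x01010000 parameter word, derives the first word of the initial state, and shows init_bits saturating at 256 while later samples still change the hash state. Assumptions: the names PoolModel, mix, snapshot, decode_param_word and initial_h0 are hypothetical, a 32-byte digest is assumed, Python's hashlib stands in for the kernel's Blake2s code, and the samples and their one-bit credits are constructed.

```python
import hashlib
import threading

BLAKE2S_IV0 = 0x6A09E667   # first BLAKE2s IV word (RFC 7693)
PARAM_WORD = 0x01010000    # parameter word quoted in the text
DIGEST_SIZE = 32           # assumption: 256-bit digest
POOL_INIT_BITS = 256       # counting stops once this many bits are credited


def decode_param_word(word=PARAM_WORD, digest_size=DIGEST_SIZE):
    """Split the first parameter-block word into its byte fields (little-endian)."""
    b = (word | digest_size).to_bytes(4, "little")
    return {"digest_size": b[0], "key_length": b[1], "fanout": b[2], "depth": b[3]}


def initial_h0(word=PARAM_WORD, digest_size=DIGEST_SIZE):
    """First chaining word of the unkeyed state: IV[0] XOR parameter word."""
    return BLAKE2S_IV0 ^ (word | digest_size)


class PoolModel:
    """User-space model of the pool: hash state, lock, saturating init_bits."""

    def __init__(self):
        p = decode_param_word()
        # key_length == 0 means no key is passed: an unkeyed hash state.
        self._hash = hashlib.blake2s(digest_size=p["digest_size"],
                                     fanout=p["fanout"], depth=p["depth"])
        self._lock = threading.Lock()   # stands in for the kernel spinlock
        self.init_bits = 0

    def mix(self, sample, credit_bits=0):
        """Absorb a sample; credit entropy only until the pool counts as seeded."""
        with self._lock:
            self._hash.update(sample)
            self.init_bits = min(POOL_INIT_BITS, self.init_bits + credit_bits)

    def seeded(self):
        return self.init_bits >= POOL_INIT_BITS

    def snapshot(self):
        """Model-only helper: digest of a copy, leaving the live state untouched."""
        with self._lock:
            return self._hash.copy().digest()


# Constructed samples, not real measurements: (source, bytes, credited bits).
SAMPLES = [("interrupt", b"\x13\x9a\x02\x7f", 1), ("hid", b"\x44\x01", 1)]
```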
The ChaCha20 DRNG itself is fully compliant with BSI’s NTG.1 and DRG.3 specifications. The implementation follows the BSI‑approved design, providing a 256‑bit output state and a 128‑bit nonce. The project documents that the DRNG satisfies all sub‑requirements of DRG.3, including entropy source selection, state initialization, and output quality. The entropy pool’s design ensures that the DRNG receives a high‑quality seed, thereby guaranteeing cryptographic strength for all downstream applications.
Hardware random number generators are integrated through a new kernel framework that abstracts CPU‑based RNGs. The framework exposes a uniform interface to kernel subsystems, allowing the Linux‑RNG to fall back to hardware entropy when available. This hybrid approach improves entropy availability on systems with dedicated hardware RNGs while maintaining a robust software fallback.
Security domain protection is addressed by isolating the Linux‑RNG code and data structures within a dedicated kernel security domain. This isolation prevents unauthorized access to the entropy pool and the DRNG state, mitigating potential side‑channel attacks. The project also outlines a timeline for entropy availability: during installation, the pool accumulates 256 bits of entropy; after the first reboot, the DRNG is fully operational; and during regular usage, the pool continues to receive entropy from ongoing system activity.
The project was carried out under the auspices of the Federal Office for Information Security (BSI), which provided funding and defined the compliance requirements. The development cycle involved multiple kernel releases, with the fully tested version being 6.3 and the documented version 6.7. Collaboration with other German research institutions and industry partners contributed to the design of the hardware RNG framework and the validation of entropy estimates. The resulting Linux‑RNG module represents a significant step forward in providing a secure, standards‑compliant random number generation facility for the Linux kernel, meeting both national security mandates and the needs of modern cryptographic applications.
