[LEDE-DEV] [PATCH] urandom-seed: add initial implementation
Etienne CHAMPETIER
champetier.etienne at gmail.com
Thu Jun 2 14:21:33 PDT 2016
This package:
1) seed /dev/urandom with a saved seed as early as possible
(using /lib/preinit/81_urandom_seed)
2) save a new seed using getrandom() so we are sure /dev/urandom
pool is initialized (using /etc/init.d/urandom_seed)
seed size is 512 bytes (ie /proc/sys/kernel/random/poolsize / 8)
it's the same size as in ubuntu 14.04 and all systemd systems
seed file is /etc/urandom.seed (need a writable path)
seeding /dev/urandom doesn't change entropy estimation, so we still have
"random: ubus urandom read with 4 bits of entropy available"
messages in the logs, but we can now ignore them
Once tested on enough configuration (jffs2/ext4/ubifs/...)
this package should be added to DEFAULT_PACKAGES
We could also add an urandom.seed at build time to improve first boot
Signed-off-by: Etienne CHAMPETIER <champetier.etienne at gmail.com>
---
package/utils/urandom-seed/Makefile | 53 ++++++++++++++++++++
.../urandom-seed/files/81_urandom_seed.preinit | 15 ++++++
package/utils/urandom-seed/files/getrandom.c | 58 ++++++++++++++++++++++
package/utils/urandom-seed/files/urandom_seed.init | 19 +++++++
4 files changed, 145 insertions(+)
create mode 100644 package/utils/urandom-seed/Makefile
create mode 100644 package/utils/urandom-seed/files/81_urandom_seed.preinit
create mode 100644 package/utils/urandom-seed/files/getrandom.c
create mode 100644 package/utils/urandom-seed/files/urandom_seed.init
diff --git a/package/utils/urandom-seed/Makefile b/package/utils/urandom-seed/Makefile
new file mode 100644
index 0000000..ac58bfc
--- /dev/null
+++ b/package/utils/urandom-seed/Makefile
@@ -0,0 +1,53 @@
+#
+# Copyright (C) 2016 Etienne CHAMPETIER <champetier.etienne at gmail.com>
+#
+# This is free software, licensed under the GNU General Public License v2.
+# See /LICENSE for more information.
+#
+
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=urandom-seed
+PKG_RELEASE:=1
+PKG_LICENSE:=GPL-2.0
+PKG_LICENSE_FILES:=COPYING
+PKG_BUILD_DIR := $(BUILD_DIR)/$(PKG_NAME)_$(PKG_RELEASE)
+PKG_FLAGS:=nonshared
+
+include $(INCLUDE_DIR)/package.mk
+
+define Package/urandom-seed
+ SECTION:=utils
+ CATEGORY:=Base system
+ TITLE:=Seed /dev/urandom on startup
+ MAINTAINER:=Etienne CHAMPETIER <champetier.etienne at gmail.com>
+endef
+
+define Package/urandom-seed/description
+This package takes care of loading a previously saved seed into /dev/urandom,
+and save a new seed from getrandom()
+endef
+
+define Build/Prepare
+ mkdir -p $(PKG_BUILD_DIR)
+endef
+
+define Build/Configure
+endef
+
+define Build/Compile
+ $(TARGET_CC) $(TARGET_CFLAGS) ./files/getrandom.c -o $(PKG_BUILD_DIR)/getrandom
+endef
+
+define Package/urandom-seed/install
+ $(INSTALL_DIR) $(1)/usr/bin
+ $(INSTALL_BIN) $(PKG_BUILD_DIR)/getrandom $(1)/usr/bin/
+
+ $(INSTALL_DIR) $(1)/lib/preinit
+ $(INSTALL_DATA) ./files/81_urandom_seed.preinit $(1)/lib/preinit/81_urandom_seed
+
+ $(INSTALL_DIR) $(1)/etc/init.d
+ $(INSTALL_BIN) ./files/urandom_seed.init $(1)/etc/init.d/urandom_seed
+endef
+
+$(eval $(call BuildPackage,urandom-seed))
diff --git a/package/utils/urandom-seed/files/81_urandom_seed.preinit b/package/utils/urandom-seed/files/81_urandom_seed.preinit
new file mode 100644
index 0000000..27ff587
--- /dev/null
+++ b/package/utils/urandom-seed/files/81_urandom_seed.preinit
@@ -0,0 +1,15 @@
+#!/bin/sh
+
+do_urandom_seed() {
+ S=/etc/urandom.seed
+ U=/dev/urandom
+
+ [ -c $U ] || { echo "Something is wrong with $U"; return; }
+ [ -f $S ] || { echo "Seed file not found: $S"; return; }
+ [ -O $S -a -G $S -a ! -x $S ] || { echo "Wrong owner / permissions for $S"; return; }
+
+ echo "Seeding $U with $S"
+ cat $S > $U
+}
+
+boot_hook_add preinit_main do_urandom_seed
diff --git a/package/utils/urandom-seed/files/getrandom.c b/package/utils/urandom-seed/files/getrandom.c
new file mode 100644
index 0000000..2093ef8
--- /dev/null
+++ b/package/utils/urandom-seed/files/getrandom.c
@@ -0,0 +1,58 @@
+/*
+ * Copyright (C) 2016 Etienne Champetier <champetier.etienne at gmail.com>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ */
+#define _GNU_SOURCE
+#include <errno.h>
+#include <linux/random.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/syscall.h>
+#include <unistd.h>
+
+#define ERROR_EXIT(fmt, ...) do { \
+ fprintf(stderr, fmt, ## __VA_ARGS__); \
+ return EXIT_FAILURE; \
+ } while (0)
+
+int usage(char *name)
+{
+ fprintf(stderr, "Usage: %s <nb>\n", name);
+ fprintf(stderr, " => return <nb> bytes from getrandom()\n");
+ return EXIT_FAILURE;
+}
+
+int main(int argc, char *argv[])
+{
+ if (argc != 2)
+ return usage(argv[0]);
+
+ if (isatty(STDOUT_FILENO))
+ ERROR_EXIT("Not outputting random to a tty\n");
+
+ int nbtot = atoi(argv[1]);
+ if (nbtot < 1)
+ ERROR_EXIT("Invalid <nb> param (must be > 0)\n");
+
+ char buf[256];
+ int len = sizeof(buf);
+ while (nbtot > 0) {
+ if (nbtot <= sizeof(buf))
+ len = nbtot;
+ if (syscall(SYS_getrandom, buf, len, 0) == -1)
+ ERROR_EXIT("getrandom() failed: %s\n", strerror(errno));
+ if (write(STDOUT_FILENO, buf, len) != len)
+ ERROR_EXIT("write() failed: %s\n", strerror(errno));
+ nbtot -= sizeof(buf);
+ }
+}
diff --git a/package/utils/urandom-seed/files/urandom_seed.init b/package/utils/urandom-seed/files/urandom_seed.init
new file mode 100644
index 0000000..b2aba28
--- /dev/null
+++ b/package/utils/urandom-seed/files/urandom_seed.init
@@ -0,0 +1,19 @@
+#!/bin/sh /etc/rc.common
+
+START=99
+
+SEED=/etc/urandom.seed
+
+save_seed() {
+ touch $SEED.tmp
+ chown root:root $SEED.tmp
+ chmod 600 $SEED.tmp
+ getrandom 512 > $SEED.tmp
+
+ logger "Saving urandom seed to $SEED"
+ mv $SEED.tmp $SEED
+}
+
+boot() {
+ save_seed
+}
--
1.9.1
More information about the Lede-dev
mailing list