[LEDE-DEV] [PATCH] base-files: seed /dev/urandom

Etienne Champetier champetier.etienne at gmail.com
Sun Jun 12 15:56:28 PDT 2016


Hi Felix,

2016-06-12 12:45 GMT+02:00 Felix Fietkau <nbd at nbd.name>:
> On 2016-06-11 08:37, Etienne CHAMPETIER wrote:
>> This commit:
>> 1) seed /dev/urandom with a saved seed as early as possible
>>    (using /lib/preinit/81_urandom_seed)
>> 2) save a new seed using getrandom() so we are sure /dev/urandom
>>    pool is initialized (using /etc/init.d/urandom_seed)
>>
>> seed size is 512 bytes (ie /proc/sys/kernel/random/poolsize / 8)
>> it's the same size as in ubuntu 14.04 and all systemd systems
>>
>> seed file is /etc/urandom.seed (need a writable path)
>>
>> seeding /dev/urandom doesn't change entropy estimation, so we still have
>> "random: ubus urandom read with 4 bits of entropy available"
>> messages in the logs, but we can now ignore them
>>
>> We could also add an urandom.seed at build time to improve first boot
> I'm not sure writing to flash on every single boot on every device is a
> good default behavior.
>

Just saw your comment, it ended up in spam ...

Reusing the same seed multiple times is not really recommended, as it
means all boots with the same seed are in the same state.
What would be an acceptable behaviour for you?
I could wait for ntp and then check if seed is older than X, but
that's way less robust.

BTW, we are already writing at every boot for dnsmasq/dnssec (/etc/dnsmasq.time)

Etienne

> - Felix
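The two halves described in the commit message above (mix a saved seed into /dev/urandom as early as possible, then save a fresh seed with getrandom() once the kernel pool is initialized), as an added example in C. This is not the patch's own code nor LEDE's init scripts; the default seed path, the ".tmp" suffix for the atomic rename, and the 512-byte fallback when /proc/sys/kernel/random/poolsize is unreadable are assumptions made for the example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/random.h>
#include <sys/stat.h>
#include <unistd.h>

/* Assumed fallback: 4096-bit pool / 8, the 512 bytes the commit message cites. */
#define FALLBACK_SEED_BYTES 512

/* Seed size as the commit defines it: /proc/sys/kernel/random/poolsize / 8. */
size_t seed_size(void)
{
    unsigned long bits = 0;
    FILE *f = fopen("/proc/sys/kernel/random/poolsize", "r");
    if (f) {
        if (fscanf(f, "%lu", &bits) != 1)
            bits = 0;
        fclose(f);
    }
    return bits >= 8 ? bits / 8 : FALLBACK_SEED_BYTES;
}

/* write(2) loop that retries on EINTR and short writes. */
static ssize_t write_all(int fd, const unsigned char *buf, size_t n)
{
    size_t done = 0;
    while (done < n) {
        ssize_t w = write(fd, buf + done, n - done);
        if (w < 0) {
            if (errno == EINTR)
                continue;
            return -1;
        }
        done += (size_t)w;
    }
    return (ssize_t)done;
}

/* Preinit half: feed the saved seed into the kernel pool.
 * Writing to /dev/urandom mixes the bytes in but credits no entropy
 * (crediting needs the RNDADDENTROPY ioctl and root), which is why the
 * "bits of entropy available" log lines are unchanged by this.
 * Returns bytes written, or -1 (a missing seed file, e.g. first boot). */
ssize_t seed_urandom(const char *seedfile)
{
    unsigned char buf[4096];
    ssize_t total = 0;
    int in = open(seedfile, O_RDONLY);
    if (in < 0)
        return -1;
    int out = open("/dev/urandom", O_WRONLY);
    if (out < 0) {
        close(in);
        return -1;
    }
    for (;;) {
        ssize_t r = read(in, buf, sizeof buf);
        if (r < 0) { total = -1; break; }
        if (r == 0) break;
        if (write_all(out, buf, (size_t)r) < 0) { total = -1; break; }
        total += r;
    }
    close(in);
    close(out);
    return total;
}

/* Init-script half: getrandom() with flags=0 blocks until the pool is
 * initialized, so the saved seed can never come from an unseeded pool.
 * The seed is secret material: it goes to a 0600 temp file and is renamed
 * into place, so a power loss mid-write leaves the previous seed intact
 * rather than a truncated file. Returns bytes saved, or -1. */
ssize_t save_seed(const char *seedfile)
{
    size_t n = seed_size(), got = 0;
    unsigned char *buf = malloc(n);
    char tmp[PATH_MAX];
    if (!buf)
        return -1;
    while (got < n) {
        ssize_t r = getrandom(buf + got, n - got, 0);
        if (r < 0) {
            if (errno == EINTR)
                continue;
            free(buf);
            return -1;
        }
        got += (size_t)r;
    }
    snprintf(tmp, sizeof tmp, "%s.tmp", seedfile); /* assumed suffix */
    int fd = open(tmp, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0) {
        free(buf);
        return -1;
    }
    int ok = write_all(fd, buf, n) == (ssize_t)n && fsync(fd) == 0;
    close(fd);
    free(buf);
    if (!ok || rename(tmp, seedfile) != 0) {
        unlink(tmp);
        return -1;
    }
    return (ssize_t)n;
}

/* Usage: urandom-seed [seedfile] [save]   (default path is an assumption) */
int main(int argc, char **argv)
{
    const char *path = argc > 1 ? argv[1] : "/etc/urandom.seed";
    if (argc > 2 && strcmp(argv[2], "save") == 0)
        return save_seed(path) < 0 ? 1 : 0;
    return seed_urandom(path) < 0 ? 1 : 0;
}
```

Run the binary without "save" from the preinit hook and with "save" from the init script; because save_seed() overwrites the file every boot, the seed that was just consumed is never reused on the next boot, which is the reuse concern raised in the reply.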


