[LEDE-DEV] [PATCH] base-files: seed /dev/urandom
John Crispin
john at phrozen.org
Mon Jun 13 04:55:49 PDT 2016
On 13/06/2016 00:56, Etienne Champetier wrote:
> Hi Felix,
>
> 2016-06-12 12:45 GMT+02:00 Felix Fietkau <nbd at nbd.name>:
>> On 2016-06-11 08:37, Etienne CHAMPETIER wrote:
>>> This commit:
>>> 1) seed /dev/urandom with a saved seed as early as possible
>>> (using /lib/preinit/81_urandom_seed)
>>> 2) save a new seed using getrandom() so we are sure /dev/urandom
>>> pool is initialized (using /etc/init.d/urandom_seed)
>>>
>>> seed size is 512 bytes (ie /proc/sys/kernel/random/poolsize / 8)
>>> it's the same size as in ubuntu 14.04 and all systemd systems
>>>
>>> seed file is /etc/urandom.seed (need a writable path)
>>>
>>> seeding /dev/urandom doesn't change entropy estimation, so we still have
>>> "random: ubus urandom read with 4 bits of entropy available"
>>> messages in the logs, but we can now ignore them
>>>
>>> We could also add an urandom.seed at build time to improve first boot
>> I'm not sure writing to flash on every single boot on every device is a
>> good default behavior.
>>
>
> Just saw your comment, it endend up in spam ...
>
> Reusing the same seed multiple time is not really recommended, as it
> means all boot with same seed are in the same state.
> What would be an acceptable behaviour for you?
> I could wait for ntp and then check if seed is older than X, but
> that's way less robust.
>
> BTW, we are already writing at every boot for dnsmasq/dnssec (/etc/dnsmasq.time)
>
lets add a system.system.write_state_to_flash_on_boot=0/1 uci option and
lock this and the dnssec time stuff with it and default it to 0
ideas what a short/descriptive name for the option would be ?
John
> Etienne
>
>> - Felix
>
> _______________________________________________
> Lede-dev mailing list
> Lede-dev at lists.infradead.org
> http://lists.infradead.org/mailman/listinfo/lede-dev
>
More information about the Lede-dev
mailing list