[LEDE-DEV] [PATCH] base-files: seed /dev/urandom
Etienne Champetier
champetier.etienne at gmail.com
Tue Jun 14 01:13:02 PDT 2016
2016-06-14 9:08 GMT+02:00 Felix Fietkau <nbd at nbd.name>:
> On 2016-06-13 22:10, Etienne Champetier wrote:
>> Hi John, Felix,
>>
>> 2016-06-13 13:55 GMT+02:00 John Crispin <john at phrozen.org>:
>>>
>>>
>>> On 13/06/2016 00:56, Etienne Champetier wrote:
>>>> Hi Felix,
>>>>
>>>> 2016-06-12 12:45 GMT+02:00 Felix Fietkau <nbd at nbd.name>:
>>>>> On 2016-06-11 08:37, Etienne CHAMPETIER wrote:
>>>>>> This commit:
>>>>>> 1) seed /dev/urandom with a saved seed as early as possible
>>>>>> (using /lib/preinit/81_urandom_seed)
>>>>>> 2) save a new seed using getrandom() so we are sure /dev/urandom
>>>>>> pool is initialized (using /etc/init.d/urandom_seed)
>>>>>>
>>>>>> seed size is 512 bytes (ie /proc/sys/kernel/random/poolsize / 8)
>>>>>> it's the same size as in ubuntu 14.04 and all systemd systems
>>>>>>
>>>>>> seed file is /etc/urandom.seed (need a writable path)
>>>>>>
>>>>>> seeding /dev/urandom doesn't change entropy estimation, so we still have
>>>>>> "random: ubus urandom read with 4 bits of entropy available"
>>>>>> messages in the logs, but we can now ignore them
>>>>>>
>>>>>> We could also add an urandom.seed at build time to improve first boot
>>>>> I'm not sure writing to flash on every single boot on every device is a
>>>>> good default behavior.
>>>>>
>>>>
>>>> Just saw your comment, it endend up in spam ...
>>>>
>>>> Reusing the same seed multiple time is not really recommended, as it
>>>> means all boot with same seed are in the same state.
>>>> What would be an acceptable behaviour for you?
>>>> I could wait for ntp and then check if seed is older than X, but
>>>> that's way less robust.
>>>>
>>>> BTW, we are already writing at every boot for dnsmasq/dnssec (/etc/dnsmasq.time)
>>>>
>>>
>>> lets add a system.system.write_state_to_flash_on_boot=0/1 uci option and
>>> lock this and the dnssec time stuff with it and default it to 0
>>
>> Security can't be opt in !
>> When you see "random: ubus urandom read with 4 bits of entropy
>> available" let's hope it's not security sensitive, because 2^4 will
>> not take a lot of time to bruteforce...
> First of all, the kernel entropy estimation is *really* pessimistic, so
> there will be a lot more random bits at this point than just 4.
>
>> Before we try to minimize writes, how much writes are we talking about?
>> my openwrt routers have multiple months of uptime, and even if we get
>> down to 1 week, that gets us to 53 writes a year.
>> How much writes can a flash handle these days?
> I'm more concerned about the worst case than the average case here.
> There are people that do a forced reboot every day (as a stability
> workaround), or only power up their devices during specific times of the
> day (multiple reboots per day). This can easily add up to bigger numbers.
>
> Also, adding something like this makes other people want to add even
> more stuff that writes to flash on every boot, as you've so clearly
> demonstrated by pointing out that this behavior are already done for
> dnssec/dnsmasq.
Ok, let's find a middle ground :)
What about saving a seed if there is none (on boot), and then using an
ntp hotplug (stratum event) and save a new seed if older than say 1
week?
Etienne
>
> - Felix
More information about the Lede-dev
mailing list