[LEDE-DEV] [PATCH v5] base-files: seed /dev/urandom

John Crispin john at phrozen.org
Tue Jun 28 01:44:23 PDT 2016



On 28/06/2016 10:28, Jo-Philipp Wich wrote:
> Hi Etienne,
> 
> I like this approach, fine with me now.
> 

same here, we could not also consider adding a uci-defaults script that
checks if rootfs is on a mtd or real block device and changes the default
during firstboot, but i guess that would be a new patch. i have just
pulled this into my staging tree

	John


> On 06/27/2016 05:53 PM, Etienne CHAMPETIER wrote:
>> This commit:
>> 1) seed /dev/urandom with the saved seeds as early as possible
>>    (see /lib/preinit/81_urandom_seed)
>> 2) save a seed at /etc/urandom.seed if it doesn't exist
>> 3) save a new seed each boot at "system.@system[0].urandom_seed"
>>    (see /etc/init.d/urandom_seed)
>>
>> We use getrandom() so we are sure /dev/urandom pool is initialized
>>
>> Seed size is 512 bytes (ie /proc/sys/kernel/random/poolsize / 8)
>> it's the same size as in ubuntu 14.04 and all systemd systems
>>
>> Seeding /dev/urandom doesn't change entropy estimation, so we still have
>> "random: ubus urandom read with 4 bits of entropy available"
>> messages in the logs, but we can now ignore them if they come
>> after the "urandom-seed: Seeding with ..." message
>>
>> Saving a new seed on each boot is disabled by default to avoid too many
>> writes without user consent
>>
>> v2: log preinit messages to /dev/kmsg
>> v3: use non generic function name for logging, as /lib/preinit/ files
>>     are all sourced together in /etc/preinit
>> v4: after a lot of discussion on the ML, use a uci config param
>> v5: config param is now the path of the seed
>>
>> Signed-off-by: Etienne CHAMPETIER <champetier.etienne at gmail.com>
> Acked-by: Jo-Philipp Wich <jo at mein.io>
>> ---
>>  package/base-files/files/bin/config_generate       |  1 +
>>  package/base-files/files/etc/init.d/urandom_seed   | 29 ++++++++++++++++++++++
>>  .../base-files/files/lib/preinit/81_urandom_seed   | 24 ++++++++++++++++++
>>  3 files changed, 54 insertions(+)
>>  create mode 100755 package/base-files/files/etc/init.d/urandom_seed
>>  create mode 100644 package/base-files/files/lib/preinit/81_urandom_seed
>>
>> diff --git a/package/base-files/files/bin/config_generate b/package/base-files/files/bin/config_generate
>> index 8002bc4..c0ba0fb 100755
>> --- a/package/base-files/files/bin/config_generate
>> +++ b/package/base-files/files/bin/config_generate
>> @@ -230,6 +230,7 @@ generate_static_system() {
>>  		set system. at system[-1].timezone='UTC'
>>  		set system. at system[-1].ttylogin='0'
>>  		set system. at system[-1].log_size='64'
>> +		set system. at system[-1].urandom_seed='0'
>>  
>>  		delete system.ntp
>>  		set system.ntp='timeserver'
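
Review bot: The new default `urandom_seed='0'` in generate_static_system() is an undocumented sentinel. Both scripts in this patch only act on the option when `"${SEED:0:1}" == "/"`, so the option really holds a path and any value that does not start with "/" silently disables per-boot saving. Please document that convention next to the option (or in the system config documentation), since the name and the '0' value read like a boolean and a user setting it to '1' would get no seed and no log message.
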
>> diff --git a/package/base-files/files/etc/init.d/urandom_seed b/package/base-files/files/etc/init.d/urandom_seed
>> new file mode 100755
>> index 0000000..cb2eb44
>> --- /dev/null
>> +++ b/package/base-files/files/etc/init.d/urandom_seed
>> @@ -0,0 +1,29 @@
>> +#!/bin/sh /etc/rc.common
>> +
>> +START=99
>> +
>> +EXTRA_COMMANDS="save"
>> +
>> +_log() {
>> +    logger -t urandom_seed "$1"
>> +}
>> +
>> +_save() {
>> +    touch $1.tmp || { _log "touch $1 failed"; return; }
>> +    chown root:root $1.tmp || { _log "chown $1 failed"; return; }
>> +    chmod 600 $1.tmp || { _log "chmod $1 failed"; return; }
>> +    getrandom 512 > $1.tmp || { _log "getrandom failed"; return; }
>> +    mv $1.tmp $1 || { _log "mv $1 failed"; return; }
>> +}
>> +
>> +save() {
>> +    SEED="$(uci -q get system. at system[0].urandom_seed)"
>> +    [ "${SEED:0:1}" == "/" ] && _save "$SEED" && _log "Seed saved ($SEED)"
>> +
>> +    SEED=/etc/urandom.seed
>> +    [ ! -f $SEED ] && _save "$SEED" && _log "Seed saved ($SEED)"
>> +}
>> +
>> +boot() {
>> +    save
>> +}
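
Review bot: In `_save`, every failure branch is `{ _log "..."; return; }`, and a bare `return` passes on the exit status of the preceding `_log` call, which is normally 0, so `save()` continues through `&&` and logs "Seed saved" after a failed touch, chown, chmod, getrandom or mv. Use `return 1` in each branch. Two smaller points in the same hunk: `$1` is unquoted in every command of `_save` (and `$SEED` in `[ ! -f $SEED ]`) although the first path comes from UCI, so quote it; and a failure after `touch` leaves `$1.tmp` behind, so remove the temporary file on the error paths.
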
>> diff --git a/package/base-files/files/lib/preinit/81_urandom_seed b/package/base-files/files/lib/preinit/81_urandom_seed
>> new file mode 100644
>> index 0000000..10878f3
>> --- /dev/null
>> +++ b/package/base-files/files/lib/preinit/81_urandom_seed
>> @@ -0,0 +1,24 @@
>> +#!/bin/sh
>> +
>> +log_urandom_seed() {
>> +    echo "urandom-seed: $1" > /dev/kmsg
>> +}
>> +
>> +_do_urandom_seed() {
>> +    [ -f "$1" ] || { log_urandom_seed "Seed file not found ($1)"; return; }
>> +    [ -O "$1" -a -G "$1" -a ! -x "$1" ] || { log_urandom_seed "Wrong owner / permissions for $1"; return; }
>> +
>> +    log_urandom_seed "Seeding with $1"
>> +    cat "$1" > /dev/urandom
>> +}
>> +
>> +do_urandom_seed() {
>> +    [ -c /dev/urandom ] || { log_urandom_seed "Something is wrong with /dev/urandom"; return; }
>> +
>> +    _do_urandom_seed "/etc/urandom.seed"
>> +
>> +    SEED="$(uci -q get system. at system[0].urandom_seed)"
>> +    [ "${SEED:0:1}" == "/" -a "$SEED" != "/etc/urandom.seed" ] && _do_urandom_seed "$SEED"
>> +}
>> +
>> +boot_hook_add preinit_main do_urandom_seed
>>
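
Review bot: The test in `_do_urandom_seed`, `[ -O "$1" -a -G "$1" -a ! -x "$1" ]`, checks ownership and the absence of the execute bit but never that the seed is unreadable and unwritable for group and other, although the log text says "Wrong owner / permissions" and `_save` in the init script creates the file with `chmod 600`. Add a mode check so a seed file with looser permissions is rejected, or reword the message to state what is actually verified. Also, "Seeding with $1" is logged before `cat "$1" > /dev/urandom` and the result of that write is not checked; since the commit message tells readers to rely on this log line, log it only after the write succeeds.
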