[OpenWrt-Devel] [PATCH 4/4] build: add urandom-seed and urngd to default packages set

Petr Štetiar ynezz at true.cz
Tue May 28 22:21:58 PDT 2019


Yousong Zhou <yszhou4tech at gmail.com> [2019-05-29 10:25:52]:

> On Tue, 28 May 2019 at 05:30, Petr Štetiar <ynezz at true.cz> wrote:
> >
> > urandom-seed content was split from base-files into separate package so
> > in order to preserve the current functionality and to provide some
> > fallback mechanism in case jent-rng initialization fails in urngd we
> > need to add it back.
> >
> > urngd is OpenWrt's micro non-physical true random number generator based
> > on timing jitter.
> 
> If I understand the patch correctly it seems the urandom-seed will run
> alongside urngd, not a fallback.

alongside urngd, not as a fallback, just to keep the current state. It's
not a fallback, as urandom-seed doesn't provide input which is trusted by the
kernel: urandom-seed is just feeding the urandom.seed file to the kernel through
the /dev/urandom file, and this input is never trusted by the kernel, so it's just
being added to the entropy pool, without any credibility.

> Is urandom-seed a must, or only serve as a precaution just in case?

It's not a must; the 4.14 kernel (I didn't check 4.9) can collect good enough
entropy by itself. urandom-seed is just adding some kind of 512-byte noise
(which we collect only on the first boot) to the kernel entropy pool, which is
then mixed with other kernel sources in order to provide usable noise to
/dev/random.

> If urngd can solve the problem what urandom-seed is for, I would
> suggest we make urandom-seed an opt-in option, not included by
> default.

That was my plan in the RFC series, but as we don't know yet where urngd works,
I've kept it for now. We can then probably remove urandom-seed on those
platforms where we're sure that urngd works, and if we find out that it's
just mt7620 having issues, then we can make it opt-in by default (remove
urandom-seed from the global default packages) and add urandom-seed just to
the mt7620 default package set.

-- ynezz
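The distinction drawn in the reply above, shown as an added example (this is not code from the thread, from urandom-seed or from urngd): a write() into /dev/urandom mixes the bytes into the pool but credits no entropy, whereas the kernel interface for input it will actually credit is the RNDADDENTROPY ioctl, which is gated on CAP_SYS_ADMIN. Assumes a Linux host; the 512-byte seed buffer is constructed and deliberately predictable, and the credited call passes 0 bits so it never claims entropy for it.

```c
#include <errno.h>
#include <fcntl.h>
#include <linux/random.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ioctl.h>
#include <unistd.h>

/* urandom-seed style input: write() into /dev/urandom. The bytes are mixed
 * into the pool, but the kernel credits no entropy for them, so on its own
 * this never satisfies /dev/random. Unprivileged; returns bytes written or -1. */
static ssize_t mix_uncredited(const void *buf, size_t len) {
    int fd = open("/dev/urandom", O_WRONLY);
    if (fd < 0) return -1;
    ssize_t n = write(fd, buf, len);
    int saved = errno;
    close(fd);
    errno = saved;
    return n;
}

/* Credited input: RNDADDENTROPY on /dev/random mixes the bytes *and* adds
 * `bits` to the entropy count. This is how user space gets the kernel to
 * trust its input, and it needs CAP_SYS_ADMIN. Returns 0, or -1 with errno
 * set (EPERM for an unprivileged caller). */
static int mix_credited(const void *buf, size_t len, int bits) {
    struct rand_pool_info *info = malloc(sizeof(*info) + len);
    if (!info) return -1;
    info->entropy_count = bits;       /* bits the caller vouches for */
    info->buf_size = (int)len;        /* bytes in info->buf */
    memcpy(info->buf, buf, len);
    int fd = open("/dev/random", O_RDWR), rc = -1;
    if (fd >= 0) {
        rc = ioctl(fd, RNDADDENTROPY, info);
        int saved = errno;
        close(fd);
        errno = saved;
    }
    free(info);
    return rc;
}

int main(void) {
    unsigned char seed[512];          /* constructed stand-in for urandom.seed */
    memset(seed, 0x42, sizeof seed);  /* predictable on purpose: must never be credited */
    printf("write to /dev/urandom: %zd bytes, 0 bits credited\n",
           mix_uncredited(seed, sizeof seed));
    if (mix_credited(seed, sizeof seed, 0) == 0) puts("RNDADDENTROPY: accepted (0 bits)");
    else printf("RNDADDENTROPY: %s\n", strerror(errno));
    return 0;
}
```

Run as root the ioctl is accepted; as an ordinary user it fails with EPERM while the plain write still succeeds, which is exactly why the seed-file path can never be the trusted source.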

