I've just committed this change to finish-install.git, inspired by comments in https://factorable.net/weakkeys12.extended.pdf. (At least for systems using sysvinit, this is the only change that I can readily see needs to be made to Debian based on that paper.) I can't immediately point to a vulnerability caused by not having enough entropy at first boot, but entropy is a scarce resource in general on many systems and it seems worth going to some effort to preserve as much of it as possible.
If you install your system once and then clone it, this change does mean that all the clones will start out with the same random seed. However, this is no worse than them starting out with no random seed at all; it just perturbs all their entropy pools in the same way. I think we should include this change in wheezy. Any comments?

commit ff70cfbd2a6e93b23903c7f16dfdac0b79b46b98 Author: Colin Watson <cjwat...@debian.org> Date: Fri Jan 11 18:05:30 2013 +0000 Save a random seed to the installed system so that it has better entropy on first boot (LP: #1098299). diff --git a/debian/changelog b/debian/changelog index 27f18f7..3481dfd 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +finish-install (2.42) UNRELEASED; urgency=low + + * Save a random seed to the installed system so that it has better entropy + on first boot (LP: #1098299). + + -- Colin Watson <cjwat...@debian.org> Fri, 11 Jan 2013 16:32:28 +0000 + finish-install (2.41) unstable; urgency=low * Make sure to run update-initramfs if both cryptsetup and console-setup diff --git a/finish-install.d/94random-seed b/finish-install.d/94random-seed new file mode 100755 index 0000000..b00aae1 --- /dev/null +++ b/finish-install.d/94random-seed @@ -0,0 +1,17 @@ +#! /bin/sh +set -e + +# If possible, save a random seed so that the installed system has better +# entropy on first boot. Based on /etc/init.d/urandom in initscripts. +if [ -c /dev/urandom ] && [ -d /target/var/lib/urandom ]; then + if ! POOLBYTES=$(( + ($(cat /proc/sys/kernel/random/poolsize 2>/dev/null) + 7) / 8 + )); then + POOLBYTES=512 + fi + umask 077 + dd if=/dev/urandom of=/target/var/lib/urandom/random-seed \ + bs="$POOLBYTES" count=1 >/dev/null 2>&1 +fi + +exit 0

Thanks,

-- 
Colin Watson [cjwat...@debian.org]

Archive: http://lists.debian.org/20130111180607.gb5...@riva.dynamic.greenend.org.uk
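Review bot: in the new finish-install.d/94random-seed hunk, the `POOLBYTES=512` fallback is unlikely to ever take effect. If /proc/sys/kernel/random/poolsize cannot be read, the inner `$(cat ... 2>/dev/null)` expands to nothing and the arithmetic becomes `( + 7) / 8`, which is an arithmetic syntax error; with `#! /bin/sh` (dash on Debian) that is a fatal shell error that exits the non-interactive script, not a non-zero status that `if ! ...` can catch (bash is more lenient here, which is probably why the construct went unnoticed in /etc/init.d/urandom, from which the comment says it was taken). Suggest reading the value first and testing it, e.g. `POOLSIZE=$(cat /proc/sys/kernel/random/poolsize 2>/dev/null)`, then `if [ -n "$POOLSIZE" ]; then POOLBYTES=$(( (POOLSIZE + 7) / 8 )); else POOLBYTES=512; fi`, and applying the same fix to the initscripts copy. The header comment could also record two caveats the cover mail raises but the script does not: the seed is only as good as the entropy the installer environment itself has gathered by the time finish-install runs, and clones made from the installed image will share it.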