On Fri, Sep 07, 2012 at 11:51:57AM +1000, Peter Jeremy wrote:
> I've done some experiments on a couple of systems to look at gzip and
> sha256 speed.  On one box, "sysctl -an" returns 109989 bytes (though
> it has been up for a while) which gzip's to 12511 bytes (still too
> large for a single write to /dev/random).  The following is the
> wallclock time to run sha256 or gzip on that input (based on multiple
> runs of 100 loops).
> sha256   gzip -6   CPU
>  3.3ms    5.9ms    2.5GHz amd64 (Athlon 4850e)
>  6.8ms   13.3ms    1.6GHz i386 (Atom N270)
> 85  ms   34  ms    700MHz ARMv6 (Raspberry PI, running Linux)
> These times are all in the noise compared to overall startup time.

I got my slowest times on a CAVIUM OCTEON 52XX CPU Rev. 0.8 with no FPU.
This is the source of my performance concerns.  I agree your times are
"in the noise" and thus feel this diff deals with most of the concerns.

* Updates the comment about blocking -- it hasn't been true for 8 years.

* Document the natural limitations of the harvesting subsystem due to
  it having finite resources (space & time).

* Apply above documentation and don't write over 100k to /dev/random
  thinking it is all processed.  [or even the reduced 50k of output
  from using more selective commands]

* Apply Bruce Schneier's advice WRT not reusing seed material to
  the 'better_than_nothing' seed material and only use it on first
  post-installation boot.


Index: initrandom
===================================================================
--- initrandom  (revision 239610)
+++ initrandom  (working copy)
@@ -18,18 +18,40 @@ feed_dev_random()
 {
        if [ -f "${1}" -a -r "${1}" -a -s "${1}" ]; then
                cat "${1}" | dd of=/dev/random bs=8k 2>/dev/null
+       else
+               return 1
        fi
 }
 
 better_than_nothing()
 {
-       # XXX temporary until we can improve the entropy
-       # harvesting rate.
        # Entropy below is not great, but better than nothing.
-       # This unblocks the generator at startup
-       ( ps -fauxww; sysctl -a; date; df -ib; dmesg; ps -fauxww ) \
+
+       # Entropy below is not great, but better than nothing.
+       # Overwhelming the internal entropy seeding buffers is a NOP.
+       # Once the internal buffers are filled, additional input is
+       # dropped on the floor until the buffers are processed.
+       # For FreeBSD's current yarrow implementation that means
+       # there is little need to seed with more than 4k of input.
+       # In order to reduce the size of the seed input we hash it.
+
+       # The output of a cryptographic hash function whose input
+       # contained 'n' bits of entropy will have 'm' bits of entropy,
+       # where 'm' is either 'n' or slightly less due to collisions.
+       # So we operate under the premise that there is essentially
+       # no loss of entropy in hashing these inputs.
+
+       /sbin/sha256 -q `sysctl -n kern.bootfile` \
            | dd of=/dev/random bs=8k 2>/dev/null
-       cat /bin/ls | dd of=/dev/random bs=8k 2>/dev/null
+
+       # Note: commands are ordered based on least changing across reboots
+       # to most:
+       ( dmesg; kenv; df -ib; \
+           ps -fauxrH -o nwchan,nivcsw,nvcsw,time,re,sl; \
+           sysctl -n kern.cp_times kern.geom kern.lastpid kern.timecounter \
+           kern.tty_nout kern.tty_nin vm vfs debug dev.cpu; \
+           date ) \
+           | /sbin/sha256 -q | dd of=/dev/random bs=8k 2>/dev/null
 }
 
 initrandom_start()
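Review bot: The new comment block in better_than_nothing() says hashing loses essentially no entropy, but both writes now go through `/sbin/sha256 -q`, so each one delivers at most 256 bits to /dev/random no matter how much the `( dmesg; kenv; ... date )` group collected. State that cap next to the "4k of input" remark so a later reader does not assume the full command output reaches the generator. The `kern.bootfile` digest is the same on every boot of a given kernel, which deserves a one-line comment of its own. The line "# Entropy below is not great, but better than nothing." now appears twice (the retained context line and the added one); drop one. Quoting the substitution as "$(sysctl -n kern.bootfile)" would also stop sha256 from falling back to reading stdin if the sysctl ever returns an empty string.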
@@ -67,16 +89,16 @@ initrandom_start()
                #
                case ${entropy_file} in
                [Nn][Oo] | '')
+                       better_than_nothing
                        ;;
                *)
                        if [ -w /dev/random ]; then
-                               feed_dev_random "${entropy_file}"
+                               feed_dev_random "${entropy_file}" \
+                                   || better_than_nothing
                        fi
                        ;;
                esac
 
-               better_than_nothing
-
                echo -n ' kickstart'
        fi
 
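Review bot: In the `[Nn][Oo] | '')` branch, better_than_nothing now runs on every boot of a system that has entropy_file disabled, which does not match the stated intent of using this seed material only on the first post-installation boot. Either note that exception in a comment above the case statement or decide whether a disabled entropy_file should skip the fallback. That branch also calls better_than_nothing without the `[ -w /dev/random ]` test that guards the `*)` branch; moving the test above the `case` would cover both paths. Since feed_dev_random returns the status of its `cat | dd` pipeline when the file exists, a failed write to /dev/random triggers the fallback too, and that is worth a comment at the `|| better_than_nothing` line.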

-- 
-- David  ([email protected])
