Hi Etienne, I like this approach, fine with me now.
On 06/27/2016 05:53 PM, Etienne CHAMPETIER wrote: > This commit: > 1) seed /dev/urandom with the saved seeds as early as possible > (see /lib/preinit/81_urandom_seed) > 2) save a seed at /etc/urandom.seed if it doesn't exists > 3) save a new seed each boot at "system.@system[0].urandom_seed" > (see /etc/init.d/urandom_seed) > > We use getrandom() so we are sure /dev/urandom pool is initialized > > Seed size is 512 bytes (ie /proc/sys/kernel/random/poolsize / 8) > it's the same size as in ubuntu 14.04 and all systemd systems > > Seeding /dev/urandom doesn't change entropy estimation, so we still have > "random: ubus urandom read with 4 bits of entropy available" > messages in the logs, but we can now ignore them if > after "urandom-seed: Seeding with ..." message > > Saving a new seed on each boot is disabled by default to avoid too much > writes without user consent > > v2: log preinit messages to /dev/kmsg > v3: use non generic function name for logging, as /lib/preinit/ files > are all sourced together in /etc/preinit > v4: after a lot of discussion on the ML, use a uci config param > v5: config param is now the path of the seed > > Signed-off-by: Etienne CHAMPETIER <champetier.etie...@gmail.com> Acked-by: Jo-Philipp Wich <j...@mein.io> > --- > package/base-files/files/bin/config_generate | 1 + > package/base-files/files/etc/init.d/urandom_seed | 29 > ++++++++++++++++++++++ > .../base-files/files/lib/preinit/81_urandom_seed | 24 ++++++++++++++++++ > 3 files changed, 54 insertions(+) > create mode 100755 package/base-files/files/etc/init.d/urandom_seed > create mode 100644 package/base-files/files/lib/preinit/81_urandom_seed > > diff --git a/package/base-files/files/bin/config_generate > b/package/base-files/files/bin/config_generate > index 8002bc4..c0ba0fb 100755 > --- a/package/base-files/files/bin/config_generate > +++ b/package/base-files/files/bin/config_generate 
> @@ -230,6 +230,7 @@ generate_static_system() {
> set system.@system[-1].timezone='UTC'
> set system.@system[-1].ttylogin='0'
> set system.@system[-1].log_size='64'
> + set system.@system[-1].urandom_seed='0'
>
> delete system.ntp
> set system.ntp='timeserver'
> diff --git a/package/base-files/files/etc/init.d/urandom_seed > b/package/base-files/files/etc/init.d/urandom_seed
> new file mode 100755
> index 0000000..cb2eb44
> --- /dev/null
> +++ b/package/base-files/files/etc/init.d/urandom_seed
> @@ -0,0 +1,29 @@
> +#!/bin/sh /etc/rc.common
> +
> +START=99
> +
> +EXTRA_COMMANDS="save"
> +
> +_log() {
> + logger -t urandom_seed "$1"
> +}
> +
> +_save() {
> + touch $1.tmp || { _log "touch $1 failed"; return; }
> + chown root:root $1.tmp || { _log "chown $1 failed"; return; }
> + chmod 600 $1.tmp || { _log "chmod $1 failed"; return; }
> + getrandom 512 > $1.tmp || { _log "getrandom failed"; return; }
> + mv $1.tmp $1 || { _log "mv $1 failed"; return; }
> +}
> +
> +save() {
> + SEED="$(uci -q get system.@system[0].urandom_seed)"
> + [ "${SEED:0:1}" == "/" ] && _save "$SEED" && _log "Seed saved ($SEED)"
> +
> + SEED=/etc/urandom.seed
> + [ ! -f $SEED ] && _save "$SEED" && _log "Seed saved ($SEED)"
> +}
> +
> +boot() {
> + save
> +}
> diff --git a/package/base-files/files/lib/preinit/81_urandom_seed > b/package/base-files/files/lib/preinit/81_urandom_seed
> new file mode 100644
> index 0000000..10878f3
> --- /dev/null
> +++ b/package/base-files/files/lib/preinit/81_urandom_seed
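Review bot: `_save` signals success to its callers even when it fails, because a bare `return;` placed after `_log` hands back the exit status of that `logger` call (normally 0), so the `&& _log "Seed saved ($SEED)"` in `save()` fires after a failed touch, chown, chmod, getrandom or mv. Each error path should `return 1`, and the paths after `touch` should also `rm -f "$1.tmp"` so a failed attempt does not leave a partial temp file next to the seed. The unquoted `$1` in `_save` additionally word-splits a configured seed path that contains whitespace; the rewrite below quotes it. The `[ "${SEED:0:1}" == "/" ]` test in `save()` — and the same test in `do_urandom_seed` in lib/preinit/81_urandom_seed — relies on bash-style substring expansion and `==`, which busybox ash accepts but POSIX sh does not; `case "$SEED" in /*) _save "$SEED" && _log "Seed saved ($SEED)" ;; esac` is the portable form.
```shell
_save() {
	touch "$1.tmp" || { _log "touch $1 failed"; return 1; }
	chown root:root "$1.tmp" || { _log "chown $1 failed"; rm -f "$1.tmp"; return 1; }
	chmod 600 "$1.tmp" || { _log "chmod $1 failed"; rm -f "$1.tmp"; return 1; }
	getrandom 512 > "$1.tmp" || { _log "getrandom failed"; rm -f "$1.tmp"; return 1; }
	mv "$1.tmp" "$1" || { _log "mv $1 failed"; rm -f "$1.tmp"; return 1; }
}
```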
> @@ -0,0 +1,24 @@
> +#!/bin/sh
> +
> +log_urandom_seed() {
> + echo "urandom-seed: $1" > /dev/kmsg
> +}
> +
> +_do_urandom_seed() {
> + [ -f "$1" ] || { log_urandom_seed "Seed file not found ($1)"; return; }
> + [ -O "$1" -a -G "$1" -a ! -x "$1" ] || { log_urandom_seed "Wrong owner / > permissions for $1"; return; }
> +
> + log_urandom_seed "Seeding with $1"
> + cat "$1" > /dev/urandom
> +}
> +
> +do_urandom_seed() {
> + [ -c /dev/urandom ] || { log_urandom_seed "Something is wrong with > /dev/urandom"; return; }
> +
> + _do_urandom_seed "/etc/urandom.seed"
> +
> + SEED="$(uci -q get system.@system[0].urandom_seed)"
> + [ "${SEED:0:1}" == "/" -a "$SEED" != "/etc/urandom.seed" ] && > _do_urandom_seed "$SEED"
> +}
> +
> +boot_hook_add preinit_main do_urandom_seed > _______________________________________________ Lede-dev mailing list Lede-dev@lists.infradead.org http://lists.infradead.org/mailman/listinfo/lede-dev
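Review bot: The ownership test in `_do_urandom_seed`, `[ -O "$1" -a -G "$1" -a ! -x "$1" ]`, checks owner, group and the execute bit but not the read bits, so a seed left group- or world-readable (the saver in etc/init.d/urandom_seed writes it `600`) is still fed to `/dev/urandom`; before the pool has gathered real entropy, early-boot output is largely a function of this file, so a seed other users can read gives little of the protection the hook is meant to add. If busybox `stat` is usable this early (not visible in this patch; confirm), `[ "$(stat -c %a "$1")" = "600" ]` would make the check match what `_save` writes; otherwise logging the mode alongside the existing "Wrong owner / permissions" message at least makes a mismatch visible. Separately, the seed consumed here is only replaced when the START=99 `save` runs (and for the default `/etc/urandom.seed` never, since `save` only creates it when missing), so a crash between the two replays the same seed on the next boot; a short comment above `do_urandom_seed`, e.g. `# The seed read here is reused on the next boot unless /etc/init.d/urandom_seed save replaces it`, would save the next reader re-deriving that from the commit message.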