Hi Kostas,

In general you should always add lede-dev so that more people can answer and/or benefit from the answer.
2017-02-18 13:38 GMT-08:00 Kostas Papadopoulos <kpapa...@travelguide.gr>:
> Etienne/John, I'd like to say that I very much appreciate your contributions
> to OpenWrt/LEDE on improving its security, but I have a question about the
> relatively new LEDE feature that saves entropy once into /etc/urandom.seed
> (default) and then re-seeds the pool at every boot.

This default of saving a seed only once was chosen to not write too often to the flash and damage the user's router without the user's consent, but it still helps to have all same-model routers (with the same firmware) not share the same state (after the second boot).

> My other systems (Debian, Ubuntu) re-save entropy at every shutdown and
> re-seed the pool at every boot.
>
> If I enable (by configuring a path to the file /etc/urandom.seed) entropy
> re-saving in LEDE, it re-saves entropy only a few seconds after every
> reboot. But it's hardly enough time for new entropy to accumulate, isn't it?

We are using the getrandom syscall which gives this promise
http://man7.org/linux/man-pages/man2/getrandom.2.html
"getrandom() will block until the entropy pool has been initialized"

So my answer is: it's enough according to the kernel devs (and if it's not enough it's a bug on the kernel side that needs to be fixed).

> Is there a new solution in the works that does preserve entropy between
> shutdowns, as the other Linux distros do?
We save the seed on startup because you can't rely on a clean shutdown/reboot in the embedded world (people often unplug/replug the power to reboot).

Also, saving on startup or shutdown doesn't make any difference as long as the entropy pool has been initialized (that's getrandom's promise).

So for me, by setting the 'urandom_seed' config to a file (/etc/urandom.seed) you "preserve enough entropy" between restarts, and it's equivalent to what other distros do (save a seed / restore it).

Small disclaimer, I'm not a security expert and this is only my understanding on the subject.

Regards
Etienne

> Thank you in advance for your consideration,
>
> KP

_______________________________________________
Lede-dev mailing list
Lede-dev@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/lede-dev
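As an added illustration of the save/restore cycle discussed in the thread (this is example code written here, not LEDE's own init script, which the thread does not show): getrandom(2) with flags = 0 blocks only until the kernel pool is initialized, so a seed taken seconds after boot is already backed by an initialized pool, and feeding it back at the next boot mixes it into the pool without crediting entropy. The function names, the 512-byte cap and the restore destination parameter are my choices; /etc/urandom.seed is the path from the thread.

```c
#include <errno.h>
#include <fcntl.h>
#include <string.h>
#include <sys/random.h>
#include <unistd.h>

/* Fill buf with len bytes from getrandom(2). flags = 0 blocks only until the
 * kernel pool is initialized (the promise quoted above); EINTR and short reads are retried. */
static int read_seed(unsigned char *buf, size_t len)
{
    size_t got = 0;
    while (got < len) {
        ssize_t n = getrandom(buf + got, len - got, 0);
        if (n < 0 && errno == EINTR) continue;
        if (n < 0) return -1;
        got += (size_t)n;
    }
    return 0;
}

/* Save step: write a fresh len-byte seed to path with mode 0600 so the seed
 * file is not world readable. Returns bytes written, or -1 on error. */
static ssize_t save_seed(const char *path, size_t len)
{
    unsigned char buf[512];
    if (len > sizeof buf || read_seed(buf, len) < 0) return -1;
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0) return -1;
    ssize_t w = write(fd, buf, len);
    close(fd);
    memset(buf, 0, sizeof buf); /* don't leave the seed lying around in memory */
    return w;
}

/* Restore step: feed the saved seed into dest (normally /dev/urandom). Writing there
 * mixes the bytes into the pool but credits no entropy; it only de-correlates identical devices. */
static ssize_t restore_seed(const char *path, const char *dest)
{
    unsigned char buf[512];
    int in = open(path, O_RDONLY);
    if (in < 0) return -1;
    ssize_t n = read(in, buf, sizeof buf);
    close(in);
    if (n <= 0) return -1;
    int out = open(dest, O_WRONLY);
    if (out < 0) return -1;
    ssize_t w = write(out, buf, (size_t)n);
    close(out);
    return w;
}
```

At boot the calls would be `restore_seed("/etc/urandom.seed", "/dev/urandom")` followed by `save_seed("/etc/urandom.seed", 512)`; the seed file should be treated as a secret, since anyone who reads it knows what was mixed in.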