This fixes some of the current urandom-seed based flaws. First, simply writing to /dev/urandom does not increase the kernel's entropy count, this causes processes obtaining randomness to block. Particularly processes using OpenSSL's RAND_bytes() will block until the kernel emits 'random: crng init done'. This can take upwards of twenty minutes.
According to random(4) the entropy count is only increased when using the RNDADDENTROPY ioctl.

Second, urandom-seed is using /etc/urandom.seed file to seed the kernel's RNG machinery upon every boot. This file is created only once during first-boot and then reused on every consecutive boot, so pretty much static.

So this patch removes urandom-seed package in favor of urngd, which is a micro non-physical true random number generator based on timing jitter. Using the Jitter RNG core, the urngd provides an entropy source that feeds into the Linux /dev/random device if its entropy runs low. It updates the /dev/random entropy estimator such that the newly provided entropy unblocks /dev/random. The seeding of /dev/random also ensures that /dev/urandom benefits from entropy. Especially during boot time, when the entropy of Linux is low, the Jitter RNGd provides a source of sufficient entropy.

Some RNG init time numbers from qca9563 (TP-Link Archer C7 v5):

[   12.045693] random: crng init done (urngd)
[  120.043132] random: crng init done (urandom-seed)

Flash space details:

urngd:         + 4579 b
getrandom:     - 1635 b
urandom-seed:  -  841 b
----------------------
diff           + 2103 b

Ref: https://patchwork.ozlabs.org/patch/1056981/
Ref: https://github.com/openwrt/openwrt/pull/2069#issue-279977445
Signed-off-by: Petr Štetiar <yn...@true.cz>
Signed-off-by: Stephan Mueller <smuel...@chronox.de> [parts of the commit message]
Signed-off-by: Dustin Lundquist <d.lundqu...@temperednetworks.com> [parts of the commit message]
---
 target/linux/ath79/Makefile | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/target/linux/ath79/Makefile b/target/linux/ath79/Makefile
index 0ccc0bed1ce0..840f30fb11be 100644
--- a/target/linux/ath79/Makefile
+++ b/target/linux/ath79/Makefile
@@ -13,8 +13,9 @@ KERNEL_TESTING_PATCHVER := 4.19 include $(INCLUDE_DIR)/target.mk +DEFAULT_PACKAGES:=$(filter-out urandom-seed,$(DEFAULT_PACKAGES)) DEFAULT_PACKAGES += \ kmod-gpio-button-hotplug swconfig \ - kmod-ath9k uboot-envtools + kmod-ath9k uboot-envtools urngd $(eval $(call BuildTarget)) -- 1.9.1 _______________________________________________ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
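Review bot: the commit message says the patch "removes urandom-seed package in favor of urngd", but the hunk only filters urandom-seed out of DEFAULT_PACKAGES in target/linux/ath79/Makefile and appends urngd there; other targets and the package itself are untouched, so the message should say this is an ath79-only swap of the default (or the change belongs in the generic DEFAULT_PACKAGES). The flash table also counts getrandom as removed (- 1635 b) while nothing in the hunk drops it; say where that saving comes from (presumably getrandom no longer being pulled in once urandom-seed is gone) so the numbers can be reproduced. The `DEFAULT_PACKAGES:=$(filter-out urandom-seed,$(DEFAULT_PACKAGES))` line is placed after `include $(INCLUDE_DIR)/target.mk`, which is required if the base value of DEFAULT_PACKAGES comes from the included target.mk; a one-line comment above it would save the next reader that check.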
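The random(4) behaviour the commit message relies on, as an added example that is not part of this patch, of urandom-seed or of the urngd project: a plain write() to /dev/urandom mixes bytes in without touching the entropy estimator, while the RNDADDENTROPY ioctl both mixes and credits. The program reads the estimator with RNDGETENTCNT, writes a seed the old way, then credits the same seed via RNDADDENTROPY and prints all three readings. It assumes Linux, /dev/random and /dev/urandom present, and CAP_SYS_ADMIN for the credit step (without it the ioctl returns EPERM); the 32-byte seed, the bits_per_byte credit and the function names are constructed for the example.

```c
/* Added example (not from the OpenWrt patch): write() vs RNDADDENTROPY. */
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ioctl.h>
#include <unistd.h>
#include <linux/random.h>

/* Build the rand_pool_info request for `seed`. The kernel trusts the caller's
 * entropy_count completely, so the caller chooses how many bits per byte to
 * claim (1..8). Returns NULL on bad input; caller frees the result. */
struct rand_pool_info *build_pool_info(const uint8_t *seed, size_t len, unsigned bits_per_byte)
{
    if (seed == NULL || len == 0 || len > 4096 || bits_per_byte == 0 || bits_per_byte > 8)
        return NULL;
    size_t words = (len + 3) / 4;                    /* buf[] is __u32, buf_size is bytes */
    struct rand_pool_info *info = calloc(1, sizeof(*info) + words * sizeof(uint32_t));
    if (info == NULL)
        return NULL;
    info->entropy_count = (int)(len * bits_per_byte); /* credit, in bits */
    info->buf_size = (int)len;
    memcpy(info->buf, seed, len);
    return info;
}

/* Current kernel entropy estimate in bits; needs no privilege.
 * Returns -1 (errno set) if the device or ioctl is unavailable. */
int read_entropy_count(const char *dev)
{
    int fd = open(dev, O_RDONLY);
    if (fd < 0)
        return -1;
    int bits = -1;
    if (ioctl(fd, RNDGETENTCNT, &bits) < 0)
        bits = -1;
    close(fd);
    return bits;
}

/* Mix `seed` in AND credit it, the step a plain write() lacks.
 * Returns 0 on success, otherwise an errno value (EPERM without CAP_SYS_ADMIN). */
int credit_entropy(const char *dev, const uint8_t *seed, size_t len, unsigned bits_per_byte)
{
    struct rand_pool_info *info = build_pool_info(seed, len, bits_per_byte);
    if (info == NULL)
        return EINVAL;
    int fd = open(dev, O_WRONLY);
    if (fd < 0) {
        int e = errno;
        free(info);
        return e;
    }
    int rc = ioctl(fd, RNDADDENTROPY, info) < 0 ? errno : 0;
    close(fd);
    free(info);
    return rc;
}

int main(void)
{
    /* Constructed sample seed; a real seeder would read a saved seed file. */
    uint8_t seed[32];
    for (size_t i = 0; i < sizeof seed; i++)
        seed[i] = (uint8_t)(i * 37 + 11);

    int before = read_entropy_count("/dev/random");

    /* The urandom-seed way: bytes are mixed in, entropy_count stays as it was. */
    int fd = open("/dev/urandom", O_WRONLY);
    if (fd >= 0) {
        (void)write(fd, seed, sizeof seed);
        close(fd);
    }
    int after_write = read_entropy_count("/dev/random");

    /* The random(4) way: same bytes, but the estimator is credited (needs CAP_SYS_ADMIN). */
    int rc = credit_entropy("/dev/random", seed, sizeof seed, 8);
    int after_ioctl = read_entropy_count("/dev/random");

    printf("entropy bits: before=%d after write()=%d after RNDADDENTROPY=%d (credit rc=%d %s)\n",
           before, after_write, after_ioctl, rc, rc ? strerror(rc) : "ok");
    return 0;
}
```

The bits_per_byte argument is the part worth thinking about: the kernel does not measure the seed, it believes the caller, so crediting 8 bits per byte from a file that is written once and reused unchanged on every boot (the static /etc/urandom.seed case the commit describes) would claim entropy the system does not actually have, which is exactly the kind of overclaim a jitter-based daemon such as urngd avoids by crediting only what its own estimator produces.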