Module Name: src
Committed By: riastradh
Date: Fri Jun 30 21:42:29 UTC 2023
Modified Files:
src/etc: security
Log Message:
security(5): Check kern.entropy.needed for confident entropy.
Don't test whether a non-blocking read from /dev/random would return
data.
For the sake of availability, /dev/random will unblock based on sources
like timer interrupts, which we can't confidently assert anything about
the actual unpredictability of.
Here, the goal is to highlight systems that have neither obtained
entropy from an HWRNG with a confident entropy assessment, nor been
seeded from a source the operator knows about.
XXX pullup-10
To generate a diff of this commit:
cvs rdiff -u -r1.129 -r1.130 src/etc/security
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: src/etc/security
diff -u src/etc/security:1.129 src/etc/security:1.130
--- src/etc/security:1.129 Thu Nov 4 12:40:00 2021
+++ src/etc/security Fri Jun 30 21:42:29 2023
@@ -1,6 +1,6 @@
#!/bin/sh -
#
-# $NetBSD: security,v 1.129 2021/11/04 12:40:00 nia Exp $
+# $NetBSD: security,v 1.130 2023/06/30 21:42:29 riastradh Exp $
# from: @(#)security 8.1 (Berkeley) 6/9/93
#
@@ -195,8 +195,7 @@ done | mtree -CM -k all > $SPECIALSPEC |
# Check for enough entropy.
#
if checkyesno check_entropy; then
- if ! dd if=/dev/random iflag=nonblock of=/dev/null bs=1 count=1 \
- msgfmt=quiet 2>/dev/null; then
+ if [ "$(sysctl -nq kern.entropy.needed)" != 0 ]; then
printf '\n'
printf 'Entropy:\n'
printf 'System may need more entropy for cryptography.\n'
