On Fri, 2015-07-24 at 07:59 +0100, Mark R V Murray wrote: > > On 24 Jul 2015, at 02:25, John-Mark Gurney <j...@funkthat.com> wrote: > > > > I would like to point out that the goal of collecting large amounts > > is starting to fall out of favor, and I happen to agree with the likes > > of djb[1] that we don't need an infinite amount of entropy collected by > > the system. If the attacker can read out our RNG state, then we are > > already screwed due to many other vulns. > > I’m working on a premise of “tools, not policy”. I’d like there to be > enough harvesting points for the box owner to get the warm fuzzies. > If they choose to use less, fine by me. > > > Many of the issues that FreeBSD sees with lack of entropy at start up > > is more of a problem on how systems are installed and provisioned. I > > don't believe that we currently store any entropy from the install > > process, yet this is one of the best places to get it, the user is > > banging on keyboard selecting options, etc. If an image is designed > > to be cloned (vm images or appliance images) we need to have a > > mechanism to ensure that before we start, we get the entropy from > > other sources, be it a hardware RNG or the console. > > Getting an initial entropy bundle for first boot is high up on my > TODO list. :-) Patches welcome! We need the usual /entropy (or > /var/db/entropy/… or whatever) and crucially we need /boot/entropy > and the correct invocation in /boot/loader.conf. >
But keep in mind that loader(8) is optional and not used at all on some non-x86 systems. -- Ian _______________________________________________ svn-src-all@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/svn-src-all To unsubscribe, send any mail to "svn-src-all-unsubscr...@freebsd.org"
