[Pkg-sysvinit-devel] /etc/init.d/urandom

Henrique de Moraes Holschuh hmh at debian.org
Sat Jul 2 00:45:22 UTC 2011 

On Fri, 01 Jul 2011, Thorsten Glaser wrote:
>      49         # Hm, why is the saved pool re-created at boot? [pere 2009-09-03]
> 
> After talking to pere in IRC he suggested I mail the answer here:

We've had a thread about this sometime ago, and I did some asking on LKML
about it.  It is in the ML archives and the BTS.  I don't have a link handy,
though.

>      39                 set -- $(LC_ALL=C ls -l "$SAVEDFILE")
>      40                 SAVEDSIZE="$5"
>      41                 if [ "$SAVEDSIZE" -gt "$POOLSIZE" ]
>      42                 then
>      43                         [ -w /proc/sys/kernel/random/poolsize ] && echo $POOLSIZE > /proc/sys/kernel/random/poolsize
>      44                         POOLSIZE=$SAVEDSIZE
>      45                 fi
> 
> Is there any place POOLSIZE can be configured, other than
> these two?

We can just drop poolsize entirely.  None of the kernels we support allow
changing the poolsize in the first place, not even at compile time AFAIK.
As long as we store at least 512 bytes, it is good enough.  More wouldn't
hurt.

And Linux doesn't care much for the size, it credits NO entropy to write
operations (you need an ioctl to credit entropy), so you can toss any junk
you want in there, at any size, and it will shuffle the pool but not add any
entropy credit.

I very much doubt freebsd will do anything usafe, but someone that knows
their kernel guys better could ask and report back.

> I’d be willing to clean up the init script a bit (also, add
> reading the seedfile at shutdown before writing it, in case
> someone wrote stuff there during the system runtime), if you
> want. My qualification is that I worked on the random subsy-
> stem in MirBSD (which contains of a kernel device by tytso,
> similar to Linux’, plus start/shutdown scripts, plus an aRC4
> based additional pool, plus (in MirBSD) another pool where
> non-root processes can contribute entropy) for a few years
> and have read quite a bit on the topic.

Well, the devil is in the details: failure modes, read-only /, and tricks to
help idiotic setups with near-zero entropy and _zero_ variation among
several boxes.

Any help is appreciated.  But do try to locate that thread and read it
first.  If I manage to find it in my archives, I will post a link to the
archives as a reply.

-- 
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh

More information about the Pkg-sysvinit-devel mailing list