From ceccfc6bc7912b64fce4d4cd929eaf9346d00d53 Mon Sep 17 00:00:00 2001 From: Alex Hornung Date: Mon, 14 Jul 2014 12:43:40 +0100 Subject: [PATCH] rc.d/random: bring back rc.conf defaults, minor fixes * Saving the entropy across reboots is good practice to avoid having a lack of entropy after restarting the machine. For some reason, it has been disabled by default for ages now. * This commit brings back the defaults in rc.conf to enable saving entropy across reboots. * Minor fixes to rc.d/random, such as not assuming /var/db/entropy is a good place to put the entropy file, last but not least because: - that location is not checked on the start part of the script, so it won't ever be used. - /var/db/entropy is most of the time a directory, for the cron-based entropy collection. --- etc/defaults/rc.conf | 2 ++ etc/rc.d/random | 18 +++++++----------- share/man/man5/rc.conf.5 | 10 ++++++++++ 3 files changed, 19 insertions(+), 11 deletions(-) diff --git a/etc/defaults/rc.conf b/etc/defaults/rc.conf index 87ba6c42f1..8e9e60172a 100644 --- a/etc/defaults/rc.conf +++ b/etc/defaults/rc.conf @@ -375,6 +375,8 @@ start_vinum="NO" # set to YES to start vinum udevd_enable="NO" # Run udevd(8) daemon. udevd_early="NO" # Run udevd(8) daemon early in boot (for lvm). lvm_enable="NO" # Run LVM volume discovery. +entropy_file="/entropy" # Set to NO to disable caching entropy through reboots. +entropy_save_sz="16384" # Size of the entropy cache files (in bytes) rand_irqs="NO" # Stir the entropy pool (like "5 11" or NO). dmesg_enable="YES" # Save dmesg(8) to /var/run/dmesg.boot newsyslog_enable="NO" # Run newsyslog at startup. diff --git a/etc/rc.d/random b/etc/rc.d/random index 28b05dcdd3..0353829469 100644 --- a/etc/rc.d/random +++ b/etc/rc.d/random @@ -19,7 +19,10 @@ feed_dev_random() { if [ -f "${1}" -a -r "${1}" -a -s "${1}" ]; then sysctl kern.seedenable=1 >/dev/null - cat "${1}" | dd of=/dev/random bs=8k 2>/dev/null + # Feed using a small block size so that a pool-based CSPRNG + # is more likely to distribute the entropy over several + # pools + cat "${1}" | dd of=/dev/random bs=512 2>/dev/null sysctl kern.seedenable=0 >/dev/null fi } @@ -28,7 +31,7 @@ random_start() { # Reseed /dev/random with previously stored entropy. case ${entropy_dir} in - [Nn][Oo]) + [Nn][Oo] | '') ;; *) entropy_dir=${entropy_dir:-/var/db/entropy} @@ -68,22 +71,15 @@ random_stop() umask 077 if touch ${entropy_file}; then entropy_file_confirmed="${entropy_file}" - else - # Try this as a reasonable alternative for read-only - # roots, diskless workstations, etc. - rm -f /var/db/entropy - if touch /var/db/entropy; then - entropy_file_confirmed=/var/db/entropy - fi fi case ${entropy_file_confirmed} in '') - err 1 '${entropy_file_confirmed}:' \ + err 1 '${entropy_file}:' \ ' entropy file write failed.' ;; *) dd if=/dev/random of=${entropy_file_confirmed} \ - bs=4096 count=1 2> /dev/null + bs=${entropy_save_sz} count=1 2> /dev/null echo '.' ;; esac diff --git a/share/man/man5/rc.conf.5 b/share/man/man5/rc.conf.5 index 56a3637b8d..43c14636d4 100644 --- a/share/man/man5/rc.conf.5 +++ b/share/man/man5/rc.conf.5 @@ -2522,6 +2522,16 @@ Otherwise set to the filename used to store cached entropy through reboots. This file should be located on the root file system to seed the .Xr random 4 device as early as possible in the boot process. +.It Va entropy_save_sz +.Pq Vt int +Determines the size of the entropy cache files used for entropy cached +through reboots and also entropy cached via +.Xr cron 8 . +The entropy is fed to the system in blocks of 512 bytes, so this number +should be large enough to fill as many of the entropy pools in the kernel +CSPRNG as possible. +By default, it is set to 16384, which should be able to seed all 32 entropy +pools in the Fortuna CSPRNG. .It Va ipsec_enable .Pq Vt bool Set to -- 2.41.0