On Fri, Jan 17, 2020 at 02:32:22PM -0500, Noah Meyerhans wrote:
> On Thu, Jan 09, 2020 at 05:22:17PM -0500, Noah Meyerhans wrote:
> > I've confirmed that 4.19.87 with changes cherry-picked from 50ee7529ec45
> > claims to have entropy at boot:
> >
> > admin@ip-172-31-49-239:~$ cloud-init analyze blame
> > -- Boot Record 01 --
> >      02.88900s (init-network/config-ssh)
> > ...
> >
> > The change applies cleanly to our kernel tree, so this would appear to
> > be a possible solution.
> >
> > I've opened https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=948519
> > against the kernel to discuss the entropy issue in general, and will follow
> > up there with a proposal for getting this change backported.
>
> The kernel team would prefer that any backport of 50ee7529ec45 to stable
> branches happen upstream, which is sensible. I'll follow up with the
> stable kernel maintainers to see about making this happen, if they're
> willing.
>
> In the meantime, regardless of where the backport happens, there's no
> possibility of getting this kernel change into 10.3. So, I'd like to
> revisit my original proposal of adding haveged to the arm64 EC2 image
> configuration. Haveged is used in debian-installer for buster (but not
> bullseye+, see below), so there is precedent for its use within Debian.
> IMO, this is the best option available in the short term. It results in
> a far better user experience on the instances in question, and is a
> fairly unintrusive change to make.
>
> Background on haveged in d-i:
> Haveged was added to d-i in commit c47000192 ("Add haveged-udeb [linux]
> to the pkg-lists/base") in response to bug #923675 and is used in
> buster. More recently, with the addition of the in-kernel entropy
> collection mechanisms we've been discussing here, the removal of haveged
> has been proposed for bullseye.
> https://lists.debian.org/debian-boot/2019/11/msg00077.html It has not
> yet been removed, though.
>
> Similarly, I would expect that we would remove haveged from the
> generated buster images once the kernel's entropy jitter-entropy
> collector is available for buster.

Thank you for the legwork on this. I agree that haveged is the way to
proceed at this point.

--
Luca Filipozzi
