On Sun, Sep 16, 2012 at 05:21:21PM +0100, Mark Murray wrote:
> Hi
> 
> Part 1 of the fix is enclosed; it involves drastically shortening the
> input into /dev/random (the "kickstart") at boot time. There are time
> implications that I'd like to hear any objections to.
> 
> Part 1a is going to be tweaks to stashing entropy at restart
> (and possibly during normal running). Also fixes to zero-entropy
> first-startup.
> 
> Part 2 will be a cheap shortening of files during reading so as not
> to clog up the harvest queue. The harvest queue will always be a bit
> intolerant of excess input via this route, so this should help a lot.
> 
> Part 3 will be the addition of another choice of software PRNG;
> Fortuna. Fortuna is MUCH more resilient to attack, at the expense
> of using more kernel memory. For modern machines, this is scarcely
> noticeable, but it could be bad for embedded units.
> 
> Tweaks along the way may include reverting to the original intent of
> starting the PRNG blocked, and only unblocking once reseeded.
> 
> M
> --
> Mark R V Murray
> Pi: 132511160

> Index: initrandom
> ===================================================================
> --- initrandom        (revision 240384)
> +++ initrandom        (working copy)
> @@ -23,15 +23,12 @@
>  
>  better_than_nothing()
>  {
> -     # XXX temporary until we can improve the entropy
> -     # harvesting rate.
>       # Entropy below is not great, but better than nothing.
>       # This unblocks the generator at startup
>       # Note: commands are ordered to cause the most variance across reboots.
> -     ( kenv; dmesg; df -ib; ps -fauxww; date; sysctl -a ) \
> -         | dd of=/dev/random bs=8k 2>/dev/null
> -     /sbin/sha256 -q `sysctl -n kern.bootfile` \
> -         | dd of=/dev/random bs=8k 2>/dev/null
> +     for cmd in "kenv" "dmesg" "df -ib" "ps -fauxww" "date" "sysctl -ao" 
> "netstat -arn" "fstat" ; do
> +         ${cmd}| sha256 > /dev/random
> +     done
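
Review bot: In the added `for cmd in ...` loop, `${cmd}| sha256 > /dev/random` writes a digest whether or not the command produced anything, so a command that is missing or fails at this stage of boot contributes the hash of empty input, a fixed value, and nothing reports it. Consider checking that each command ran before feeding its digest in. The loop also calls `sha256` by bare name where the removed line used `/sbin/sha256 -q`, which makes it depend on PATH in the rc environment. The hash of the `kern.bootfile` contents is dropped with no replacement, and the retained comment about command ordering no longer matches the longer list; if both are intended, the comment block should say so.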

I'd much prefer to just use sha512 here and also add -b to sysctl.

-- 
Pawel Jakub Dawidek                       http://www.wheelsystems.com
FreeBSD committer                         http://www.FreeBSD.org
Am I Evil? Yes, I Am!                     http://tupytaj.pl
