This package: 1) seed /dev/urandom with a saved seed as early as possible (using /lib/preinit/81_urandom_seed) 2) save a new seed using getrandom() so we are sure /dev/urandom pool is initialized (using /etc/init.d/urandom_seed)
seed size is 512 bytes (ie /proc/sys/kernel/random/poolsize / 8) it's the same size as in ubuntu 14.04 and all systemd systems seed file is /etc/urandom.seed (need a writable path) seeding /dev/urandom doesn't change entropy estimation, so we still have "random: ubus urandom read with 4 bits of entropy available" messages in the logs, but we can now ignore them Once tested on enough configuration (jffs2/ext4/ubifs/...) this package should be added to DEFAULT_PACKAGES We could also add an urandom.seed at build time to improve first boot Signed-off-by: Etienne CHAMPETIER <champetier.etie...@gmail.com> --- package/utils/urandom-seed/Makefile | 53 ++++++++++++++++++++ .../urandom-seed/files/81_urandom_seed.preinit | 15 ++++++ package/utils/urandom-seed/files/getrandom.c | 58 ++++++++++++++++++++++ package/utils/urandom-seed/files/urandom_seed.init | 19 +++++++ 4 files changed, 145 insertions(+) create mode 100644 package/utils/urandom-seed/Makefile create mode 100644 package/utils/urandom-seed/files/81_urandom_seed.preinit create mode 100644 package/utils/urandom-seed/files/getrandom.c create mode 100644 package/utils/urandom-seed/files/urandom_seed.init diff --git a/package/utils/urandom-seed/Makefile b/package/utils/urandom-seed/Makefile new file mode 100644 index 0000000..ac58bfc --- /dev/null +++ b/package/utils/urandom-seed/Makefile @@ -0,0 +1,53 @@ +# +# Copyright (C) 2016 Etienne CHAMPETIER <champetier.etie...@gmail.com> +# +# This is free software, licensed under the GNU General Public License v2. +# See /LICENSE for more information. +# + +include $(TOPDIR)/rules.mk + +PKG_NAME:=urandom-seed +PKG_RELEASE:=1 +PKG_LICENSE:=GPL-2.0 +PKG_LICENSE_FILES:=COPYING +PKG_BUILD_DIR := $(BUILD_DIR)/$(PKG_NAME)_$(PKG_RELEASE) +PKG_FLAGS:=nonshared + +include $(INCLUDE_DIR)/package.mk + +define Package/urandom-seed + SECTION:=utils + CATEGORY:=Base system + TITLE:=Seed /dev/urandom on startup + MAINTAINER:=Etienne CHAMPETIER <champetier.etie...@gmail.com> +endef + +define Package/urandom-seed/description +This package takes care of loading a previously saved seed into /dev/urandom, +and save a new seed from getrandom() +endef + +define Build/Prepare + mkdir -p $(PKG_BUILD_DIR) +endef + +define Build/Configure +endef + +define Build/Compile + $(TARGET_CC) $(TARGET_CFLAGS) ./files/getrandom.c -o $(PKG_BUILD_DIR)/getrandom +endef + +define Package/urandom-seed/install + $(INSTALL_DIR) $(1)/usr/bin + $(INSTALL_BIN) $(PKG_BUILD_DIR)/getrandom $(1)/usr/bin/ + + $(INSTALL_DIR) $(1)/lib/preinit + $(INSTALL_DATA) ./files/81_urandom_seed.preinit $(1)/lib/preinit/81_urandom_seed + + $(INSTALL_DIR) $(1)/etc/init.d + $(INSTALL_BIN) ./files/urandom_seed.init $(1)/etc/init.d/urandom_seed +endef + +$(eval $(call BuildPackage,urandom-seed)) diff --git a/package/utils/urandom-seed/files/81_urandom_seed.preinit b/package/utils/urandom-seed/files/81_urandom_seed.preinit new file mode 100644 index 0000000..27ff587 --- /dev/null +++ b/package/utils/urandom-seed/files/81_urandom_seed.preinit @@ -0,0 +1,15 @@ +#!/bin/sh + +do_urandom_seed() { + S=/etc/urandom.seed + U=/dev/urandom + + [ -c $U ] || { echo "Something is wrong with $U"; return; } + [ -f $S ] || { echo "Seed file not found: $S"; return; } + [ -O $S -a -G $S -a ! -x $S ] || { echo "Wrong owner / permissions for $S"; return; } + + echo "Seeding $U with $S" + cat $S > $U +} + +boot_hook_add preinit_main do_urandom_seed diff --git a/package/utils/urandom-seed/files/getrandom.c b/package/utils/urandom-seed/files/getrandom.c new file mode 100644 index 0000000..2093ef8 --- /dev/null +++ b/package/utils/urandom-seed/files/getrandom.c @@ -0,0 +1,58 @@ +/* + * Copyright (C) 2016 Etienne Champetier <champetier.etie...@gmail.com> + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + */ +#define _GNU_SOURCE +#include <errno.h> +#include <linux/random.h> +#include <stdio.h> +#include <stdlib.h> +#include <string.h> +#include <sys/syscall.h> +#include <unistd.h> + +#define ERROR_EXIT(fmt, ...) do { \ + fprintf(stderr, fmt, ## __VA_ARGS__); \ + return EXIT_FAILURE; \ + } while (0) + +int usage(char *name) +{ + fprintf(stderr, "Usage: %s <nb>\n", name); + fprintf(stderr, " => return <nb> bytes from getrandom()\n"); + return EXIT_FAILURE; +} + +int main(int argc, char *argv[]) +{ + if (argc != 2) + return usage(argv[0]); + + if (isatty(STDOUT_FILENO)) + ERROR_EXIT("Not outputting random to a tty\n"); + + int nbtot = atoi(argv[1]); + if (nbtot < 1) + ERROR_EXIT("Invalid <nb> param (must be > 0)\n"); + + char buf[256]; + int len = sizeof(buf); + while (nbtot > 0) { + if (nbtot <= sizeof(buf)) + len = nbtot; + if (syscall(SYS_getrandom, buf, len, 0) == -1) + ERROR_EXIT("getrandom() failed: %s\n", strerror(errno)); + if (write(STDOUT_FILENO, buf, len) != len) + ERROR_EXIT("write() failed: %s\n", strerror(errno)); + nbtot -= sizeof(buf); + } +} diff --git a/package/utils/urandom-seed/files/urandom_seed.init b/package/utils/urandom-seed/files/urandom_seed.init new file mode 100644 index 0000000..b2aba28 --- /dev/null +++ b/package/utils/urandom-seed/files/urandom_seed.init @@ -0,0 +1,19 @@ +#!/bin/sh /etc/rc.common + +START=99 + +SEED=/etc/urandom.seed + +save_seed() { + touch $SEED.tmp + chown root:root $SEED.tmp + chmod 600 $SEED.tmp + getrandom 512 > $SEED.tmp + + logger "Saving urandom seed to $SEED" + mv $SEED.tmp $SEED +} + +boot() { + save_seed +} -- 1.9.1 _______________________________________________ Lede-dev mailing list Lede-dev@lists.infradead.org http://lists.infradead.org/mailman/listinfo/lede-dev