On Wed, Sep 27, 2017 at 12:36 AM, Rasmus Villemoes
<rasmus.villem...@prevas.dk> wrote:
> On 2017-09-26 18:20, Jorge Almeida wrote:
>> This is what I do at stage 1, regarding entropy gathering:
>

>
>> - start haveged service soon
>> - in background,
>>         - read 512 bytes from /dev/random and write them to /dev/urandom
>>         - write something to a pipe entropy_pipe
>>
>> -meanwhile, do other stuff (filesystem checking, etc)
>>
>> -in background,
>>          -read from entropy_pipe (blocks until ready)
>>          - start services that require /dev/urandom in a sane state
>
> The two processes with an entropy_pipe between them seems overkill, why
> not just have one process do getrandom(,,0)?

The purpose of the pipe is to allow doing other stuff while gathering
entropy (IOW, parallelism; besides, fsck'ing adds to entropy). The
processes that require /dev/urandom may have their own established
code that I wouldn't dream to touch (e.g. sshd). Launching such
processes after a successful reading from the pipe ensures that
/dev/urandom is sane. (Doing getrandom() after copying to /dev/random
is not an option unless the  scripting language supports it. Besides,
dealing with an anonymous pipe is simple enough).

What I'm not sure is wheather the /dev/random -> /dev/urandom copying
idea is sound, and wheather using haveged is this context is safe (I
know it accelerates things, I _hope_  it does it right).

Jorge

Reply via email to