On Wed, Sep 27, 2017 at 12:36 AM, Rasmus Villemoes <[email protected]> wrote: > On 2017-09-26 18:20, Jorge Almeida wrote: >> This is what I do at stage 1, regarding entropy gathering: >
> >> - start haveged service soon >> - in background, >> - read 512 bytes from /dev/random and write them to /dev/urandom >> - write something to a pipe entropy_pipe >> >> -meanwhile, do other stuff (filesystem checking, etc) >> >> -in background, >> -read from entropy_pipe (blocks until ready) >> - start services that require /dev/urandom in a sane state > > The two processes with an entropy_pipe between them seems overkill, why > not just have one process do getrandom(,,0)? The purpose of the pipe is to allow doing other stuff while gathering entropy (IOW, parallelism; besides, fsck'ing adds to entropy). The processes that require /dev/urandom may have their own established code that I wouldn't dream to touch (e.g. sshd). Launching such processes after a successful reading from the pipe ensures that /dev/urandom is sane. (Doing getrandom() after copying to /dev/random is not an option unless the scripting language supports it. Besides, dealing with an anonymous pipe is simple enough). What I'm not sure is wheather the /dev/random -> /dev/urandom copying idea is sound, and wheather using haveged is this context is safe (I know it accelerates things, I _hope_ it does it right). Jorge
