On 04/29/2014 09:30 PM, Tom Gundersen wrote:
> You can easily start the sockets early, but make the daemon itself wait for the key generation to finish.
Thanks. Can you provide an example? (I don't want to change the daemon code.)
> The only thing you then have to make sure is that the key generation blocks until the non-blocking pool is initialized (I assume that is what's being used?). For that I suppose you just need to make the kernel block /dev/urandom until that's the case, I have seen this being discussed, but don't know the status of those patches.
Would it be possible to do the blocking in a separate service? This way, it would be more visible in diagnostic tools, and it's not necessary to change all key generation code (including programs which just generate session keys).
I don't know if we can change /dev/urandom to block because that doesn't look very backwards-compatible to me.
-- 
Florian Weimer / Red Hat Product Security Team

_______________________________________________
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel
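The "separate service that blocks" idea from the message above, as an added example that is not code from the thread, from systemd, or from Red Hat. It is a small Linux-only oneshot program whose only job is to exit once the kernel's urandom pool has been initialized; a daemon's unit can then order itself after it, so the socket unit can still be started early while the daemon (and its key generation) waits. Assumptions: the program uses getrandom(2) with GRND_NONBLOCK as the readiness signal (that syscall was added in Linux 3.17, after this April 2014 thread, so it is a later facility standing in for the "make /dev/urandom block" patches discussed); the unit names wait-for-urandom.service and the optional timeout argument are hypothetical. Nothing here changes /dev/urandom semantics, which addresses the backwards-compatibility concern raised in the reply.

```c
/* wait-for-urandom.c: block until the kernel's urandom pool is initialized.
 * Added example, Linux-only (needs getrandom(2), Linux >= 3.17, glibc >= 2.25).
 * Intended to run as a Type=oneshot service that other units order after. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
#include <unistd.h>
#include <sys/random.h>

/* Returns 1 if the pool is initialized, 0 if not yet (or interrupted),
 * -1 on an unexpected error with errno set. A GRND_NONBLOCK request fails
 * with EAGAIN until the kernel has seeded the pool, which is exactly the
 * condition the daemon's key generation should wait for. Once initialized,
 * the kernel never reports EAGAIN again, so the check is monotonic. */
int pool_is_initialized(void)
{
    unsigned char byte;
    ssize_t n = getrandom(&byte, sizeof byte, GRND_NONBLOCK);
    if (n == (ssize_t)sizeof byte)
        return 1;
    if (n < 0 && (errno == EAGAIN || errno == EINTR))
        return 0;
    return -1;
}

/* Poll every 100 ms until the pool is initialized. timeout_sec == 0 means
 * wait forever (the usual setting for a boot-time oneshot). Returns 0 on
 * success, 1 on timeout, 2 on a kernel error. Polling instead of one
 * blocking getrandom() call lets the service honour a deadline and keeps
 * the wait visible as a distinct unit in systemctl status / the journal. */
int wait_for_pool(unsigned timeout_sec)
{
    struct timespec start, now;
    clock_gettime(CLOCK_MONOTONIC, &start);
    for (;;) {
        int r = pool_is_initialized();
        if (r == 1)
            return 0;
        if (r == -1)
            return 2;
        clock_gettime(CLOCK_MONOTONIC, &now);
        if (timeout_sec && (unsigned)(now.tv_sec - start.tv_sec) >= timeout_sec)
            return 1;
        struct timespec nap = { 0, 100 * 1000 * 1000 };  /* 100 ms */
        nanosleep(&nap, NULL);
    }
}

int main(int argc, char **argv)
{
    /* Optional first argument: timeout in seconds (hypothetical CLI). */
    unsigned timeout = argc > 1 ? (unsigned)strtoul(argv[1], NULL, 10) : 0;
    int rc = wait_for_pool(timeout);
    switch (rc) {
    case 0:  puts("urandom pool initialized"); break;
    case 1:  fputs("timed out waiting for urandom pool\n", stderr); break;
    default: fprintf(stderr, "getrandom: %s\n", strerror(errno)); break;
    }
    return rc;
}
```

Wiring it up (hypothetical unit names): install the binary as the ExecStart of a `Type=oneshot` unit, say wait-for-urandom.service, and give the daemon's own .service `Requires=wait-for-urandom.service` and `After=wait-for-urandom.service`. The daemon's .socket unit carries no such ordering, so the listening socket is created early and connections queue in the kernel, while the daemon process itself is not spawned until the pool is seeded. The daemon's code is untouched, and the wait shows up in `systemd-analyze blame` and `systemctl status` as its own unit rather than as an unexplained stall inside the daemon.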