2015-06-17 23:38 GMT+08:00 Reindl Harald <h.rei...@thelounge.net>:
> On 17.06.2015 at 17:08, cee1 wrote:
>> 2015-06-17 22:03 GMT+08:00 Lennart Poettering <lenn...@poettering.net>:
>>> On Wed, 17.06.15 20:21, cee1 (fykc...@gmail.com) wrote:
>>>> What I mean is:
>>>> 1. Load a saved seed to /dev/urandom.
>>>> 2. The service reads /dev/random, which will block until the kernel thinks
>>>> there's enough entropy - then the random number should be good?
>>>> 3. Save the random number returned in step 2 on disk.
>>>
>>> Blocking at boot for this doesn't really sound like an option. But the
>>> kernel does not provide us with any nice notifications about when the
>>> RNG pool is complete. If we want to do this kind of polishing, then
>>> that'd be great, but we'd need sane notifiers for that, blocking
>>> syscalls are not an option.
>>
>> That doesn't mean blocking boot, but a service, let's say
>> systemd-random-seed.service:
>> 1. systemd-random-seed.service loads a seed from disk to /dev/urandom
>> 2. systemd-random-seed.service tells systemd "I'm ready" (sd_notify())
>> 3. Instead of quitting immediately, systemd-random-seed.service tries
>> to read /dev/random, and it blocks ...
>> 4. systemd-random-seed.service at last gets a 'good random number',
>> and saves it on disk
>
> * the purpose of systemd-random-seed.service is to seed
> /dev/random really early at boot so that other services like
> sshd, vpn, webservers have a random source
First, it seeds /dev/urandom.

Second, seeding /dev/random will not increase the entropy without using ioctl (please see https://www.mail-archive.com/systemd-devel@lists.freedesktop.org/msg32555.html).

Though some other services may read /dev/random, and the suggested logic may exhaust the very little entropy, hence blocking "those other services"?

We may use getrandom (as mentioned in http://www.2uo.de/myths-about-urandom):
"""
This syscall does the right thing: blocking until it has gathered enough initial entropy, and never blocking after that point.
"""

--
Regards,

- cee1
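Added example (not code from the thread or from systemd): how a seed-saving service could use getrandom(2) for the "wait until the pool is initialised" step instead of blocking on /dev/random. GRND_NONBLOCK gives a non-blocking probe of pool state (EAGAIN while still filling), and flags = 0 blocks only until the pool is initialised once and never afterwards. It assumes Linux >= 3.17 and glibc >= 2.25 for sys/random.h; the 512-byte seed size and the function names are my choices.

```c
/* Added example, not code from the thread: a seed-saving service can wait for
 * the kernel pool with getrandom(2) instead of blocking on /dev/random.
 * Needs Linux >= 3.17 and glibc >= 2.25 (sys/random.h). */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/random.h>

/* Non-blocking probe of pool state: 1 = initialised, 0 = still filling
 * (getrandom fails with EAGAIN), -1 = syscall unavailable / other error. */
int pool_ready(void)
{
    unsigned char b;
    ssize_t r = getrandom(&b, 1, GRND_NONBLOCK);
    if (r == 1)
        return 1;
    return (r < 0 && errno == EAGAIN) ? 0 : -1;
}

/* Fill seed[0..len) from the kernel CSPRNG. With flags = 0 getrandom blocks
 * only until the pool has been initialised once, never afterwards, which is
 * the property the thread wants. Loops over short reads and EINTR.
 * Returns 0 on success, -1 on error. */
int fetch_seed(unsigned char *seed, size_t len)
{
    size_t done = 0;
    while (done < len) {
        ssize_t r = getrandom(seed + done, len - done, 0);
        if (r < 0) {
            if (errno == EINTR)
                continue;
            return -1;
        }
        done += (size_t)r;
    }
    return 0;
}

int main(void)
{
    unsigned char seed[512];  /* a real service would write this to disk */
    printf("pool state: %d\n", pool_ready());
    if (fetch_seed(seed, sizeof seed) != 0) {
        perror("getrandom");
        return 1;
    }
    printf("fetched %zu bytes of seed material\n", sizeof seed);
    return 0;
}
```

Note that writing the fetched bytes back to /dev/urandom at the next boot still does not credit entropy to the pool; that needs the RNDADDENTROPY ioctl the thread refers to.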