From: Chris Rees
To: freebsd-security@FreeBSD.org
Subject: Querying entropy state
Date: Tue, 15 May 2018 12:17:28 +0100
Message-ID: <130fc299-7d4e-e3fe-7ba8-d4d3a677591f@FreeBSD.org>

Hello all,

Since the new random device has been put in, sysutils/monitorix no longer has a sysctl to poll to view the current state of entropy (i.e. kern.random.sys.seeded).

I have come to the understanding that it is no longer necessary or relevant information with the new driver, and entropy is always at an acceptable state; the author has suggested disabling this test on FreeBSD.

Am I correct that there is no point in checking for entropy any more, and the entropy is unmeasurable?

Chris

From: RW
To: freebsd-security@freebsd.org
Subject: Re: Querying entropy state
Date: Tue, 15 May 2018 15:54:44 +0100
Message-ID: <20180515155444.0bb41e5f@gumby.homeunix.com>
In-Reply-To: <130fc299-7d4e-e3fe-7ba8-d4d3a677591f@FreeBSD.org>

On Tue, 15 May 2018 12:17:28 +0100 Chris Rees wrote:

> Hello all,
>
> Since the new random device has been put in, sysutils/monitorix no
> longer has a sysctl to poll to view the current state of entropy
> (i.e. kern.random.sys.seeded).
>
> I have come to the understanding that it is no longer necessary or
> relevant information with the new driver, and entropy is always at an
> acceptable state; the author has suggested disabling this test on
> FreeBSD.
>
> Am I correct that there is no point in checking for entropy any more,
> and the entropy is unmeasurable?

It hasn't been for many years.

kern.random.sys.seeded was set when Yarrow first seeded itself after a boot. As long as there's an entropy file this happened very early, and ordinary computers would spontaneously seed well before that. The sysctl was only relevant in some special cases like certain embedded devices.

From: RW
To: freebsd-security@freebsd.org
Subject: Re: Querying entropy state
Date: Tue, 15 May 2018 16:51:43 +0100
Message-ID: <20180515165143.393c72b1@gumby.homeunix.com>
In-Reply-To: <20180515155444.0bb41e5f@gumby.homeunix.com>

On Tue, 15 May 2018 15:54:44 +0100 RW wrote:

> On Tue, 15 May 2018 12:17:28 +0100 Chris Rees wrote:
>
> > Hello all,
> >
> > Since the new random device has been put in, sysutils/monitorix no
> > longer has a sysctl to poll to view the current state of entropy
> > (i.e. kern.random.sys.seeded).
> >
> > I have come to the understanding that it is no longer necessary or
> > relevant information with the new driver, and entropy is always at
> > an acceptable state; the author has suggested disabling this test on
> > FreeBSD.
> >
> > Am I correct that there is no point in checking for entropy any
> > more, and the entropy is unmeasurable?
>
> It hasn't been for many years.
>
> kern.random.sys.seeded was set when Yarrow first seeded itself after a
> boot. As long as there's an entropy file this happened very early, and
> ordinary computers would spontaneously seed well before that. The
> sysctl was only relevant in some special cases like certain embedded
> devices.

And now I come to think of it, initrandom would throw in some low-grade entropy to unblock the device even if there was no entropy file, so with the standard rc files the sysctl did nothing useful.