Skip site navigation (1)Skip section navigation (2)
Date:      Tue, 13 Apr 2004 20:10:17 -0700
From:      Brooks Davis <brooks@one-eyed-alien.net>
To:        Chuck Swiger <cswiger@mac.com>
Cc:        freebsd-current@freebsd.org
Subject:   Re: dev/random
Message-ID:  <20040414031017.GA20404@Odin.AC.HMC.Edu>
In-Reply-To: <407C9B07.9070108@mac.com>
References:  <200404131550.i3DFocIn099231@grimreaper.grondar.org> <428207C0-8D7B-11D8-B697-003065ABFD92@mac.com> <20040413191058.GF20550@Odin.AC.HMC.Edu> <D30E2B24-8D8D-11D8-B697-003065ABFD92@mac.com> <20040413232816.GB25818@Odin.AC.HMC.Edu> <407C9B07.9070108@mac.com>

next in thread | previous in thread | raw e-mail | index | archive | help

--DocE+STaALJfprDB
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Tue, Apr 13, 2004 at 09:59:35PM -0400, Chuck Swiger wrote:
> >>Anyway, if /etc/rc.d/initdiskless is available, you've got a root=20
> >>filesystem to read from, so can't one nudge the diskless client's=20
> >>/dev/random using entropy from a file stored on it?
> >
> >You can use a file at this point, but what file should you use?
>=20
> I would choose a file that software like OpenSSL, OpenSSH, GnuPG, the EGD=
,=20
> would expect to read entropy from, preferably by default.  When we also=
=20
> need to consider the context of diskless booting where only a minimal roo=
t=20
> filesystem is mounted, it seems /etc/entropy is reasonable.

Those programs mostly hope /dev/random works.  EGD provides a fake
/dev/random based on things like ps output.

> >You almost certaintly don't have a /var and there's a good change / isn't
> >writable at all and starting all your hosts with the same entropy is
> >definatly a bad idea.  You also may not have anything in /etc other then
> >what is provided by make distribution.
>=20
> Starting all of your hosts with the same entropy is a bad idea, agreed.
>=20
> I would say that doing something which lets the hosts start rather than=
=20
> hang is better than not having a host start up at all.  But I think one c=
an=20
> do better than use the same entropy for all clients, which is what my nex=
t=20
> suggestion was about:
>=20
> >>Or perhaps the /usr/share/examples/diskless/clone_root script could=20
> >>call mknod to create a clone of the server's /dev/random device under=
=20
> >>the diskless root directory, to provide different "real" entropy for=20
> >>each diskless client?
> >
> >I'm not sure what you're getting at here. /dev is devfs even in single
> >user so mknod isn't applicable.  It's not optional.
>=20
> Excuse me, one used to use mknod to create named pipes.  Under FreeBSD it=
's=20
> now mkfifo.  Maybe a diff would explain what I mean better:
>=20
> --- clone_root_20040413 Tue Apr 13 21:01:57 2004
> +++ clone_root  Tue Apr 13 21:08:33 2004
> @@ -94,4 +94,6 @@
>         #       (cd $DEST; cpio -i -H newc -d )
>         echo "+++ Fixing permissions on some objects"
>         chmod 555 $DEST/sbin/init
> +       echo "creating /etc/entropy"
> +       mkfifo ${DEST}/etc/entropy
>  }

I forgot about that use since I rairly use that feature, but see below.

> ...and set up an rc script on the fileserver to do:
>
>       cat /dev/random > ${DEST}/etc/entropy
>
> ...to fill the named pipe with high-quality entropy when and if a
> client machine reads that file.  Hmm, quick testing suggests the cat
> statement will terminate if too much data is read at a time, maybe
> "tail -f" instead?
>
> Somewhere in /etc/rc.d/initdiskless (or somewhere else appropriate),
> have client machines do something like:
>
>       dd if=3D/etc/entropy of=3D/dev/random bs=3D512 count=3D1 2>/dev/null
>
> Even though the client machines are mounting the diskless root
> read-only, each client that reads /etc/entropy will be getting
> different bits, ie, they'll be grabbing entropy from the server's
> random pool to initialize themselves.

This won't work.  A named pipe is only usable on the local machine much
like a device node.  The filesystem is bairly involved in the process.
As Mark points out, in many environments, this would be a bad idea even
if it worked because it would be easily sniffable.

> >To be clear, the problem is not that you can't open /dev/random for
> >read, it's that read() blocks until sufficent entropy arrives.  It's
> >worth noting that the quality of entropy needed in initdiskless is
> >pretty minimal.  rand() would actually be fine here other then the fact
> >that use of rand should not be encouraged.
>=20
> Perhaps it might be useful to have a sysctl for whether /dev/random block=
s=20
> or whether it switches from providing "true" entropy to providing=20
> cryptographicly strong random numbers generated by a decent PRNG seeded b=
y=20
> or otherwise merged with what "true" entropy is available.  [aka=20
> /dev/urandom]

We've got that already, it's just implemented by dumping junk into
/dev/random and hoping it's good enough like is currently done in
initrandom.

-- Brooks

--=20
Any statement of the form "X is the one, true Y" is FALSE.
PGP fingerprint 655D 519C 26A7 82E7 2529  9BF0 5D8E 8BE9 F238 1AD4

--DocE+STaALJfprDB
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQFAfKuZXY6L6fI4GtQRAibvAJ9cneHuI4HwwTLuZG4er5J/A2UTngCfcWI3
LAMCoZkjruxoaiUP5aZryXE=
=0TC3
-----END PGP SIGNATURE-----

--DocE+STaALJfprDB--



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20040414031017.GA20404>