Date:      Thu, 12 Jul 2018 11:40:48 -0700
From:      Conrad Meyer <cem@freebsd.org>
To:        Dirk-Willem van Gulik <dirkx@webweaving.org>
Cc:        "freebsd-hackers@freebsd.org" <freebsd-hackers@freebsd.org>
Subject:   Re: Limits to seeding /dev/random | random(4)
Message-ID:  <CAG6CVpW=gXK-a7RAmDm=xBb3WP=bK3sLxOTBm3r0Y=ES4KzWPg@mail.gmail.com>
In-Reply-To: <55685C1F-4711-40C7-8EB4-2930BF8C9884@webweaving.org>
References:  <3A988D26-7B08-4301-8176-B0ED8A559420@webweaving.org> <1531317515.66719.20.camel@freebsd.org> <20180712165751.1e5b8e24@gumby.homeunix.com> <7C42CD28-078F-4AF6-90F2-5E951F8386D5@webweaving.org> <CAG6CVpX1DnB7KDigG=wMPROM6vvdw0LB005u6d3c29Dbp7NhTw@mail.gmail.com> <55685C1F-4711-40C7-8EB4-2930BF8C9884@webweaving.org>

On Thu, Jul 12, 2018 at 10:42 AM, Dirk-Willem van Gulik
<dirkx@webweaving.org> wrote:
> Is there any point - much later post boot, in a non-network, read-only
> situation with essentially just 3 or 4 user processes running with no IO
> or interaction - to send some entropy (whitewashed (or raw with
> random_harvest_queue())) towards the PRNG ?
>
> Or is that pointless from thereon.

It isn't needed, but it doesn't hurt either (barring elevated CPU use
from excessive feeding).

> On 12 Jul 2018, at 19:32, Conrad Meyer <cem@freebsd.org> wrote:
>> /dev/u?random never produces unseeded results.  If it is not seeded,
>> reads will just block indefinitely, until it is seeded.
>
> As we’ve found out the hard way (although we are not sure it is
> indefinitely).

It is indefinite, until seeding.  Maybe signals can interrupt the
wait, but you should be checking the return value of read(2) of
/dev/random.

>> To seed the device without a writable filesystem, write 1kB+ of
>> whitened random from your device into /dev/random early in boot, and
>> you will be good to go.  You can do the ongoing trickle after that if
>> you want, but it is not necessary.  On FreeBSD 12-CURRENT, you can
>> verify /dev/random is seeded when getrandom(..., GRND_NONBLOCK) no
>> longer returns -1 with EAGAIN errno.  If you need to use a FreeBSD
>> prior to 12, you'll know random is seeded when reads no longer block.
>
> Thanks for that. Unfortunately we’re in a read-only situation. And
> we’ve had CI testing yield identical results a few times now.

Identical results are very troubling.  Maybe your readonly filesystems
contain a static "entropy" file that is being fed in every boot (with
identical contents)?  If so, you definitely want to remove that during
image generation.  That, in tandem with few other sources of entropy,
could explain identical results.

Another thing I would suggest is taking samples directly from your
random device and running them through
https://github.com/usnistgov/SP800-90B_EntropyAssessment to sanity
check their randomness.  W. Dean Freeman did some great work
evaluating random sources in FreeBSD within the last couple years; you
can check out his work here:
https://github.com/badfilemagic/fbsd-entropy

Best,
Conrad
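
The two checks mentioned in the message above (the getrandom(..., GRND_NONBLOCK) seed test on FreeBSD 12 and checking the return value of read(2) on /dev/random), written out as an added example that is not part of the original e-mail or of FreeBSD's code. The function names and the `path` parameter are this example's own.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/random.h>
#include <sys/types.h>
#include <unistd.h>

/* Names here are this example's own, not a FreeBSD API.
 * 1 = seeded, 0 = not yet seeded (EAGAIN), -1 = other error, errno set. */
int random_is_seeded(void)
{
    unsigned char probe;
    for (;;) {
        ssize_t n = getrandom(&probe, sizeof(probe), GRND_NONBLOCK);
        if (n == (ssize_t)sizeof(probe))
            return 1;
        if (n == -1 && errno == EAGAIN)
            return 0;
        if (n == -1 && errno == EINTR)
            continue;
        return -1;
    }
}

/* Fill buf with exactly len bytes from path; 0 on success, -1 on failure.
 * Retries interrupted reads and keeps going after short reads. */
int read_random(const char *path, unsigned char *buf, size_t len)
{
    size_t got = 0;
    int fd = open(path, O_RDONLY);
    if (fd == -1)
        return -1;
    while (got < len) {
        ssize_t n = read(fd, buf + got, len - got);
        if (n > 0)
            got += (size_t)n;
        else if (n == 0 || errno != EINTR)
            break;              /* EOF or a real error: give up */
    }
    close(fd);
    return got == len ? 0 : -1;
}

int main(void)
{
    unsigned char key[32];
    printf("seeded: %d\n", random_is_seeded());
    if (read_random("/dev/random", key, sizeof(key)) != 0)
        return 1;               /* never use key after a failed read */
    return 0;
}
```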


