Date: Thu, 20 Sep 2012 23:08:15 -0700 From: David O'Brien <obrien@FreeBSD.org> To: Pawel Jakub Dawidek <pjd@FreeBSD.org> Cc: freebsd-security@FreeBSD.org Subject: Re: Collecting entropy from device_attach() times. Message-ID: <20120921060815.GA42778@dragon.NUXI.org> In-Reply-To: <20120921053549.GF1407@garage.freebsd.pl> References: <20120918211422.GA1400@garage.freebsd.pl> <20120919223459.GC25606@dragon.NUXI.org> <20120921053549.GF1407@garage.freebsd.pl>
next in thread | previous in thread | raw e-mail | index | archive | help
On Fri, Sep 21, 2012 at 07:35:49AM +0200, Pawel Jakub Dawidek wrote: > Note that adding sysctl to turn off entropy harvesting from > device_attach() is pretty useless, as sysctls can be changed once we > start userland and then all device_attach() are already called (modulo > drivers loaded later). That is what I had in mind -- .ko drivers loaded post 'initrandom'. The same could be said for kern.random.sys.harvest.interrupt. By the time kern.random.sys.harvest.interrupt can be turned off, my test system has already processed 784 'origin interrupt' queue entries and went from kern.random.sys.seeded=0->1. > What I'd like to see is for all those sysctls to > have corresponding tunables, then it would make more sense. True. I don't know if Mark thought about this approach and felt there was an issue or not. For consistency sake, if we have kern.random.sys.harvest.interrupt, we should have kern.random.sys.harvest.devprobe (or what ever we'd call it). -- -- David (obrien@FreeBSD.org)
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20120921060815.GA42778>