From owner-freebsd-security@FreeBSD.ORG Fri Sep 21 07:09:36 2012 Return-Path: Delivered-To: freebsd-security@FreeBSD.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 088441065677; Fri, 21 Sep 2012 07:09:36 +0000 (UTC) (envelope-from pawel@dawidek.net) Received: from mail.dawidek.net (garage.dawidek.net [91.121.88.72]) by mx1.freebsd.org (Postfix) with ESMTP id BDFE48FC1A; Fri, 21 Sep 2012 07:09:35 +0000 (UTC) Received: from localhost (dkr183.neoplus.adsl.tpnet.pl [83.24.21.183]) by mail.dawidek.net (Postfix) with ESMTPSA id D59458E5; Fri, 21 Sep 2012 09:08:38 +0200 (CEST) Date: Fri, 21 Sep 2012 09:09:56 +0200 From: Pawel Jakub Dawidek To: David O'Brien Message-ID: <20120921070956.GA1382@garage.freebsd.pl> References: <20120918211422.GA1400@garage.freebsd.pl> <20120919223459.GC25606@dragon.NUXI.org> <20120921053549.GF1407@garage.freebsd.pl> <20120921060815.GA42778@dragon.NUXI.org> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="lrZ03NoBR/3+SXJZ" Content-Disposition: inline In-Reply-To: <20120921060815.GA42778@dragon.NUXI.org> X-OS: FreeBSD 10.0-CURRENT amd64 User-Agent: Mutt/1.5.21 (2010-09-15) X-Mailman-Approved-At: Fri, 21 Sep 2012 07:23:32 +0000 Cc: freebsd-security@FreeBSD.org Subject: Re: Collecting entropy from device_attach() times. X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 21 Sep 2012 07:09:36 -0000 --lrZ03NoBR/3+SXJZ Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Thu, Sep 20, 2012 at 11:08:15PM -0700, David O'Brien wrote: > On Fri, Sep 21, 2012 at 07:35:49AM +0200, Pawel Jakub Dawidek wrote: > > Note that adding sysctl to turn off entropy harvesting from > > device_attach() is pretty useless, as sysctls can be changed once we > > start userland and then all device_attach() are already called (modulo > > drivers loaded later). >=20 > That is what I had in mind -- .ko drivers loaded post 'initrandom'. >=20 > The same could be said for kern.random.sys.harvest.interrupt. > By the time kern.random.sys.harvest.interrupt can be turned off, > my test system has already processed 784 'origin interrupt' queue > entries and went from kern.random.sys.seeded=3D0->1. Yes, this is exactly why I'd like to see corresponding tunable for all those sysctls. --=20 Pawel Jakub Dawidek http://www.wheelsystems.com FreeBSD committer http://www.FreeBSD.org Am I Evil? Yes, I Am! http://tupytaj.pl --lrZ03NoBR/3+SXJZ Content-Type: application/pgp-signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.19 (FreeBSD) iEYEARECAAYFAlBcEsQACgkQForvXbEpPzStFACeOALT31CDBZgi3wA843QKK+NQ NaQAnRmjjgU+Zv70L/H+FG9pPz682eOf =Bqar -----END PGP SIGNATURE----- --lrZ03NoBR/3+SXJZ--