From owner-freebsd-security@FreeBSD.ORG Mon Sep 3 02:18:41 2012 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 9DCFA106566B; Mon, 3 Sep 2012 02:18:41 +0000 (UTC) (envelope-from freebsd@damnhippie.dyndns.org) Received: from duck.symmetricom.us (duck.symmetricom.us [206.168.13.214]) by mx1.freebsd.org (Postfix) with ESMTP id 5BE9D8FC14; Mon, 3 Sep 2012 02:18:41 +0000 (UTC) Received: from damnhippie.dyndns.org (daffy.symmetricom.us [206.168.13.218]) by duck.symmetricom.us (8.14.5/8.14.5) with ESMTP id q832IeHA022921; Sun, 2 Sep 2012 20:18:40 -0600 (MDT) (envelope-from freebsd@damnhippie.dyndns.org) Received: from [172.22.42.240] (revolution.hippie.lan [172.22.42.240]) by damnhippie.dyndns.org (8.14.3/8.14.3) with ESMTP id q832Ic7J039608; Sun, 2 Sep 2012 20:18:38 -0600 (MDT) (envelope-from freebsd@damnhippie.dyndns.org) From: Ian Lepore To: Doug Barton In-Reply-To: <5043E449.8050005@FreeBSD.org> References: <201208222337.q7MNbORo017642@svn.freebsd.org> <5043E449.8050005@FreeBSD.org> Content-Type: text/plain; charset="us-ascii" Date: Sun, 02 Sep 2012 20:18:38 -0600 Message-ID: <1346638718.1140.573.camel@revolution.hippie.lan> Mime-Version: 1.0 X-Mailer: Evolution 2.32.1 FreeBSD GNOME Team Port Content-Transfer-Encoding: 7bit X-Mailman-Approved-At: Mon, 03 Sep 2012 03:19:08 +0000 Cc: Arthur Mesh , freebsd-security@freebsd.org, freebsd-rc@freebsd.org Subject: Re: svn commit: r239598 - head/etc/rc.d X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 03 Sep 2012 02:18:41 -0000 On Sun, 2012-09-02 at 15:57 -0700, Doug Barton wrote: > The attached patch simplifies the script quite a bit, and restores the > traditional order of running the "best effort" entropy first. I'm > interested in what others think about this. (Note, the patch is easier > to understand if you apply it and look at the resulting file.) I have a patchset somewhere that added the ability to supply an alternate command to generate "best effort" entropy. The reason is that the existing code on an embedded system with no realtime clock hardware generates a sequence that sometimes differs by two full bytes from one boot to the next. Often it's identical. Adding insult is the fact that the existing sequence takes about 4-5 seconds on that platform. There just isn't much entropy available there, but I came up with a command sequence that ran in about a second and generated more differences on each boot. I'm still interested in the ability to override the default best effort generator with something else via entries in rc.conf; I'm not picky about the mechanism for doing so. If there's any interest, I'll try to find that old patch I had for it (which I never submitted for fear of starting a "that's not good enough entropy" flame war). -- Ian