From owner-freebsd-security@FreeBSD.ORG Sat Sep 15 03:39:28 2012 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id DEAB7106566B; Sat, 15 Sep 2012 03:39:27 +0000 (UTC) (envelope-from delphij@delphij.net) Received: from anubis.delphij.net (anubis.delphij.net [IPv6:2001:470:1:117::25]) by mx1.freebsd.org (Postfix) with ESMTP id 9176A8FC17; Sat, 15 Sep 2012 03:39:27 +0000 (UTC) Received: from Xins-MacBook-Pro.local (c-67-188-85-47.hsd1.ca.comcast.net [67.188.85.47]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by anubis.delphij.net (Postfix) with ESMTPSA id EF7021E249; Fri, 14 Sep 2012 20:39:26 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=delphij.net; s=anubis; t=1347680367; bh=pOPjjNQN7esT0aY5QKmgHuSFuvuDnqBfOmo1tdn80nw=; h=Date:From:Reply-To:To:CC:Subject:References:In-Reply-To; b=0oTDLc7Rel71FQ0MP9j9fJZsBPCpGcF1Vcr5D/xLIyNeMEIde8IwwSIpRryouDA/G mmBGJZpccYeWL6skO2BirzvxaaFOqSHs1LL9/i2IJtWzsV6LpAsOT4YxfeNHizKgo4 ZpcvhFNFYGOw4jnwtrzYgP2HBxITsi6sP9zXOK3k= Message-ID: <5053F86F.10804@delphij.net> Date: Fri, 14 Sep 2012 20:39:27 -0700 From: Xin Li Organization: The FreeBSD Project User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:15.0) Gecko/20120907 Thunderbird/15.0.1 MIME-Version: 1.0 To: Samuel Ports References: <50453686.9090100@FreeBSD.org> <20120911082309.GD72584@dragon.NUXI.org> <504F0687.7020309@FreeBSD.org> <201209121628.18088.jhb@freebsd.org> <5050F477.8060409@FreeBSD.org> <20120912213141.GI14077@x96.org> <20120913052431.GA15052@dragon.NUXI.org> <20120914154617.39025ac0@gumby.homeunix.com> <20120915010713.492c65a0@gumby.homeunix.com> <-5330022830022085986@unknownmsgid> In-Reply-To: <-5330022830022085986@unknownmsgid> X-Enigmail-Version: 1.4.4 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Cc: Arthur Mesh , Lepore , Doug Barton , "Ian@freebsd.org" , Ben Laurie , "freebsd-security@freebsd.org" , RW , "Bjoern A. Zeeb" Subject: Re: svn commit: r239569 - head/etc/rc.d X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: d@delphij.net List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 15 Sep 2012 03:39:28 -0000 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 On 9/14/12 7:18 PM, Samuel Ports wrote: > Omg cant an freebsd-entropy be created as mailing list already Nothing prevents you from unsubscribing this mailing list. > Sent from my iPhone > > On Sep 14, 2012, at 8:09 PM, RW > wrote: > >> On Fri, 14 Sep 2012 17:25:59 +0100 Ben Laurie wrote: >> >>> On Fri, Sep 14, 2012 at 3:46 PM, RW >>> wrote: >>>> On Fri, 14 Sep 2012 14:43:53 +0100 Ben Laurie wrote: >>>> >>>>> On Fri, Sep 14, 2012 at 2:38 PM, Bjoern A. Zeeb >>>>> wrote: >>>>>> 7) send all data to the kernel and hash (arch dependent?) >>>>>> it + counter value into the buffer on overflow, as in >>>>>> b[n] = H(b[n] + c + i[n]) in the kernel (can control when >>>>>> buffer full and only then take action when needed, >>>>>> indepedent on how seed data is chosen, uses standard >>>>>> technology) >>>>> >>>>> IMO, this is the only good option. >>>> >>>> No it isn't. I means that the hashing is unconditional, so >>>> anyone that needs a faster boot needs to patch the kernel. >>> >>> Has anyone measured the cost of doing this? Also, if you really >>> want to turn it off, we could provide a flag. >> >> Yes, read the thread. >> >>>> It has no advantage whatsoever over a minor change to >>>> initrandom. >>> >>> It absolutely has. It applies to all inputs to /dev/random, not >>> just those that come from initrandom. >> >> If the rc script are written correctly it shouldn't matter, there >> no need to write to /dev/random after the boot - it wont do >> anything useful. >> >> It has no advantage over hashing the low-grade entropy in >> userland which is is just couple of lines difference in a shell >> script. >> >>> Also, should something get to write to it before initrandom, >>> initrandom's input would still be used. >> >> There's no reason to do that, so why do you think it matter? >> _______________________________________________ >> freebsd-security@freebsd.org mailing list >> http://lists.freebsd.org/mailman/listinfo/freebsd-security To >> unsubscribe, send any mail to >> "freebsd-security-unsubscribe@freebsd.org" > _______________________________________________ > freebsd-security@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-security To > unsubscribe, send any mail to > "freebsd-security-unsubscribe@freebsd.org" > -----BEGIN PGP SIGNATURE----- Version: GnuPG/MacGPG2 v2.0.17 (Darwin) iQEcBAEBCAAGBQJQU/hvAAoJEG80Jeu8UPuzW0sIAIzWmkzVABPNjBEJB5LCKUF2 bhBC2Aapmr5mbxJOqON9j/XCccfcp97iZaQrdOwa7wTOe/7NNZgqDOr6Go2mcQNv SBkhPdi9CoQaAYUoZ65kn9L3UHODbZzDke7jC7LaDxK0tBUl2r+rnaNuwswSxlCU ZsyklowaaHvV9QOVzi1Th/4CrpBocjLjFheziI7reMpQA09+3aMZgVX2hJyU/pY7 l1dB8ymMha4mJ5hYx+j3ZZw40biS9mtHtT+TC4GogQycupkKwxH5jnZGW27/PkY/ ei54JvXCFzHtsyqh61M41Eo1YYo4zMpGphStOFZUYkdaYYz9Js1Qo/5b70/KRYQ= =KuMx -----END PGP SIGNATURE-----