Date: Sun, 02 Sep 2012 15:57:13 -0700 From: Doug Barton <dougb@FreeBSD.org> To: "David E. O'Brien" <obrien@FreeBSD.org> Cc: Arthur Mesh <arthurmesh@gmail.com>, freebsd-security@FreeBSD.org, freebsd-rc@FreeBSD.org, Mark Murray <markm@FreeBSD.org> Subject: Re: svn commit: r239598 - head/etc/rc.d Message-ID: <5043E449.8050005@FreeBSD.org> In-Reply-To: <201208222337.q7MNbORo017642@svn.freebsd.org> References: <201208222337.q7MNbORo017642@svn.freebsd.org>
next in thread | previous in thread | raw e-mail | index | archive | help
This is a multi-part message in MIME format. --------------070804020402040301080703 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit On 08/22/2012 16:37, David E. O'Brien wrote: > Author: obrien > Date: Wed Aug 22 23:37:24 2012 > New Revision: 239598 > URL: http://svn.freebsd.org/changeset/base/239598 > > Log: > * Reinstate r128059's consumption of our best entropy first. > r128060 for "hardware-supplied entropy" reversed this without reason, > seems a typo. I object to this change as well, although mostly for sentimental reasons. :) It's also dubious whether the static /entropy file is really the "best" option at that point, since the "better than nothing" entropy at least contains some elements that have the potential to be different at boot time. > * Isolate "better than nothing" implementation to a function. We generally don't extract code that's only run once into a function, and my stylistic preference is that we do not do that. The attached patch simplifies the script quite a bit, and restores the traditional order of running the "best effort" entropy first. I'm interested in what others think about this. (Note, the patch is easier to understand if you apply it and look at the resulting file.) Doug > Modified: > head/etc/rc.d/initrandom > > Modified: head/etc/rc.d/initrandom > ============================================================================== > --- head/etc/rc.d/initrandom Wed Aug 22 22:48:50 2012 (r239597) > +++ head/etc/rc.d/initrandom Wed Aug 22 23:37:24 2012 (r239598) > @@ -21,6 +21,17 @@ feed_dev_random() > fi > } > > +better_than_nothing() > +{ > + # XXX temporary until we can improve the entropy > + # harvesting rate. > + # Entropy below is not great, but better than nothing. > + # This unblocks the generator at startup > + ( ps -fauxww; sysctl -a; date; df -ib; dmesg; ps -fauxww ) \ > + | dd of=/dev/random bs=8k 2>/dev/null > + cat /bin/ls | dd of=/dev/random bs=8k 2>/dev/null > +} > + > initrandom_start() > { > soft_random_generator=`sysctl kern.random 2>/dev/null` > @@ -52,14 +63,6 @@ initrandom_start() > fi > fi > > - # XXX temporary until we can improve the entropy > - # harvesting rate. > - # Entropy below is not great, but better than nothing. > - # This unblocks the generator at startup > - ( ps -fauxww; sysctl -a; date; df -ib; dmesg; ps -fauxww ) \ > - | dd of=/dev/random bs=8k 2>/dev/null > - cat /bin/ls | dd of=/dev/random bs=8k 2>/dev/null > - > # First pass at reseeding /dev/random. > # > case ${entropy_file} in > @@ -72,6 +75,8 @@ initrandom_start() > ;; > esac > > + better_than_nothing() > + > echo -n ' kickstart' > fi > > -- I am only one, but I am one. I cannot do everything, but I can do something. And I will not let what I cannot do interfere with what I can do. -- Edward Everett Hale, (1822 - 1909) --------------070804020402040301080703 Content-Type: text/plain; charset=UTF-8; name="initrandom.diff" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="initrandom.diff" Index: initrandom =================================================================== --- initrandom (revision 240002) +++ initrandom (working copy) @@ -1,8 +1,7 @@ #!/bin/sh -# + # $FreeBSD$ # - # PROVIDE: initrandom # REQUIRE: dumpon ddb # BEFORE: disks @@ -21,8 +20,11 @@ fi } -better_than_nothing() +initrandom_start() { + [ -w /dev/random ] || return + sysctl kern.random 2>/dev/null || return + # XXX temporary until we can improve the entropy # harvesting rate. # Entropy below is not great, but better than nothing. @@ -30,54 +32,36 @@ ( ps -fauxww; sysctl -a; date; df -ib; dmesg; ps -fauxww ) \ | dd of=/dev/random bs=8k 2>/dev/null cat /bin/ls | dd of=/dev/random bs=8k 2>/dev/null -} -initrandom_start() -{ - soft_random_generator=`sysctl kern.random 2>/dev/null` + case ${entropy_file} in + [Nn][Oo] | '') + ;; + *) + feed_dev_random "${entropy_file}" + ;; + esac echo -n 'Entropy harvesting:' - if [ \! -z "${soft_random_generator}" ] ; then + if checkyesno harvest_interrupt; then + ${SYSCTL} kern.random.sys.harvest.interrupt=1 >/dev/null + echo -n ' interrupts' + else + ${SYSCTL} kern.random.sys.harvest.interrupt=0 >/dev/null + fi - if [ -w /dev/random ]; then - if checkyesno harvest_interrupt; then - ${SYSCTL} kern.random.sys.harvest.interrupt=1 >/dev/null - echo -n ' interrupts' - else - ${SYSCTL} kern.random.sys.harvest.interrupt=0 >/dev/null - fi + if checkyesno harvest_ethernet; then + ${SYSCTL} kern.random.sys.harvest.ethernet=1 >/dev/null + echo -n ' ethernet' + else + ${SYSCTL} kern.random.sys.harvest.ethernet=0 >/dev/null + fi - if checkyesno harvest_ethernet; then - ${SYSCTL} kern.random.sys.harvest.ethernet=1 >/dev/null - echo -n ' ethernet' - else - ${SYSCTL} kern.random.sys.harvest.ethernet=0 >/dev/null - fi - - if checkyesno harvest_p_to_p; then - ${SYSCTL} kern.random.sys.harvest.point_to_point=1 >/dev/null - echo -n ' point_to_point' - else - ${SYSCTL} kern.random.sys.harvest.point_to_point=0 >/dev/null - fi - fi - - # First pass at reseeding /dev/random. - # - case ${entropy_file} in - [Nn][Oo] | '') - ;; - *) - if [ -w /dev/random ]; then - feed_dev_random "${entropy_file}" - fi - ;; - esac - - better_than_nothing - - echo -n ' kickstart' + if checkyesno harvest_p_to_p; then + ${SYSCTL} kern.random.sys.harvest.point_to_point=1 >/dev/null + echo -n ' point_to_point' + else + ${SYSCTL} kern.random.sys.harvest.point_to_point=0 >/dev/null fi echo '.' --------------070804020402040301080703--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?5043E449.8050005>