Skip site navigation (1)Skip section navigation (2)
Date:      Tue, 04 Sep 2012 15:46:22 -0700
From:      Doug Barton <dougb@FreeBSD.org>
To:        Peter Jeremy <peter@rulingia.com>
Cc:        Arthur Mesh <arthurmesh@gmail.com>, freebsd-security@freebsd.org, freebsd-rc@freebsd.org, Mark Murray <markm@FreeBSD.org>
Subject:   Re: svn commit: r239569 - head/etc/rc.d
Message-ID:  <504684BE.7070603@FreeBSD.org>
In-Reply-To: <20120904220754.GA3643@server.rulingia.com>
References:  <201208221843.q7MIhLU4077951@svn.freebsd.org> <5043DBAF.40506@FreeBSD.org> <20120903171538.GM1464@x96.org> <50450F2A.10708@FreeBSD.org> <20120903203505.GN1464@x96.org> <50451D6E.30401@FreeBSD.org> <20120903214638.GO1464@x96.org> <50453686.9090100@FreeBSD.org> <20120904220754.GA3643@server.rulingia.com>

next in thread | previous in thread | raw e-mail | index | archive | help
On 09/04/2012 03:07 PM, Peter Jeremy wrote:
> On 2012-Sep-03 16:00:22 -0700, Doug Barton <dougb@freebsd.org> wrote:
>> The static files are provided as a means to stir the pool to unblock the
>> device at boot time.
> 
> As far as I can tell, this is no longer required. 

It always has been required in the sense that it improves the quality of
the random bits during and shortly after boot.

> Both the Yarrow and
> Nehemiah Padlock generators initialise to "seeded" and there is no
> provision (other than sysctl) to "unseed" them. 

That's a bit of a chimera, and I would prefer that Mark comment on that
if he so desires. :)

> Yarrow will begin
> collecting entropy as soon as the random device receives a MOD_LOAD
> event during kernel startup.

.... assuming all of the defaults, yes. This is another reason I'm not
very concerned about replay attacks.

>> What if, instead of replacing /entropy, we add an additional file in
>> /var/db/entropy at boot time that is numerically 1 higher than
>> $entropy_save_num ?
> 
> That sounds like a reasonable idea.

Thanks. I am particularly interested in what David and Arthur have to
say about it.

>> (Note, I have to fix the rotation script to account
>> for this, but I have had "improve the rotation script" on my TODO list
>> for a long time now, and this is a good excuse for me to get a round
>> 'tuit.)
> 
> You might like to look at kern/134225 (which is misfiled, sorry).

I just grabbed that, thanks. I wish someone had brought that to my
attention sooner, but there you go. Overall I like the approach, but I
may rework the logic a bit. Thank you for suggesting it.

Doug



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?504684BE.7070603>