Date: Tue, 04 Sep 2012 15:46:22 -0700 From: Doug Barton <dougb@FreeBSD.org> To: Peter Jeremy <peter@rulingia.com> Cc: Arthur Mesh <arthurmesh@gmail.com>, freebsd-security@freebsd.org, freebsd-rc@freebsd.org, Mark Murray <markm@FreeBSD.org> Subject: Re: svn commit: r239569 - head/etc/rc.d Message-ID: <504684BE.7070603@FreeBSD.org> In-Reply-To: <20120904220754.GA3643@server.rulingia.com> References: <201208221843.q7MIhLU4077951@svn.freebsd.org> <5043DBAF.40506@FreeBSD.org> <20120903171538.GM1464@x96.org> <50450F2A.10708@FreeBSD.org> <20120903203505.GN1464@x96.org> <50451D6E.30401@FreeBSD.org> <20120903214638.GO1464@x96.org> <50453686.9090100@FreeBSD.org> <20120904220754.GA3643@server.rulingia.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On 09/04/2012 03:07 PM, Peter Jeremy wrote: > On 2012-Sep-03 16:00:22 -0700, Doug Barton <dougb@freebsd.org> wrote: >> The static files are provided as a means to stir the pool to unblock the >> device at boot time. > > As far as I can tell, this is no longer required. It always has been required in the sense that it improves the quality of the random bits during and shortly after boot. > Both the Yarrow and > Nehemiah Padlock generators initialise to "seeded" and there is no > provision (other than sysctl) to "unseed" them. That's a bit of a chimera, and I would prefer that Mark comment on that if he so desires. :) > Yarrow will begin > collecting entropy as soon as the random device receives a MOD_LOAD > event during kernel startup. .... assuming all of the defaults, yes. This is another reason I'm not very concerned about replay attacks. >> What if, instead of replacing /entropy, we add an additional file in >> /var/db/entropy at boot time that is numerically 1 higher than >> $entropy_save_num ? > > That sounds like a reasonable idea. Thanks. I am particularly interested in what David and Arthur have to say about it. >> (Note, I have to fix the rotation script to account >> for this, but I have had "improve the rotation script" on my TODO list >> for a long time now, and this is a good excuse for me to get a round >> 'tuit.) > > You might like to look at kern/134225 (which is misfiled, sorry). I just grabbed that, thanks. I wish someone had brought that to my attention sooner, but there you go. Overall I like the approach, but I may rework the logic a bit. Thank you for suggesting it. Doug
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?504684BE.7070603>