Re: entropy at stage 1

From: Jorge Almeida <jjalmeida_at_gmail.com>
Date: Wed, 27 Sep 2017 03:37:10 -0700

On Wed, Sep 27, 2017 at 12:36 AM, Rasmus Villemoes
<rasmus.villemoes_at_prevas.dk> wrote:
> On 2017-09-26 18:20, Jorge Almeida wrote:
>> This is what I do at stage 1, regarding entropy gathering:
>

>
>> - start haveged service soon
>> - in background,
>> - read 512 bytes from /dev/random and write them to /dev/urandom
>> - write something to a pipe entropy_pipe
>>
>> -meanwhile, do other stuff (filesystem checking, etc)
>>
>> -in background,
>> -read from entropy_pipe (blocks until ready)
>> - start services that require /dev/urandom in a sane state
>
> The two processes with an entropy_pipe between them seems overkill, why
> not just have one process do getrandom(,,0)?

The purpose of the pipe is to allow doing other stuff while gathering
entropy (IOW, parallelism; besides, fsck'ing adds to entropy). The
processes that require /dev/urandom may have their own established
code that I wouldn't dream to touch (e.g. sshd). Launching such
processes after a successful reading from the pipe ensures that
/dev/urandom is sane. (Doing getrandom() after copying to /dev/random
is not an option unless the scripting language supports it. Besides,
dealing with an anonymous pipe is simple enough).

What I'm not sure is wheather the /dev/random -> /dev/urandom copying
idea is sound, and wheather using haveged is this context is safe (I
know it accelerates things, I _hope_ it does it right).

Jorge
Received on Wed Sep 27 2017 - 10:37:10 UTC

This archive was generated by hypermail 2.3.0 : Sun May 09 2021 - 19:38:49 UTC