Updated random(4) boot/shutdown scripting.

Fix the man pages as well.

Differential Revision: https://reviews.freebsd.org/D2924
Approved by: so (delphij)

etc/defaults/rc.conf

@@ -630,15 +630,16 @@ kern_securelevel="-1"	# range: -1..3 ; `-1' is the most insecure
 			# in the system booting with securelevel set to 1, as
 			# init(8) will raise the level when rc(8) completes.
 update_motd="YES"	# update version info in /etc/motd (or NO)
-entropy_file="/entropy"	# Set to NO to disable caching entropy through reboots.
+entropy_boot_file="/boot/entropy"	# Set to NO to disable very early
+			# (used at early boot time) entropy caching through reboots.
+entropy_file="/entropy"	# Set to NO to disable late (used when going multi-user)
+			# entropy through reboots.
 			# /var/db/entropy-file is preferred if / is not avail.
 entropy_dir="/var/db/entropy" # Set to NO to disable caching entropy via cron.
 entropy_save_sz="4096"	# Size of the entropy cache files.
 entropy_save_num="8"	# Number of entropy cache files to save.
-harvest_interrupt="YES"	# Entropy device harvests interrupt randomness
-harvest_ethernet="YES"	# Entropy device harvests ethernet randomness
-harvest_p_to_p="YES"	# Entropy device harvests point-to-point randomness
-harvest_swi="YES"	# Entropy device harvests internal SWI randomness
+harvest_mask="511"	# Entropy device harvests all but the very invasive sources.
+			# (See 'sysctl kern.random.harvest' and random(4))
 dmesg_enable="YES"	# Save dmesg(8) to /var/run/dmesg.boot
 watchdogd_enable="NO"	# Start the software watchdog daemon
 watchdogd_flags=""	# Flags to watchdogd (if enabled)

etc/rc.d/random

@@ -41,6 +41,13 @@ feed_dev_random()
 
 random_start()
 {
+
+	if [ ${harvest_mask} -gt 0 ]; then
+		echo -n 'Setting up harvesting:'
+		${SYSCTL} kern.random.harvest.mask=${harvest_mask} > /dev/null
+		${SYSCTL_N} kern.random.harvest.mask_symbolic
+	fi
+
 	echo -n 'Feeding entropy:'
 
 	if [ ! -w /dev/random ] ; then
@@ -68,6 +75,14 @@ random_start()
 		;;
 	esac
 
+	case ${entropy_boot_file:=/boot/entropy} in
+	[Nn][Oo] | '')
+		;;
+	*)
+		save_dev_random "${entropy_boot_file}"
+		;;
+	esac
+
 	echo '.'
 }
 
@@ -100,7 +115,33 @@ random_stop()
 			;;
 		*)
 			dd if=/dev/random of=${entropy_file_confirmed} \
-			   bs=4096 count=1 2> /dev/null
+			    bs=4096 count=1 2> /dev/null ||
+			    warn 'write failed (unwriteable file or full fs?)'
+			echo '.'
+			;;
+		esac
+		umask ${oumask}
+		;;
+	esac
+	case ${entropy_boot_file:=/boot/entropy} in
+	[Nn][Oo] | '')
+		;;
+	*)
+		echo -n 'Writing early boot entropy file:'
+		rm -f ${entropy_boot_file} 2> /dev/null
+		oumask=`umask`
+		umask 077
+		if touch ${entropy_boot_file} 2> /dev/null; then
+			entropy_boot_file_confirmed="${entropy_boot_file}"
+		fi
+		case ${entropy_boot_file_confirmed} in
+		'')
+			warn 'write failed (read-only fs?)'
+			;;
+		*)
+			dd if=/dev/random of=${entropy_boot_file_confirmed} \
+			    bs=4096 count=1 2> /dev/null ||
+			    warn 'write failed (unwriteable file or full fs?)'
 			echo '.'
 			;;
 		esac

share/man/man5/rc.conf.5

@@ -3995,27 +3995,11 @@ set from
 .Va jail_ Ns Ao Ar jname Ac Ns Va _sysvipc_allow
 .El
 .\" -----------------------------------------------------
-.It Va harvest_interrupt
-.Pq Vt bool
-Set to
-.Dq Li YES
-to use hardware interrupts as an entropy source.
-Refer to
-.Xr random 4
-for more information.
-.It Va harvest_ethernet
-.Pq Vt bool
-Set to
-.Dq Li YES
-to use LAN traffic as an entropy source.
-Refer to
-.Xr random 4
-for more information.
-.It Va harvest_p_to_p
-.Pq Vt bool
-Set to
-.Dq Li YES
-to use serial line traffic as an entropy source.
+.It Va harvest_mask
+.Pq Vt int
+Set to a bit-mask
+representing the entropy sources
+you wish to harvest.
 Refer to
 .Xr random 4
 for more information.
@@ -4025,17 +4009,54 @@ Set to
 .Dq Li NO
 to disable caching entropy via
 .Xr cron 8 .
-Otherwise set to the directory used to store entropy files in.
+Otherwise set to the directory
+in which the entropy files are stored.
+To be useful,
+there must be
+a system cron job
+that regularly writes and rotates
+files here.
+All files found
+will be used at boot time.
+The default is
+.Pa /var/db/entropy .
 .It Va entropy_file
 .Pq Vt str
 Set to
 .Dq Li NO
 to disable caching entropy through reboots.
-Otherwise set to the filename used to store cached entropy through
-reboots.
-This file should be located on the root file system to seed the
-.Xr random 4
-device as early as possible in the boot process.
+Otherwise set to the name
+of a file used to store cached entropy.
+This file should be located
+on a file system that is readable
+before all the volumes specified in
+.Xr fstab 5
+are mounted.
+By default,
+.Pa /entropy
+is used,
+but if
+.Pa /var/db/entropy-file
+is found it will also be used.
+This will be of some use to
+.Xr bsdinstall 8 .
+.It Va entropy_boot_file
+.Pq Vt str
+Set to
+.Dq Li NO
+to disable
+very early caching entropy
+through reboots.
+Otherwise set to the filename
+used to read
+very early reboot cached entropy.
+This file should be located where
+.Xr loader 8
+can read it.
+See also
+.Xr loader.conf 5 .
+The default location is
+.Pa /boot/entropy .
 .It Va entropy_save_sz
 .Pq Vt int
 Size of the entropy cache files saved by
@@ -4478,6 +4499,7 @@ The default value is an empty string.
 .Xr ipf 5 ,
 .Xr ipnat 5 ,
 .Xr jail.conf 5 ,
+.Xr loader.conf 5 ,
 .Xr motd 5 ,
 .Xr newsyslog.conf 5 ,
 .Xr pf.conf 5 ,
@@ -4486,6 +4508,7 @@ The default value is an empty string.
 .Xr amd 8 ,
 .Xr apm 8 ,
 .Xr atm 8 ,
+.Xr bsdinstall 8 ,
 .Xr bthidd 8 ,
 .Xr chkprintcap 8 ,
 .Xr chown 8 ,
@@ -4503,6 +4526,7 @@ The default value is an empty string.
 .Xr ipnat 8 ,
 .Xr jail 8 ,
 .Xr kldxref 8 ,
+.Xr loader 8 ,
 .Xr lpd 8 ,
 .Xr mdconfig 8 ,
 .Xr mdmfs 8 ,

share/man/man9/random.9

@@ -4,8 +4,6 @@
 .\" Copyright (c) 2000
 .\"	The Regents of the University of California.  All rights reserved.
 .\"
-.\" All rights reserved.
-.\"
 .\" Redistribution and use in source and binary forms, with or without
 .\" modification, are permitted provided that the following conditions
 .\" are met:

sys/boot/forth/loader.conf

@@ -42,11 +42,16 @@ bitmap_type="splash_image_data" # and place it on the module_path
 ###  Random number generator configuration ###################
 ##############################################################
 
-entropy_cache_load="NO"			# Set this to YES to load entropy at boot time
+# See rc.conf(5). The entropy_boot_file config variable must agree with the
+# settings below.
+
+entropy_cache_load="YES"		# Set this to NO to disable loading
+					# entropy at boot time
 entropy_cache_name="/boot/entropy"	# Set this to the name of the file
-entropy_cache_type="/boot/entropy"	
-#kern.random.sys.seeded="0"		# Set this to 1 to start /dev/random
-					# without waiting for a (re)seed.
+entropy_cache_type="/boot/entropy"	# Required for the kernel to find
+					# the boot-time entropy cache. This
+					# must not change value even if the
+					# _name above does change!
 
 ##############################################################
 ###  RAM Blacklist configuration #############################

sys/boot/forth/loader.conf.5

@@ -252,6 +252,19 @@ and
 If set to
 .Dq NO ,
 the beastie boot menu will be displayed without ANSI coloring.
+.It Va entropy_cache_load
+.Pq Dq YES
+If set to
+.Dq NO ,
+the very early
+boot-time entropy file
+will not be loaded.
+See the entropy entries in
+.Xr rc.conf 5 .
+.It Va entropy_cache_name
+.Pq Dq /boot/entropy
+The name of the very early
+boot-time entropy cache file.
 .El
 .Sh FILES
 .Bl -tag -width /boot/defaults/loader.conf -compact
@@ -269,6 +282,7 @@ contains the instructions to automatically process
 .Nm .
 .El
 .Sh SEE ALSO
+.Xr rc.conf 5 ,
 .Xr boot 8 ,
 .Xr loader 8 ,
 .Xr loader.4th 8