Move the process of storing entropy from /dev/random and reseeding with

it at boot time closer to the way we want it to be in the final version. * Move the default directory to /var/db/entropy * Run the entropy saving cron job every 11 minutes. This seems to be a better default, although still bikeshed material. * Feed /dev/random some cheesy "entropy" from various commands and files before the disks are mounted. This gives /dev/random a better chance of running without blocking early. * Move the reseeding with previously stored entropy to the point immediately after the disks are mounted. * Make the harvesting script a little safer in regards to the possibility of accidentally overwriting something other than a regular file.
2001-01-14 07:18:31 +00:00 · 2001-01-14 07:18:31 +00:00 · 10fe5181ec
commit 10fe5181ec
parent 940b9a4808
6 changed files with 61 additions and 72 deletions
--- a/etc/crontab
+++ b/etc/crontab
@ -8,11 +8,11 @@ HOME=/var/log
 #
 #minute	hour	mday	month	wday	who	command
 #
-# save some entropy so that /dev/random can reseed on boot
-*/3	*	*	*	*	operator /usr/libexec/save-entropy
-#
 */5	*	*	*	*	root	/usr/libexec/atrun
 #
+# save some entropy so that /dev/random can reseed on boot
+*/11	*	*	*	*	operator /usr/libexec/save-entropy
+#
 # rotate log files every hour, if necessary
 0	*	*	*	*	root	newsyslog
 #
--- a/etc/defaults/rc.conf
+++ b/etc/defaults/rc.conf
@ -324,7 +324,7 @@ start_vinum=""		# set to YES to start vinum
 unaligned_print="YES"	# print unaligned access warnings on the alpha (or NO).
 entropy_file="/entropy" # Set to NO to disable caching entropy through reboots.
 			# /var/db/entropy is preferred if / is not available.
-entropy_dir="/.entropy" # Set to NO to disable caching entropy via cron.
+entropy_dir="/var/db/entropy" # Set to NO to disable caching entropy via cron.
 entropy_save_sz="2048" 	# Size of the entropy cache files.
 entropy_save_num="8" 	# Number of entropy cache files to save.

--- a/etc/mtree/BSD.root.dist
+++ b/etc/mtree/BSD.root.dist
@ -5,10 +5,6 @@

 /set type=dir uname=root gname=wheel mode=0755
 .
-/set type=dir uname=operator gname=operator mode=0700
-    .entropy
-    ..
-/set type=dir uname=root gname=wheel mode=0755
    bin
    ..
    boot
--- a/etc/mtree/BSD.var.dist
+++ b/etc/mtree/BSD.var.dist
@ -24,6 +24,10 @@
        ..
    ..
    db              mode=0755
+/set type=dir uname=operator gname=operator mode=0700
+    entropy
+    ..
+/set type=dir uname=root gname=wheel
        pkg         mode=0755
        ..
    ..
--- a/etc/rc
+++ b/etc/rc
@ -71,6 +71,13 @@ elif [ -r /etc/rc.conf ]; then
 	. /etc/rc.conf
 fi

+feed_dev_random() {
+	if [ -f "${1}" -a -r "${1}" -a -s "${1}" ]; then
+		echo "Using ${1} as an entropy file"
+		cat "${1}" | dd of=/dev/random bs=8k 2>/dev/null
+	fi
+}
+
 chkdepend() {
 	svc=$1
 	svc_var=$2
@ -100,15 +107,15 @@ chkdepend NFS nfs_server_enable portmap portmap_enable
 chkdepend NIS nis_server_enable portmap portmap_enable
 chkdepend NIS nis_client_enable portmap portmap_enable

-# First pass at entropy recovery so the rebooting /dev/random can reseed.
+# First pass at reseeding /dev/random.
 #
-feed_dev_random() {
-	if [ -f "${1}" -a -r "${1}" -a -s "${1}" ]; then
-		echo "Using ${1} as an entropy file"
-		cat ${1} > /dev/random 2> /dev/random &&
-		entropy_reseeded=yes
-	fi
-}
+# XXX temporary until we can get the entropy
+# harvesting rate up
+# Entropy below is not great,
+# but better than nothing.
+( ps -efauxww; sysctl -a; date; df -ib; dmesg; ps -efauxww; ) \
+    | dd of=/dev/random bs=8k 2>/dev/null
+cat /bin/ls | dd of=/dev/random bs=8k 2>/dev/null

 case ${entropy_file} in
 [Nn][Oo] | '')
@ -120,21 +127,6 @@ case ${entropy_file} in
 	;;
 esac

-case ${entropy_dir} in
-[Nn][Oo])
-	;;
-*)
-	entropy_dir=${entropy_dir:-/.entropy}
-	if [ -d "${entropy_dir}" ]; then
-		if [ -w /dev/random ]; then
-			for seedfile in ${entropy_dir}/*; do
-				feed_dev_random "${seedfile}"
-			done
-		fi
-	fi
-	;;
-esac
-
 # Configure ccd devices.
 #
 if [ -r /etc/ccd.conf ]; then
@ -224,44 +216,31 @@ if [ -n "${diskless_mount}" -a -r "${diskless_mount}" ]; then
 		sh ${diskless_mount}
 fi

-# Second attempt at reseeding, if needed.
-#
-case ${entropy_reseeded} in
-yes)
+# Reseed /dev/random with previously stored entropy.
+case ${entropy_dir} in
+[Nn][Oo])
 	;;
 *)
-	case ${entropy_file} in
-	[Nn][Oo] | '')
-		;;
-	*)
+	entropy_dir=${entropy_dir:-/var/db/entropy}
+	if [ -d "${entropy_dir}" ]; then
 		if [ -w /dev/random ]; then
-			if [ -f "${entropy_file}" -a -r "${entropy_file}" -a \
-			    -s "${entropy_file}" ]; then
-				feed_dev_random "${entropy_file}"
-			elif [ "${entropy_file}" != /var/db/entropy -a \
-			    -f /var/db/entropy -a -r /var/db/entropy -a \
-			    -s /var/db/entropy ]; then
-				feed_dev_random /var/db/entropy 
-			else
-    echo "Can't use ${entropy_file} as an entropy file, trying other sources"
-				# XXX temporary until we can get the entropy
-				# harvesting rate up
-				# Entropy below is not great,
-				# but better than nothing.
-				(ps -gauxwww; sysctl -a;
-				    dmesg) | /bin/dd of=/dev/random bs=8k 2>/dev/null
-				( for i in /etc /var/run ; do
-					cd $i ; ls -al ; cat *
-				done ) | /bin/dd of=/dev/random bs=8k 2>/dev/null
-			fi
+			for seedfile in ${entropy_dir}/*; do
+				feed_dev_random "${seedfile}"
+			done
 		fi
-		;;
-	esac
+	fi
 	;;
 esac

-# Remove these to prevent problems on future reboots
-rm -f "${entropy_file}" /var/db/entropy
+case ${entropy_file} in
+[Nn][Oo] | '')
+	;;
+*)
+	if [ -w /dev/random ]; then
+		feed_dev_random "${entropy_file}"
+	fi
+	;;
+esac

 adjkerntz -i

--- a/libexec/save-entropy/save-entropy.sh
+++ b/libexec/save-entropy/save-entropy.sh
@ -29,6 +29,8 @@
 # This script is called by cron to store bits of randomness which are
 # then used to seed /dev/random on boot.

+# Originally developed by Doug Barton, DougB@FreeBSD.org
+
 PATH=/bin:/usr/bin

 # If there is a global system configuration file, suck it in.
@ -45,33 +47,41 @@ case ${entropy_dir} in
 	exit 0
 	;;
 *)
-	entropy_dir=${entropy_dir:-/.entropy}
+	entropy_dir=${entropy_dir:-/var/db/entropy}
 	;;
 esac

 entropy_save_sz=${entropy_save_sz:-2048}
 entropy_save_num=${entropy_save_num:-8}
-entropy_save_jot=$(($entropy_save_num - 1))

 if [ ! -d "${entropy_dir}" ]; then
 	umask 077
 	mkdir "${entropy_dir}" || {
-	    logger -is The entropy directory "${entropy_dir}" does not \
+	    logger -is -t "$0" The entropy directory "${entropy_dir}" does not \
 exist, and cannot be created.  Therefore no entropy can be saved. ;
 	    exit 1;}
 	/usr/sbin/chown operator:operator "${entropy_dir}"
 	chmod 0700 "${entropy_dir}"
 fi

-rm -f "${entropy_dir}/saved-entropy.${entropy_save_num}"
-
 umask 377

-for file_num in `jot ${entropy_save_jot} ${entropy_save_jot} 1`; do
-	if [ -f "${entropy_dir}/saved-entropy.${file_num}" ]; then
-		new_num=$(($file_num + 1))
-		mv "${entropy_dir}/saved-entropy.${file_num}" \
-		    "${entropy_dir}/saved-entropy.${new_num}"
+for file_num in `jot ${entropy_save_num} ${entropy_save_num} 1`; do
+	if [ -e "${entropy_dir}/saved-entropy.${file_num}" ]; then
+		if [ -f "${entropy_dir}/saved-entropy.${file_num}" ]; then
+			new_num=$(($file_num + 1))
+			if [ "${new_num}" -gt "${entropy_save_num}" ]; then
+				rm -f "${entropy_dir}/saved-entropy.${file_num}"
+			else
+				mv "${entropy_dir}/saved-entropy.${file_num}" \
+				    "${entropy_dir}/saved-entropy.${new_num}"
+			fi
+		else
+			logger -is -t "$0" \
+"${entropy_dir}/saved-entropy.${file_num} is not a regular file, and therefore \
+it will not be rotated. Entropy file harvesting is aborted."
+			exit 1
+		fi
 	fi
 done