From 0fb11190fa5911f6f9c20c38e74a664826157a34 Mon Sep 17 00:00:00 2001 From: William Hubbs Date: Wed, 30 Mar 2022 11:15:13 -0500 Subject: [PATCH] add seedrng service for Linux This moves urandom to *bsd only and adds seedrng as a separate service for Linux. This fixes #510 --- conf.d/Makefile | 6 +++--- conf.d/meson.build | 4 +++- conf.d/seedrng | 17 +++++++++++++++ conf.d/urandom | 9 +------- init.d/Makefile | 8 +++---- init.d/meson.build | 3 ++- init.d/seedrng.in | 46 ++++++++++++++++++++++++++++++++++++++++ init.d/urandom.in | 39 +++++++++++++++------------------- runlevels/Makefile | 10 ++++----- tools/meson_runlevels.sh | 6 +++--- 10 files changed, 101 insertions(+), 47 deletions(-) create mode 100644 conf.d/seedrng create mode 100644 init.d/seedrng.in diff --git a/conf.d/Makefile b/conf.d/Makefile index 64168374..6d2e7de1 100644 --- a/conf.d/Makefile +++ b/conf.d/Makefile @@ -1,7 +1,7 @@ include ../mk/net.mk DIR= ${CONFDIR} -CONF= bootmisc fsck hostname localmount netmount swap urandom ${CONF-${OS}} +CONF= bootmisc fsck hostname localmount netmount swap ${CONF-${OS}} ifeq (${MKNET},yes) CONF+= network staticroute @@ -10,11 +10,11 @@ endif MK= ../mk include ${MK}/os.mk -CONF-FreeBSD= ipfw modules moused powerd rarpd savecore syscons +CONF-FreeBSD= ipfw modules moused powerd rarpd savecore syscons urandom CONF-Linux= agetty consolefont devfs dmesg hwclock keymaps killprocs modules \ mtab net-online -CONF-NetBSD= moused rarpd savecore +CONF-NetBSD= moused rarpd savecore urandom include ${MK}/scripts.mk diff --git a/conf.d/meson.build b/conf.d/meson.build index ddb056a4..ce704180 100644 --- a/conf.d/meson.build +++ b/conf.d/meson.build @@ -7,7 +7,6 @@ conf_common = [ 'localmount', 'netmount', 'swap', - 'urandom', ] conf_net = [ @@ -23,6 +22,7 @@ conf_FreeBSD = [ 'rarpd', 'savecore', 'syscons', + 'urandom', ] conf_Linux = [ @@ -36,12 +36,14 @@ conf_Linux = [ 'modules', 'mtab', 'net-online', + 'seedrng', ] conf_NetBSD = [ 'moused', 'rarpd', 'savecore', + 'urandom', ] conf_data = conf_common diff --git a/conf.d/seedrng b/conf.d/seedrng new file mode 100644 index 00000000..61670504 --- /dev/null +++ b/conf.d/seedrng @@ -0,0 +1,17 @@ +# The convention in this file is to show the default settings +# commented out. +# +# Sometimes you want to have urandom start before "localmount" +# (say for crypt swap), so you will need to customize this +# behavior. If you have /var on a separate partition, make sure paths +# under /var are adjusted to point to locations on your +# root device. +# +# Set skip_credit to yes or true if you do not want seed files to +# actually credit the random number generator. +# For example, you should set this if you plan to replicate the file +# system image without removing the contents of ${seed_dir}. +# +# lock_file=/var/run/seedrng.lock +# seed_dir=/var/lib/seedrng +# skip_credit=no diff --git a/conf.d/urandom b/conf.d/urandom index 744e4f70..f721a249 100644 --- a/conf.d/urandom +++ b/conf.d/urandom @@ -2,11 +2,4 @@ # (say for crypt swap), so you will need to customize this # behavior. If you have /var on a separate partition, then # make sure this path lives on your root device somewhere. -seed_dir="/var/lib/seedrng" -lock_file="/var/run/seedrng.lock" - -# Set this to true if you do not want seed files to actually -# credit the RNG. Set this if you plan to replicate this -# file system image and do not have the wherewithal to first -# delete the contents of /var/lib/seedrng. -skip_credit="false" +urandom_seed="/var/lib/misc/random-seed" diff --git a/init.d/Makefile b/init.d/Makefile index c97aeda9..ee227f43 100644 --- a/init.d/Makefile +++ b/init.d/Makefile @@ -3,7 +3,7 @@ include ../mk/net.mk DIR= ${INITDIR} SRCS= bootmisc.in fsck.in hostname.in local.in localmount.in loopback.in \ netmount.in osclock.in root.in savecache.in swap.in swclock.in \ - sysctl.in runsvdir.in urandom.in s6-svscan.in ${SRCS-${OS}} + sysctl.in runsvdir.in s6-svscan.in ${SRCS-${OS}} BIN= ${OBJS} # Are we installing our network scripts? @@ -16,7 +16,7 @@ include ${MK}/os.mk # Generic BSD scripts SRCS-FreeBSD= hostid.in modules.in moused.in newsyslog.in pf.in rarpd.in \ - rc-enabled.in rpcbind.in savecore.in syslogd.in + rc-enabled.in rpcbind.in savecore.in syslogd.in urandom.in # These are FreeBSD specific SRCS-FreeBSD+= adjkerntz.in devd.in dumpon.in encswap.in ipfw.in \ mixer.in nscd.in powerd.in syscons.in @@ -24,11 +24,11 @@ SRCS-FreeBSD+= adjkerntz.in devd.in dumpon.in encswap.in ipfw.in \ SRCS-Linux= agetty.in binfmt.in devfs.in cgroups.in dmesg.in hwclock.in \ consolefont.in keymaps.in killprocs.in modules.in \ mount-ro.in mtab.in numlock.in procfs.in net-online.in save-keymaps.in \ - save-termencoding.in sysfs.in termencoding.in + save-termencoding.in seedrng.in sysfs.in termencoding.in # Generic BSD scripts SRCS-NetBSD= hostid.in moused.in newsyslog.in pf.in rarpd.in rc-enabled.in \ - rpcbind.in savecore.in syslogd.in + rpcbind.in savecore.in syslogd.in urandom.in # These are NetBSD specific SRCS-NetBSD+= devdb.in swap-blk.in ttys.in wscons.in diff --git a/init.d/meson.build b/init.d/meson.build index a34f1c35..ab4b27f4 100644 --- a/init.d/meson.build +++ b/init.d/meson.build @@ -15,7 +15,6 @@ init_common = [ 'swclock.in', 'sysctl.in', 'runsvdir.in', - 'urandom.in', 's6-svscan.in', ] @@ -44,6 +43,7 @@ init_Linux = [ 'net-online.in', 'save-keymaps.in', 'save-termencoding.in', + 'seedrng.in', 'sysfs.in', 'termencoding.in', ] @@ -58,6 +58,7 @@ init_BSD = [ 'rpcbind.in', 'savecore.in', 'syslogd.in', + 'urandom.in', ] init_FreeBSD = [ diff --git a/init.d/seedrng.in b/init.d/seedrng.in new file mode 100644 index 00000000..25e9ad13 --- /dev/null +++ b/init.d/seedrng.in @@ -0,0 +1,46 @@ +#!@SBINDIR@/openrc-run +# Copyright (c) 2007-2022 The OpenRC Authors. +# See the Authors file at the top-level directory of this distribution and +# https://github.com/OpenRC/openrc/blob/HEAD/AUTHORS +# +# This file is part of OpenRC. It is subject to the license terms in +# the LICENSE file found in the top-level directory of this +# distribution and at https://github.com/OpenRC/openrc/blob/HEAD/LICENSE +# This file may not be copied, modified, propagated, or distributed +# except according to the terms contained in the LICENSE file. + +description="Initializes the random number generator." + +depend() +{ + after clock + need localmount + keyword -docker -jail -lxc -openvz -prefix -systemd-nspawn + provide urandom +} + +seedrng_options() +{ + [ -n "${lock_file}" ] && + echo "--lock-file \"${lock_file}\"" + [ -n "${seed_dir}" ] && + echo "--seed-dir \"${seed_dir}\"" + rc_yesno "${skip_credit}" && + echo "--skip-credit" +} + +start() +{ + ebegin "Seeding random number generator" + seedrng $(seedrng_options) + eend $? "Error seeding random number generator" + return 0 +} + +stop() +{ + ebegin "Saving random number generator seed" + seedrng $(seedrng_options) + eend $? "Error saving random number generator seed" + return 0 +} diff --git a/init.d/urandom.in b/init.d/urandom.in index cda431fd..8b7072c1 100644 --- a/init.d/urandom.in +++ b/init.d/urandom.in @@ -9,10 +9,7 @@ # This file may not be copied, modified, propagated, or distributed # except according to the terms contained in the LICENSE file. -export SEEDRNG_SEED_DIR="${seed_dir:-/var/lib/seedrng}" -export SEEDRNG_LOCK_FILE="${lock_file:-/var/run/seedrng.lock}" -export SEEDRNG_SKIP_CREDIT="${skip_credit:-false}" -: ${urandom_seed:=${SEEDRNG_SEED_DIR}/../misc/random-seed} +: ${urandom_seed:=${URANDOM_SEED:-/var/lib/misc/random-seed}} description="Initializes the random number generator." depend() @@ -24,35 +21,33 @@ depend() save_seed() { + local psz=1 + + if [ -e /proc/sys/kernel/random/poolsize ]; then + : $(( psz = $(cat /proc/sys/kernel/random/poolsize) / 4096 )) + fi + ( # sub shell to prevent umask pollution umask 077 - dd if=/dev/urandom of="$urandom_seed" count=1 2>/dev/null + dd if=/dev/urandom of="$urandom_seed" count=${psz} 2>/dev/null ) } start() { - if [ "$RC_UNAME" = Linux ]; then - seedrng - else - [ -c /dev/urandom ] || return - if [ -f "$urandom_seed" ]; then - ebegin "Initializing random number generator" - cat "$urandom_seed" > /dev/urandom - eend $? "Error initializing random number generator" - fi - rm -f "$urandom_seed" && save_seed + [ -c /dev/urandom ] || return + if [ -f "$urandom_seed" ]; then + ebegin "Initializing random number generator" + cat "$urandom_seed" > /dev/urandom + eend $? "Error initializing random number generator" fi + rm -f "$urandom_seed" && save_seed return 0 } stop() { - if [ "$RC_UNAME" = Linux ]; then - seedrng - else - ebegin "Saving random seed" - save_seed - eend $? "Failed to save random seed" - fi + ebegin "Saving random seed" + save_seed + eend $? "Failed to save random seed" } diff --git a/runlevels/Makefile b/runlevels/Makefile index 73843d8b..8d8b8e9e 100644 --- a/runlevels/Makefile +++ b/runlevels/Makefile @@ -1,7 +1,7 @@ include ../mk/net.mk BOOT= bootmisc fsck hostname localmount loopback \ - root swap sysctl urandom ${BOOT-${OS}} + root swap sysctl ${BOOT-${OS}} DEFAULT= local netmount NONETWORK= local SHUTDOWN= savecache ${SHUTDOWN-${OS}} @@ -29,20 +29,20 @@ BOOT-${OS}= SHUTDOWN-${OS}= SYSINIT-${OS}= -BOOT-BSD= hostid newsyslog savecore syslogd swap-blk +BOOT-BSD= hostid newsyslog savecore syslogd swap-blk urandom # Generic BSD stuff -BOOT-FreeBSD+= hostid modules newsyslog savecore syslogd +BOOT-FreeBSD+= hostid modules newsyslog savecore syslogd urandom # FreeBSD specific stuff BOOT-FreeBSD+= adjkerntz dumpon syscons BOOT-Linux+= binfmt hwclock keymaps modules mtab procfs save-keymaps \ - save-termencoding termencoding + save-termencoding seedrng termencoding SHUTDOWN-Linux= killprocs mount-ro SYSINIT-Linux= devfs cgroups dmesg sysfs # Generic BSD stuff -BOOT-NetBSD+= hostid newsyslog savecore syslogd +BOOT-NetBSD+= hostid newsyslog savecore syslogd urandom # NetBSD specific stuff BOOT-NetBSD+= devdb swap-blk ttys wscons diff --git a/tools/meson_runlevels.sh b/tools/meson_runlevels.sh index e24c2e2e..1473d4e2 100755 --- a/tools/meson_runlevels.sh +++ b/tools/meson_runlevels.sh @@ -24,11 +24,11 @@ case "${os}" in ;; esac -boot="bootmisc fsck hostname localmount loopback root swap sysctl urandom" +boot="bootmisc fsck hostname localmount loopback root swap sysctl" if [ "${net}" = yes ]; then boot="${boot} network staticroute" fi -boot_BSD="hostid newsyslog savecore syslogd" +boot_BSD="hostid newsyslog savecore syslogd urandom" case "${os}" in DragonFly) @@ -39,7 +39,7 @@ case "${os}" in ;; Linux) boot="${boot} binfmt hwclock keymaps modules mtab procfs - save-keymaps save-termencoding termencoding" + save-keymaps save-termencoding seedrng termencoding" ;; NetBSD) boot="${boot} ${boot_BSD} devdb swap-blk tys wscons"