add seedrng service for Linux

This moves urandom to *bsd only and adds seedrng as a separate service
for Linux.

This fixes #510
William Hubbs 2022-03-30 11:15:13 -05:00
parent df18158e60
commit 0fb11190fa
10 changed files with 101 additions and 47 deletions


@ -1,7 +1,7 @@
include ../mk/net.mk include ../mk/net.mk
DIR= ${CONFDIR} DIR= ${CONFDIR}
CONF= bootmisc fsck hostname localmount netmount swap urandom ${CONF-${OS}} CONF= bootmisc fsck hostname localmount netmount swap ${CONF-${OS}}
ifeq (${MKNET},yes) ifeq (${MKNET},yes)
CONF+= network staticroute CONF+= network staticroute
@ -10,11 +10,11 @@ endif
MK= ../mk MK= ../mk
include ${MK}/os.mk include ${MK}/os.mk
CONF-FreeBSD= ipfw modules moused powerd rarpd savecore syscons CONF-FreeBSD= ipfw modules moused powerd rarpd savecore syscons urandom
CONF-Linux= agetty consolefont devfs dmesg hwclock keymaps killprocs modules \ CONF-Linux= agetty consolefont devfs dmesg hwclock keymaps killprocs modules \
mtab net-online mtab net-online
CONF-NetBSD= moused rarpd savecore CONF-NetBSD= moused rarpd savecore urandom
include ${MK}/scripts.mk include ${MK}/scripts.mk
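Review bot: `CONF-Linux` in the second hunk is identical on both sides, so the make-based build does not appear to install the new `conf.d/seedrng`, whereas the meson list `conf_Linux` in this commit gains `'seedrng'`. If the two build systems are meant to stay in step, the continuation line should read `mtab net-online seedrng`. Without the installed conf.d file an administrator has no documented place to set `skip_credit`, which matters for images that are cloned with their seed directory intact.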


@ -7,7 +7,6 @@ conf_common = [
'localmount', 'localmount',
'netmount', 'netmount',
'swap', 'swap',
'urandom',
] ]
conf_net = [ conf_net = [
@ -23,6 +22,7 @@ conf_FreeBSD = [
'rarpd', 'rarpd',
'savecore', 'savecore',
'syscons', 'syscons',
'urandom',
] ]
conf_Linux = [ conf_Linux = [
@ -36,12 +36,14 @@ conf_Linux = [
'modules', 'modules',
'mtab', 'mtab',
'net-online', 'net-online',
'seedrng',
] ]
conf_NetBSD = [ conf_NetBSD = [
'moused', 'moused',
'rarpd', 'rarpd',
'savecore', 'savecore',
'urandom',
] ]
conf_data = conf_common conf_data = conf_common

17
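--- a/conf.d/seedrng
+++ b/conf.d/seedrng
@@ -0,0 +1,17 @@
+# The convention in this file is to show the default settings
+# commented out.
+#
+# Sometimes you want to have urandom start before "localmount"
+# (say for crypt swap), so you will need to customize this
+# behavior. If you have /var on a separate partition, make sure paths
+# under /var are adjusted to point to locations on your
+# root device.
+#
+# Set skip_credit to yes or true if you do not want seed files to
+# actually credit the random number generator.
+# For example, you should set this if you plan to replicate the file
+# system image without removing the contents of ${seed_dir}.
+#
+# lock_file=/var/run/seedrng.lock
+# seed_dir=/var/lib/seedrng
+# skip_credit=no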
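Review bot: The second paragraph of this new file still describes the urandom service: it says "urandom" may need to start before "localmount", but the file configures seedrng, and the init script added in this commit declares `need localmount` in `depend()`, so nothing in this file can produce that ordering. Reword it for seedrng and either drop the start-before-localmount advice or say how the dependency is meant to be overridden. The `skip_credit` paragraph could also state the risk in one line, for example `# Copies of an image that share a seed file would otherwise all credit the same seed.`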


@ -2,11 +2,4 @@
# (say for crypt swap), so you will need to customize this # (say for crypt swap), so you will need to customize this
# behavior. If you have /var on a separate partition, then # behavior. If you have /var on a separate partition, then
# make sure this path lives on your root device somewhere. # make sure this path lives on your root device somewhere.
seed_dir="/var/lib/seedrng" urandom_seed="/var/lib/misc/random-seed"
lock_file="/var/run/seedrng.lock"
# Set this to true if you do not want seed files to actually
# credit the RNG. Set this if you plan to replicate this
# file system image and do not have the wherewithal to first
# delete the contents of /var/lib/seedrng.
skip_credit="false"


@ -3,7 +3,7 @@ include ../mk/net.mk
DIR= ${INITDIR} DIR= ${INITDIR}
SRCS= bootmisc.in fsck.in hostname.in local.in localmount.in loopback.in \ SRCS= bootmisc.in fsck.in hostname.in local.in localmount.in loopback.in \
netmount.in osclock.in root.in savecache.in swap.in swclock.in \ netmount.in osclock.in root.in savecache.in swap.in swclock.in \
sysctl.in runsvdir.in urandom.in s6-svscan.in ${SRCS-${OS}} sysctl.in runsvdir.in s6-svscan.in ${SRCS-${OS}}
BIN= ${OBJS} BIN= ${OBJS}
# Are we installing our network scripts? # Are we installing our network scripts?
@ -16,7 +16,7 @@ include ${MK}/os.mk
# Generic BSD scripts # Generic BSD scripts
SRCS-FreeBSD= hostid.in modules.in moused.in newsyslog.in pf.in rarpd.in \ SRCS-FreeBSD= hostid.in modules.in moused.in newsyslog.in pf.in rarpd.in \
rc-enabled.in rpcbind.in savecore.in syslogd.in rc-enabled.in rpcbind.in savecore.in syslogd.in urandom.in
# These are FreeBSD specific # These are FreeBSD specific
SRCS-FreeBSD+= adjkerntz.in devd.in dumpon.in encswap.in ipfw.in \ SRCS-FreeBSD+= adjkerntz.in devd.in dumpon.in encswap.in ipfw.in \
mixer.in nscd.in powerd.in syscons.in mixer.in nscd.in powerd.in syscons.in
@ -24,11 +24,11 @@ SRCS-FreeBSD+= adjkerntz.in devd.in dumpon.in encswap.in ipfw.in \
SRCS-Linux= agetty.in binfmt.in devfs.in cgroups.in dmesg.in hwclock.in \ SRCS-Linux= agetty.in binfmt.in devfs.in cgroups.in dmesg.in hwclock.in \
consolefont.in keymaps.in killprocs.in modules.in \ consolefont.in keymaps.in killprocs.in modules.in \
mount-ro.in mtab.in numlock.in procfs.in net-online.in save-keymaps.in \ mount-ro.in mtab.in numlock.in procfs.in net-online.in save-keymaps.in \
save-termencoding.in sysfs.in termencoding.in save-termencoding.in seedrng.in sysfs.in termencoding.in
# Generic BSD scripts # Generic BSD scripts
SRCS-NetBSD= hostid.in moused.in newsyslog.in pf.in rarpd.in rc-enabled.in \ SRCS-NetBSD= hostid.in moused.in newsyslog.in pf.in rarpd.in rc-enabled.in \
rpcbind.in savecore.in syslogd.in rpcbind.in savecore.in syslogd.in urandom.in
# These are NetBSD specific # These are NetBSD specific
SRCS-NetBSD+= devdb.in swap-blk.in ttys.in wscons.in SRCS-NetBSD+= devdb.in swap-blk.in ttys.in wscons.in


@ -15,7 +15,6 @@ init_common = [
'swclock.in', 'swclock.in',
'sysctl.in', 'sysctl.in',
'runsvdir.in', 'runsvdir.in',
'urandom.in',
's6-svscan.in', 's6-svscan.in',
] ]
@ -44,6 +43,7 @@ init_Linux = [
'net-online.in', 'net-online.in',
'save-keymaps.in', 'save-keymaps.in',
'save-termencoding.in', 'save-termencoding.in',
'seedrng.in',
'sysfs.in', 'sysfs.in',
'termencoding.in', 'termencoding.in',
] ]
@ -58,6 +58,7 @@ init_BSD = [
'rpcbind.in', 'rpcbind.in',
'savecore.in', 'savecore.in',
'syslogd.in', 'syslogd.in',
'urandom.in',
] ]
init_FreeBSD = [ init_FreeBSD = [

46
init.d/seedrng.in Normal file

@ -0,0 +1,46 @@
#!@SBINDIR@/openrc-run
# Copyright (c) 2007-2022 The OpenRC Authors.
# See the Authors file at the top-level directory of this distribution and
# https://github.com/OpenRC/openrc/blob/HEAD/AUTHORS
#
# This file is part of OpenRC. It is subject to the license terms in
# the LICENSE file found in the top-level directory of this
# distribution and at https://github.com/OpenRC/openrc/blob/HEAD/LICENSE
# This file may not be copied, modified, propagated, or distributed
# except according to the terms contained in the LICENSE file.
description="Initializes the random number generator."
depend()
{
after clock
need localmount
keyword -docker -jail -lxc -openvz -prefix -systemd-nspawn
provide urandom
}
seedrng_options()
{
[ -n "${lock_file}" ] &&
echo "--lock-file \"${lock_file}\""
[ -n "${seed_dir}" ] &&
echo "--seed-dir \"${seed_dir}\""
rc_yesno "${skip_credit}" &&
echo "--skip-credit"
}
start()
{
ebegin "Seeding random number generator"
seedrng $(seedrng_options)
eend $? "Error seeding random number generator"
return 0
}
stop()
{
ebegin "Saving random number generator seed"
seedrng $(seedrng_options)
eend $? "Error saving random number generator seed"
return 0
}
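Review bot: The escaped quotes that `seedrng_options` echoes around `${lock_file}` and `${seed_dir}` are not re-parsed after the unquoted `$(seedrng_options)` in `start()` and `stop()`, so seedrng receives the quote characters as part of the path, and a path containing whitespace is split into several arguments. With the defaults commented out in conf.d nothing is passed, so this only shows once an administrator sets a path; the seed could then be read from and written to a location other than the one configured. Building the argument list in the positional parameters keeps each value as a single word. Separately, `return 0` after `eend` reports success even when seedrng fails; if that is deliberate best-effort behaviour, a comment saying so would help.

```shell
# replaces seedrng_options(): collect the arguments in "$@" so each path stays one word
seedrng_run()
{
	set --
	[ -n "${lock_file}" ] && set -- "$@" --lock-file "${lock_file}"
	[ -n "${seed_dir}" ] && set -- "$@" --seed-dir "${seed_dir}"
	rc_yesno "${skip_credit}" && set -- "$@" --skip-credit
	seedrng "$@"
}

start()
{
	ebegin "Seeding random number generator"
	seedrng_run
	# … unchanged: eend and return 0 …
}
# … stop() calls seedrng_run the same way …
```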


@ -9,10 +9,7 @@
# This file may not be copied, modified, propagated, or distributed # This file may not be copied, modified, propagated, or distributed
# except according to the terms contained in the LICENSE file. # except according to the terms contained in the LICENSE file.
export SEEDRNG_SEED_DIR="${seed_dir:-/var/lib/seedrng}" : ${urandom_seed:=${URANDOM_SEED:-/var/lib/misc/random-seed}}
export SEEDRNG_LOCK_FILE="${lock_file:-/var/run/seedrng.lock}"
export SEEDRNG_SKIP_CREDIT="${skip_credit:-false}"
: ${urandom_seed:=${SEEDRNG_SEED_DIR}/../misc/random-seed}
description="Initializes the random number generator." description="Initializes the random number generator."
depend() depend()
@ -24,35 +21,33 @@ depend()
save_seed() save_seed()
{ {
local psz=1
if [ -e /proc/sys/kernel/random/poolsize ]; then
: $(( psz = $(cat /proc/sys/kernel/random/poolsize) / 4096 ))
fi
( # sub shell to prevent umask pollution ( # sub shell to prevent umask pollution
umask 077 umask 077
dd if=/dev/urandom of="$urandom_seed" count=1 2>/dev/null dd if=/dev/urandom of="$urandom_seed" count=${psz} 2>/dev/null
) )
} }
start() start()
{ {
if [ "$RC_UNAME" = Linux ]; then [ -c /dev/urandom ] || return
seedrng if [ -f "$urandom_seed" ]; then
else ebegin "Initializing random number generator"
[ -c /dev/urandom ] || return cat "$urandom_seed" > /dev/urandom
if [ -f "$urandom_seed" ]; then eend $? "Error initializing random number generator"
ebegin "Initializing random number generator"
cat "$urandom_seed" > /dev/urandom
eend $? "Error initializing random number generator"
fi
rm -f "$urandom_seed" && save_seed
fi fi
rm -f "$urandom_seed" && save_seed
return 0 return 0
} }
stop() stop()
{ {
if [ "$RC_UNAME" = Linux ]; then ebegin "Saving random seed"
seedrng save_seed
else eend $? "Failed to save random seed"
ebegin "Saving random seed"
save_seed
eend $? "Failed to save random seed"
fi
} }
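Review bot: In `save_seed`, `psz` becomes 0 whenever `/proc/sys/kernel/random/poolsize` exists and reports a value below 4096, and `dd ... count=${psz}` then writes an empty seed file that the next `start()` feeds to /dev/urandom as if it were a seed. The path is Linux procfs and this commit makes the script BSD-only, so the branch is probably never taken there, but a floor costs one line after the `fi`: `[ "${psz}" -ge 1 ] || psz=1`. The old/new side of these lines is inferred from the rendered split view, where `count=1` is on the left and `count=${psz}` on the right.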


@ -1,7 +1,7 @@
include ../mk/net.mk include ../mk/net.mk
BOOT= bootmisc fsck hostname localmount loopback \ BOOT= bootmisc fsck hostname localmount loopback \
root swap sysctl urandom ${BOOT-${OS}} root swap sysctl ${BOOT-${OS}}
DEFAULT= local netmount DEFAULT= local netmount
NONETWORK= local NONETWORK= local
SHUTDOWN= savecache ${SHUTDOWN-${OS}} SHUTDOWN= savecache ${SHUTDOWN-${OS}}
@ -29,20 +29,20 @@ BOOT-${OS}=
SHUTDOWN-${OS}= SHUTDOWN-${OS}=
SYSINIT-${OS}= SYSINIT-${OS}=
BOOT-BSD= hostid newsyslog savecore syslogd swap-blk BOOT-BSD= hostid newsyslog savecore syslogd swap-blk urandom
# Generic BSD stuff # Generic BSD stuff
BOOT-FreeBSD+= hostid modules newsyslog savecore syslogd BOOT-FreeBSD+= hostid modules newsyslog savecore syslogd urandom
# FreeBSD specific stuff # FreeBSD specific stuff
BOOT-FreeBSD+= adjkerntz dumpon syscons BOOT-FreeBSD+= adjkerntz dumpon syscons
BOOT-Linux+= binfmt hwclock keymaps modules mtab procfs save-keymaps \ BOOT-Linux+= binfmt hwclock keymaps modules mtab procfs save-keymaps \
save-termencoding termencoding save-termencoding seedrng termencoding
SHUTDOWN-Linux= killprocs mount-ro SHUTDOWN-Linux= killprocs mount-ro
SYSINIT-Linux= devfs cgroups dmesg sysfs SYSINIT-Linux= devfs cgroups dmesg sysfs
# Generic BSD stuff # Generic BSD stuff
BOOT-NetBSD+= hostid newsyslog savecore syslogd BOOT-NetBSD+= hostid newsyslog savecore syslogd urandom
# NetBSD specific stuff # NetBSD specific stuff
BOOT-NetBSD+= devdb swap-blk ttys wscons BOOT-NetBSD+= devdb swap-blk ttys wscons


@ -24,11 +24,11 @@ case "${os}" in
;; ;;
esac esac
boot="bootmisc fsck hostname localmount loopback root swap sysctl urandom" boot="bootmisc fsck hostname localmount loopback root swap sysctl"
if [ "${net}" = yes ]; then if [ "${net}" = yes ]; then
boot="${boot} network staticroute" boot="${boot} network staticroute"
fi fi
boot_BSD="hostid newsyslog savecore syslogd" boot_BSD="hostid newsyslog savecore syslogd urandom"
case "${os}" in case "${os}" in
DragonFly) DragonFly)
@ -39,7 +39,7 @@ case "${os}" in
;; ;;
Linux) Linux)
boot="${boot} binfmt hwclock keymaps modules mtab procfs boot="${boot} binfmt hwclock keymaps modules mtab procfs
save-keymaps save-termencoding termencoding" save-keymaps save-termencoding seedrng termencoding"
;; ;;
NetBSD) NetBSD)
boot="${boot} ${boot_BSD} devdb swap-blk tys wscons" boot="${boot} ${boot_BSD} devdb swap-blk tys wscons"