guix-commits

01/01: services: urandom-seed: Try using a HWRNG to seed the Linux CRNG


From: Leo Famulari
Subject: 01/01: services: urandom-seed: Try using a HWRNG to seed the Linux CRNG at boot.
Date: Tue, 19 Dec 2017 11:31:36 -0500 (EST)

lfam pushed a commit to branch master
in repository guix.

commit 9a56cf2b5b4970843c215091ea9823a67e077310
Author: Leo Famulari <address@hidden>
Date:   Wed Dec 13 18:49:28 2017 -0500

    services: urandom-seed: Try using a HWRNG to seed the Linux CRNG at boot.
    
    * gnu/services/base.scm (urandom-seed-shepherd-service): Try to read from
    '/dev/hwrng' at boot, as a supplement to any saved random seed.
    * doc/guix.texi (Base Services): Document the new feature.
---
 doc/guix.texi         |  4 +++-
 gnu/services/base.scm | 18 ++++++++++++++++++
 2 files changed, 21 insertions(+), 1 deletion(-)

diff --git a/doc/guix.texi b/doc/guix.texi
index 3bb29db..6b6f8de 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -10025,7 +10025,9 @@ well as in the @var{groups} field of the 
@var{operating-system} record.
 
 @deffn {Scheme Procedure} urandom-seed-service
 Save some entropy in @var{%random-seed-file} to seed @file{/dev/urandom}
-when rebooting.
+when rebooting.  It also tries to seed @file{/dev/urandom} from
address@hidden/dev/hwrng} while booting, if @file{/dev/hwrng} exists and is
+readable.
 @end deffn
 
 @defvr {Scheme Variable} %random-seed-file
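Review bot: the line shown as `address@hidden/dev/hwrng} while booting, ...` has lost both its leading `+` and its `@file{` opener to the archive's address obfuscation (the same mangling visible in the `Author:` header), so as displayed it would not be valid Texinfo; confirm the committed source reads `+@file{/dev/hwrng} while booting, if @file{/dev/hwrng} exists and is`. The new sentence could also state that the attempt is best-effort and silent on failure, which is what the `(const #f)` handler in the base.scm change implements, so that readers do not expect a boot-time error when no hardware generator is present.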
diff --git a/gnu/services/base.scm b/gnu/services/base.scm
index 5e08927..a3654fd 100644
--- a/gnu/services/base.scm
+++ b/gnu/services/base.scm
@@ -516,6 +516,24 @@ stopped before 'kill' is called."
                           (call-with-output-file "/dev/urandom"
                             (lambda (urandom)
                               (dump-port seed urandom))))))
+
+                    ;; Try writing from /dev/hwrng into /dev/urandom.
+                    ;; It seems that the file /dev/hwrng always exists, even
+                    ;; when there is no hardware random number generator
+                    ;; available. So, we handle a failed read or any other 
error
+                    ;; reported by the operating system.
+                    (let ((buf (catch 'system-error
+                                 (lambda ()
+                                   (call-with-input-file "/dev/hwrng"
+                                     (lambda (hwrng)
+                                       (get-bytevector-n hwrng 512))))
+                                 ;; Silence is golden...
+                                 (const #f))))
+                      (when buf
+                        (call-with-output-file "/dev/urandom"
+                          (lambda (urandom)
+                            (put-bytevector urandom buf)))))
+
                     ;; Immediately refresh the seed in case the system doesn't
                     ;; shut down cleanly.
                     (call-with-input-file "/dev/urandom"
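Review bot: the `(when buf ...)` guard only filters out `#f`, but `get-bytevector-n` returns the EOF object when `/dev/hwrng` opens successfully and yields zero bytes; that is not a `system-error`, so the `(const #f)` handler does not apply, the EOF object is truthy, and `put-bytevector` would then raise outside the `catch`, aborting the service start. Use `(when (bytevector? buf) ...)` so both the failed-open and empty-read cases are skipped quietly as the comment intends. Separately, writing the 512 bytes into `/dev/urandom` mixes them into the kernel pool but, exactly like the `dump-port` of the saved seed above it, does not credit any entropy to the pool (that needs the `RNDADDENTROPY` ioctl), so the "seed" wording in the commit message and docs should be understood as mixing in additional input, not as unblocking `/dev/random` at boot.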


