[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [PATCH 0/1] Improvements to urandom-seed service
|
From: |
Ludovic Courtès |
|
Subject: |
Re: [PATCH 0/1] Improvements to urandom-seed service |
|
Date: |
Sun, 05 Jun 2016 00:47:56 +0200 |
|
User-agent: |
Gnus/5.13 (Gnus v5.13) Emacs/24.5 (gnu/linux) |
Leo Famulari <address@hidden> skribis:
> I read more on the subject of seeding /dev/urandom [0] and I found that
> our service should be improved.
>
> We should "refresh" the seed unconditionally in 'start', after we use it
> to seed /dev/urandom [1]. This way, if there is no clean shut down, the
> next boot does not re-use the same seed. At first boot, this "refreshed"
> seed may not be of great quality, since we have not seeded /dev/urandom
> yet, but it's better than the possibility of a 2nd boot with no seeding
> at all.
>
> This is recommended in the example in random(4) and the Linux code
> comments [2]. I missed this before.
OK, makes sense.
> Currently, we make sure the seed exists with appropriate permissions
> during activation.
>
> If we refresh the seed in 'start', we can ensure it exists before
> refreshing it. Since 'stop' also creates the seed file, we might as well
> remove the activation code entirely... right?
Right.
> In that case, we also need to do mkdir-p in 'stop', to be sure.
Can’t hurt. ;-)
> * gnu/services/base.scm (urandom-seed-shepherd-service): Refresh the random
> seed unconditionally at boot. Ensure directory structure for %random-seed-file
> exists when shutting down.
> (%urandom-seed-activation): Remove variable.
> (urandom-seed-service-type): Remove deleted variable from list of extensions.
LGTM.
Thanks!
Ludo’.