Date: Tue, 13 Apr 2004 22:22:18 -0700
From: Brooks Davis
To: Robert Watson
cc: Chuck Swiger
cc: freebsd-current@freebsd.org
Subject: Re: dev/random
Message-ID: <20040414052218.GA21361@Odin.AC.HMC.Edu>
References: <407CA90B.4010208@mac.com>

On Wed, Apr 14, 2004 at 12:31:31AM -0400, Robert Watson wrote:
>
> On Tue, 13 Apr 2004, Chuck Swiger wrote:
>
> > > Consider a PC in a University's PC access hall/lab. Would you (paranoid
> > > as you are!) trust _anything_ on that machine's hard disk?
> >
> > I'm not paranoid...they really are out to get me. :-) [1]
> >
> > Anyway, in the circumstances pertaining to this thread, aren't we
> > talking about diskless clients in a university lab, and an
> > access-controlled fileserver locked away in a rack somewhere which has
> > the disks?
>
> I have to say that if you're loading your kernel out of TFTP, and your
> root file system is running out of NFS, the chances are you won't mind
> loading /entropy out of NFS.

It's probably reasonable to try pulling data from /entropy while
bootstrapping, but in a diskless environment, unless you add some sort
of regeneration scheme to the server, you may be worse off than if you'd
just stuck with the output of various commands. At least /bin/date
produces different output each time you boot...

I'll admit that for the security model on my diskless cluster, I could
happily seed my PRNG with the output of a decently random version of
chargen on the boot server. If only we had netcat in the base. :-)

> Sounds like a tunable is called for that can be turned on in that
> environment, and possibly a console warning if the system is stalled >1
> second during boot waiting on entropy...

I like the idea of a console warning on blocked reads of /dev/random.

One issue we hit recently is that we don't enable any of the harvesters
until initrandom is run. We may want to enable them by default and have
initrandom disable them based on rc.conf settings rather than the other
way around.

-- Brooks

-- 
Any statement of the form "X is the one, true Y" is FALSE.
PGP fingerprint 655D 519C 26A7 82E7 2529 9BF0 5D8E 8BE9 F238 1AD4
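Added example (not part of the original message, and not FreeBSD's own code): one form the server-side regeneration scheme mentioned above could take, rewriting each diskless client's seed file on the file server so that successive boots do not read the same bytes. The export layout `<root>/<client>/entropy`, the 4096-byte seed size, the default source and the function names are assumptions.

```shell
#!/bin/sh
# Assumed layout (hypothetical): <export_root>/<client>/entropy, one
# directory per diskless client, served to that client over NFS.
SEED_BYTES=4096                       # assumed seed size
: "${SEED_SOURCE:=/dev/urandom}"      # assumed source on the file server

# regen_seed CLIENT_ROOT
# Replace CLIENT_ROOT/entropy with fresh bytes. The new seed is written to
# a temporary file and renamed into place, so a client booting during the
# update reads either the old seed or the new one, never a partial file.
regen_seed() {
    dir=$1
    tmp="$dir/.entropy.$$"
    # Subshell keeps the restrictive umask local; the seed is owner-only.
    if ! ( umask 077; dd if="$SEED_SOURCE" of="$tmp" bs="$SEED_BYTES" \
            count=1 2>/dev/null ); then
        rm -f "$tmp"
        return 1
    fi
    # A short read would hand the client a weak seed: reject it and keep
    # the previous file instead.
    size=$(wc -c < "$tmp" | tr -d ' ')
    if [ "$size" -ne "$SEED_BYTES" ]; then
        rm -f "$tmp"
        return 1
    fi
    mv -f "$tmp" "$dir/entropy"
}

# regen_all EXPORT_ROOT
# Refresh every client directory; returns non-zero if any refresh failed.
regen_all() {
    failed=0
    for client in "$1"/*/; do
        [ -d "$client" ] || continue
        if ! regen_seed "${client%/}"; then
            echo "seed refresh failed: $client" >&2
            failed=1
        fi
    done
    return "$failed"
}

# Stand-alone use: sh regen.sh /path/to/export_root
if [ $# -gt 0 ]; then regen_all "$1"; fi
```

The seed only differs between boots if this runs at least once per client reboot, for example from a periodic job on the server.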