Date: Thu, 15 Apr 2004 15:48:09 +0100 From: Mark Murray <mark@grondar.org> To: Peter Jeremy <peterjeremy@optushome.com.au> Cc: freebsd-current@FreeBSD.ORG Subject: Re: dev/random Message-ID: <200404151448.i3FEm9In021190@grimreaper.grondar.org> In-Reply-To: Your message of "Wed, 14 Apr 2004 19:05:06 %2B1000." <20040414090506.GA25565@server.vk2pj.dyndns.org>
next in thread | previous in thread | raw e-mail | index | archive | help
Peter Jeremy writes: > On Tue, Apr 13, 2004 at 04:28:16PM -0700, Brooks Davis wrote: > >To be clear, the problem is not that you can't open /dev/random for > >read, it's that read() blocks until sufficent entropy arrives. It's > >worth noting that the quality of entropy needed in initdiskless is > >pretty minimal. rand() would actually be fine here other then the fact > >that use of rand should not be encouraged. > > If you don't need a great deal of entropy, you might be able to get > away with stirring in the time of day, CPU cycle counter[1], and maybe > time a couple of arbitrary disk seeks. If you had a _really_ cheap > stirring function, maybe stir in all of KVM (this should vary slightly > from boot to boot). This should be enough entropy to get to the > point where you can start loading or acquiring reasonable entropy. Check /etc/rc.d/*random* - we've been doing this for years. :-) > I recall being bitten on several occasions when I was trying to use > ed(1) in single user mode and having ed decide there wasn't enough > entropy to create its temporary file. > > Of course, the default behaviour of automatically building ssh host > keys as part of the boot sequence (when there's virtually no entropy > available) is probably undesirable. We understand the problem all too well. There are two conflicting parts; 1) Starting the device early enough and 2) making it secure (enough). Most of the entropy arguments involve, in effect, differing opinions on what "early enough" and "secure enough" mean. M -- Mark Murray iumop ap!sdn w,I idlaH
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200404151448.i3FEm9In021190>