[Buildroot] [PATCH] package/haveged: Allow service to run early
post at lespocky.de
Mon Jun 8 08:38:29 UTC 2020
I'd like to hook in, because I had that topic on my desk lately
(although not with buildroot).
On Sun, Jun 07, 2020 at 10:36:18PM +0200, Norbert Lange wrote:
> > I mean... if it's not high grade entropy, it shouldn't credit the kernel entropy
> > pool, and if the user is ok with unreliable entropy, systemd-random-seed is
> > probably a faster way to get some.
> haveged is barely entropy, certainly not more than the kernel
> provides, it is a means to fake entropy. Gets you to boot faster.
Well, the system can boot faster, because haveged provides entropy
from unpredictable internal CPU states. It's not just another PRNG.
> systemd-random-seed needs a filesystem to store stuff, does not credit
> the entropy pool (by default).. and won't help at all when booting the
> first time.
> I think what you have in mind is more like rng-tools, which feed real,
> quality entropy to the kernel.
rng-tools cannot do that by itself, but needs a real HWRNG or
something like jitterentropy-rng (which gets its entropy from CPU
execution timing jitter). So rng-tools alone doesn't help you,
especially if your hardware has no hwrng.
> The user should pick what he needs, haveged will never give you better
> entropy over the kernel or real HW sources, systemd-random-seed will
> not let you boot faster (by default).
I'm curious, where do you think the kernel gets entropy from? ;-)
What you all might find interesting: newer OpenSSL versions, I think
from some 1.1.1 bugfix release onwards, block until the kernel has
initialized its crng. The upcoming (not yet released) dropbear will
do that, too. Both don't rely on /dev/urandom for that but on the
getrandom(2) syscall IIRC. Without having looked in systemd source, I
would guess they do something similar?
So, it's complicated … ;-)
/"\ ASCII RIBBON | »With the first link, the chain is forged. The first
\ / CAMPAIGN | speech censured, the first thought forbidden, the
X AGAINST | first freedom denied, chains us all irrevocably.«
/ \ HTML MAIL | (Jean-Luc Picard, quoting Judge Aaron Satie)