[Buildroot] [PATCH] package/haveged: Allow service to run early

Jérémy ROSEN jeremy.rosen at smile.fr
Mon Jun 8 14:14:00 UTC 2020


On Mon, 8 Jun 2020 at 10:38, Alexander Dahl <post at lespocky.de> wrote:

> Hei hei,
>
> I'd like to hook in, because I had that topic on my desk lately
> (although not with buildroot).
>
> On Sun, Jun 07, 2020 at 10:36:18PM +0200, Norbert Lange wrote:
> > > I mean... if it's not high grade entropy, it shouldn't credit the kernel entropy
> > > pool, and if the user is ok with unreliable entropy, systemd-random-seed is
> > > probably a faster way to get some.
> >
> >
> > haveged is barely entropy, certainly not more than the kernel
> > provides, it is a means to fake entropy. Gets you to boot faster.
>
> Well, the system can boot faster, because haveged provides entropy
> from unpredictable internal CPU states. It's not just another PRNG.
>

Oh. I didn't know that... interesting

So. haveged provides high quality entropy to the kernel.
That entropy is probably credited (unlike systemd-random-seed).
So it is even more important that it is ordered before systemd-random-seed.

> > systemd-random-seed needs a filesystem to store stuff, does not credit
> > the entropy pool (by default).. and won't help at all when booting the
> > first time.
> >
> > I think what you have in mind is more like rng-tools, which feed real,
> > quality entropy to the kernel.
>
> rng-tools can not do that by itself, but needs a real HWRNG or
> something like jitterentropy-rng (which gets its entropy from CPU
> execution timing jitter). So rng-tools alone doesn't help you,
> especially if your hardware has no hwrng.
>
> > The user should pick what he needs, haveged will never give you better
> > entropy over the kernel or real HW sources,  systemd-random-seed will
> > not let you boot faster (by default).
>
> I'm curious, where do you think the kernel gets entropy from? ;-)
>
> What you all might find interesting: newer OpenSSL versions, I think
> from some 1.1.1 bugfix release onwards block until the kernel has
> initialized its crng.  The upcoming (not yet released) dropbear will
> do that, too. Both don't rely on /dev/urandom for that but on the
> getrandom(2) syscall IIRC. Without having looked in systemd source, I
> would guess they do something similar?
>

Yes it's exactly that. systemd-random-seed will block until urng is ready so
other services don't have to do that themselves (it makes sense for
dropbear/openssl to do that themselves anyway, for the non-systemd case,
but in a systemd-based distro, they won't wait because systemd-random-seed
will already have done the waiting).

So at this point, I am more and more convinced that haveged must be
ordered before systemd-random-seed. Not doing so is incorrect. At best
it will work by luck and at worst the entropy provided by haveged will
arrive too late.

On a read-only filesystem, systemd-random-seed will not read the file and
feed entropy (which is not credited anyway) but it will still block the boot
and thus ensure that any "normal" (post sysinit) daemon will have proper urng.

Please add the Before=; it has no ill effect AFAICT, and not doing so might
prevent faster boots in the very cases where you try to avoid it.

Regards.
Jeremy



> So, it's complicated … ;-)
>
> Greets
> Alex
>
> --
> /"\ ASCII RIBBON | »With the first link, the chain is forged. The first
> \ / CAMPAIGN     | speech censured, the first thought forbidden, the
>  X  AGAINST      | first freedom denied, chains us all irrevocably.«
> / \ HTML MAIL    | (Jean-Luc Picard, quoting Judge Aaron Satie)


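The getrandom(2) behaviour discussed in this thread, as an added example that is not part of the original message or of the Buildroot patch: a non-blocking probe that reports whether the kernel CRNG is initialized yet, next to the blocking read that waits for it. The helper names `crng_ready` and `fill_random` are hypothetical, and the code assumes Linux with a glibc that provides `<sys/random.h>`.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/random.h>
#include <sys/types.h>

/* Non-blocking probe of the kernel CRNG (helper name is hypothetical).
 * Returns 1 if initialized, 0 if not yet seeded (EAGAIN), -1 on any
 * other error such as ENOSYS on kernels without getrandom(2). */
int crng_ready(void)
{
    unsigned char b;
    ssize_t n;

    do {
        n = getrandom(&b, sizeof b, GRND_NONBLOCK);
    } while (n < 0 && errno == EINTR);

    if (n == (ssize_t)sizeof b)
        return 1;
    return errno == EAGAIN ? 0 : -1;
}

/* Blocking fill (helper name is hypothetical): with flags == 0 the call
 * waits until the CRNG has been initialized, which is the behaviour the
 * thread describes for newer OpenSSL and dropbear. Returns 0 or -1. */
int fill_random(unsigned char *buf, size_t len)
{
    size_t off = 0;

    while (off < len) {
        ssize_t n = getrandom(buf + off, len - off, 0);
        if (n < 0) {
            if (errno == EINTR)
                continue;
            return -1;
        }
        off += (size_t)n;
    }
    return 0;
}

int main(void)
{
    unsigned char key[32];
    printf("CRNG ready before blocking read: %d\n", crng_ready());
    if (fill_random(key, sizeof key) != 0) { perror("getrandom"); return 1; }
    printf("read %zu bytes, CRNG ready now: %d\n", sizeof key, crng_ready());
    return 0;
}
```

Run early in boot, a first line of `0` means any service making the blocking call at that point would stall until an entropy source has credited the pool.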