[Buildroot] [PATCH] package/haveged: Allow service to run early

Jérémy ROSEN jeremy.rosen at smile.fr
Mon Jun 8 22:50:16 UTC 2020


Thx. an After= would indeed be completely wrong (and
it did cause a multi minute boot-delay  and was
removed.

Unfortunately, apart from that there is no real rational about
why this After= was added in the first place and it is not related
to our discussion (we want to add a Before=)

Thx for the search, though...

Le lun. 8 juin 2020 à 23:34, Peter Seiderer <ps.report at gmx.net> a écrit :

> Hello Jérémy, Norbert, Alexander,
>
> On Mon, 8 Jun 2020 16:14:00 +0200, Jérémy ROSEN <jeremy.rosen at smile.fr>
> wrote:
>
> > Le lun. 8 juin 2020 à 10:38, Alexander Dahl <post at lespocky.de> a écrit :
> >
> > > Hei hei,
> > >
> > > I'd like to hook in, because I had that topic on my desk lately
> > > (although not with buildroot).
> > >
> > > On Sun, Jun 07, 2020 at 10:36:18PM +0200, Norbert Lange wrote:
> > > > > I mean... if it's not high grade entropy, it shouldn't credit the
> > > kernel entropy
> > > > > pool,and if the user is ok with unreliable entropy,
> > > systemd-random-seed is
> > > > > probably a faster way to get some.
> > > >
> > > >
> > > > haveged is barely entropy, certainly not more than the kernel
> > > > provides, it is a means to fake entropy. Gets you to boot faster.
> > >
> > > Well, the system can boot faster, because haveged provides entropy
> > > from unpredictable internal CPU states. It's not just another PRNG.
> > >
> > > Oh. I didn't know that... interesting
> >
> > So. haveged provides high quality entropy to the kernel.
> > That entropy is probably credited (unlike systemd-random-seed)
> > So it is even more important that it is ordered before
> systemd-random-seed.
> >
> > > systemd-random-seed needs a filesystem to store stuff, does not
> credit
> > > > the entropy pool (by default).. and won't help at all when booting
> the
> > > > first time.
> > > >
> >
> >
> > > > I think what you have in mind is more like rng-tools, which feed
> real,
> > > > quality entropy to the kernel.
> > >
> > > rng-tools can not do that by itself, but needs a real HWRNG or
> > > something like jitterentropy-rng (which gets its entropy from CPU
> > > execution timing jitter). So rng-tools alone doesn't help you,
> > > especially if your hardware has no hwrng.
> > >
> > > > The user should pick what he needs, haveged will never give you
> better
> > > > entropy over the kernel or real HW sources,  systemd-random-seed will
> > > > not let you boot faster (by default).
> > >
> > > I'm curious, where do you think the kernel gets entropy from? ;-)
> > >
> > > What you all might find interesting: newer OpenSSL versions, I think
> > > from some 1.1.1 bugfix release onwards block until the kernel has
> > > initialized its crng.  The upcoming (not yet released) dropbear will
> > > do that, too. Both don't rely on /dev/urandom for that but on the
> > > getrandom(2) syscall IIRC. Without having looked in systemd source, I
> > > would guess they do something similar?
> > >
> > > Yes it's exactly that. systemd-random-seed will block until urng is
> ready
> > so
> > other services don't have to do that themselves (it makes sense for
> > dropbear/openssl to do that themselves anyway, for the non-systemd case,
> >  but in a systemd-based distro, they won't wait because
> systemd-random-seed
> >  will already have done the waiting)
> >
> > So at this point,  I am more and more convinced that haveged must be
> > ordered before systemd-random-seed. Not doing so is incorrect. At best
> > it will work by luck and at worst the entropy provided by haveged will
> > arrive
> > too late.
> >
> > On a read-only filesystem, systemd-random-seed will not read the file and
> > feed
> > entropy (which is not credited anyway) but it will still block the boot
> and
> > thus
> > ensure that any "normal" (post sysinit) daemon will have proper urng.
> >
> > Please add the Before= it has no ill effect AFAICT and not doing so might
> > prevent faster boots in the very cases where you try to avoid it.
>
> Did not follow the thread in detail, but did a quick search for
> haveged and systemd, found two relevant hits [1], [2], debian
> (and other) had 'After=systemd-random-seed.service' but dropped
> it leaving only:
>
>     After=apparmor.service systemd-tmpfiles-setup.service
>     Before=sysinit.target shutdown.target
>
> Regards,
> Peter
>
> [1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=938939
> [2]
> https://salsa.debian.org/debian/haveged/-/merge_requests/1?commit_id=f92a246e53de88a346a2fb6dc770a624f0660bef
>
> >
> > Regards.
> > Jeremy
> >
> >
> >
> > > So, it's complicated … ;-)
> > >
> > > Greets
> > > Alex
> > >
> > > --
> > > /"\ ASCII RIBBON | »With the first link, the chain is forged. The first
> > > \ / CAMPAIGN     | speech censured, the first thought forbidden, the
> > >  X  AGAINST      | first freedom denied, chains us all irrevocably.«
> > > / \ HTML MAIL    | (Jean-Luc Picard, quoting Judge Aaron Satie)
> > > _______________________________________________
> > > buildroot mailing list
> > > buildroot at busybox.net
> > > http://lists.busybox.net/mailman/listinfo/buildroot
> > >
> >
> >
>
>

-- 
[image: SMILE]  <http://www.smile.eu/>

20 rue des Jardins
92600 Asnières-sur-Seine
*Jérémy ROSEN*
Architecte technique

[image: email] jeremy.rosen at smile.fr
[image: phone]  +33 6 88 25 87 42
[image: url] http://www.smile.eu

[image: Twitter] <https://twitter.com/GroupeSmile> [image: Facebook]
<https://www.facebook.com/smileopensource> [image: LinkedIn]
<https://www.linkedin.com/company/smile> [image: Github]
<https://github.com/Smile-SA>

[image: Découvrez l’univers Smile, rendez-vous sur smile.eu]
<https://www.smile.eu/fr/publications/livres-blancs/yocto?utm_source=signature&utm_medium=email&utm_campaign=signature>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.busybox.net/pipermail/buildroot/attachments/20200609/2121d8fb/attachment.html>


More information about the buildroot mailing list