<div dir="ltr"><div dir="ltr"><br></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">Le lun. 8 juin 2020 à 10:38, Alexander Dahl <<a href="mailto:post@lespocky.de">post@lespocky.de</a>> a écrit :<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Hei hei,<br>
<br>
I'd like to hook in, because I had that topic on my desk lately<br>
(although not with buildroot).<br>
<br>
On Sun, Jun 07, 2020 at 10:36:18PM +0200, Norbert Lange wrote:<br>
> > I mean... if it's not high grade entropy, it shouldn't credit the kernel entropy<br>
> > pool,and if the user is ok with unreliable entropy, systemd-random-seed is<br>
> > probably a faster way to get some.<br>
> <br>
> <br>
> haveged is barely entropy, certainly not more than the kernel<br>
> provides, it is a means to fake entropy. Gets you to boot faster.<br>
<br>
Well, the system can boot faster, because haveged provides entropy<br>
from unpredictable internal CPU states. It's not just another PRNG.<br>
<br></blockquote><div>Oh. I didn't know that... interesting</div><div><br></div><div>So. haveged provides high quality entropy to the kernel. </div><div>That entropy is probably credited (unlike systemd-random-seed)</div><div>So it is even more important that it is ordered before systemd-random-seed.</div><div><br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
> systemd-random-seed needs a filesystem to store stuff, does not credit<br>
> the entropy pool (by default).. and won't help at all when booting the<br>
> first time.<br>
></blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"> <br>
> I think what you have in mind is more like rng-tools, which feed real,<br>
> quality entropy to the kernel.<br>
<br>
rng-tools can not do that by itself, but needs a real HWRNG or<br>
something like jitterentropy-rng (which gets its entropy from CPU<br>
execution timing jitter). So rng-tools alone doesn't help you,<br>
especially if your hardware has no hwrng.<br>
<br>
> The user should pick what he needs, haveged will never give you better<br>
> entropy over the kernel or real HW sources, systemd-random-seed will<br>
> not let you boot faster (by default).<br>
<br>
I'm curious, where do you think the kernel gets entropy from? ;-)<br>
<br>
What you all might find interesting: newer OpenSSL versions, I think<br>
from some 1.1.1 bugfix release onwards block until the kernel has<br>
initialized its crng. The upcoming (not yet released) dropbear will<br>
do that, too. Both don't rely on /dev/urandom for that but on the<br>
getrandom(2) syscall IIRC. Without having looked in systemd source, I<br>
would guess they do something similar?<br>
<br></blockquote><div>Yes it's exactly that. systemd-random-seed will block until urng is ready so</div><div>other services don't have to do that themselves (it makes sense for</div><div>dropbear/openssl to do that themselves anyway, for the non-systemd case,</div><div> but in a systemd-based distro, they won't wait because systemd-random-seed</div><div> will already have done the waiting)</div><div><br></div><div>So at this point, I am more and more convinced that haveged must be </div><div>ordered before systemd-random-seed. Not doing so is incorrect. At best </div><div>it will work by luck and at worst the entropy provided by haveged will arrive</div><div>too late.</div><div><br></div><div>On a read-only filesystem, systemd-random-seed will not read the file and feed</div><div>entropy (which is not credited anyway) but it will still block the boot and thus </div><div>ensure that any "normal" (post sysinit) daemon will have proper urng.</div><div><br></div><div>Please add the Before= it has no ill effect AFAICT and not doing so might </div><div>prevent faster boots in the very cases where you try to avoid it.</div><div><br></div><div>Regards.</div><div>Jeremy</div><div><br></div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
So, it's complicated … ;-)<br>
<br>
Greets<br>
Alex<br>
<br>
-- <br>
/"\ ASCII RIBBON | »With the first link, the chain is forged. The first<br>
\ / CAMPAIGN | speech censured, the first thought forbidden, the<br>
X AGAINST | first freedom denied, chains us all irrevocably.«<br>
/ \ HTML MAIL | (Jean-Luc Picard, quoting Judge Aaron Satie)<br>
_______________________________________________<br>
buildroot mailing list<br>
<a href="mailto:buildroot@busybox.net" target="_blank">buildroot@busybox.net</a><br>
<a href="http://lists.busybox.net/mailman/listinfo/buildroot" rel="noreferrer" target="_blank">http://lists.busybox.net/mailman/listinfo/buildroot</a><br>
</blockquote></div><br clear="all"><div><br></div>-- <br><div dir="ltr" class="gmail_signature"><div dir="ltr"><div><div dir="ltr"><table border="0" style="border-collapse:collapse;border-spacing:0px;color:rgb(51,51,51);font-family:Raleway,regular;font-size:14px;padding:20px"><tbody><tr><td style="padding:0px 30px 0px 0px;font-size:13px;color:rgb(255,128,84);text-align:center"><a href="http://www.smile.eu/" style="background-color:transparent;color:rgb(221,72,20)" target="_blank"><img src="http://ftp.smile.fr/client/Communication/signature/img/Logo-new.png" alt="SMILE" style="border: 0px; vertical-align: middle; max-width: 100%; height: auto;"> </a><br><br><p style="margin:0px 0px 10px">20 rue des Jardins<br>92600 Asnières-sur-Seine</p></td><td style="padding:0px 0px 0px 20px;border-left:1px solid rgb(59,127,254);font-size:13px;color:rgb(255,128,84)"><div style="font-size:14px"><b>Jérémy ROSEN</b></div><div style="color:rgb(59,127,254)">Architecte technique<br></div><br><div style="color:rgb(59,127,254)"><span style="white-space:nowrap"><img src="http://ftp.smile.fr/client/Communication/signature/img/mail.png" alt="email" width="12" height="10" style="border: 0px; vertical-align: middle; margin-right: 5px;"> <a href="mailto:jeremy.rosen@smile.fr" style="background-color:transparent;color:rgb(59,127,254)" target="_blank">jeremy.rosen@smile.fr</a> </span><br><span style="white-space:nowrap"><img src="http://ftp.smile.fr/client/Communication/signature/img/phone.png" alt="phone" width="10" height="10" style="border: 0px; vertical-align: middle; margin-right: 5px;"></span> +33 6 88 25 87 42 <br><span style="white-space:nowrap"><img src="http://ftp.smile.fr/client/Communication/signature/img/web.png" alt="url" width="12" height="12" style="border: 0px; vertical-align: middle; margin-right: 5px;"> <a href="http://www.smile.eu/" style="background-color:transparent;color:rgb(59,127,254)" target="_blank">http://www.smile.eu</a></span></div><br><div><span><a href="https://twitter.com/GroupeSmile" style="background-color:transparent;color:rgb(221,72,20);margin-right:5px" target="_blank"><img src="http://ftp.smile.fr/client/Communication/signature/img/rs-twitter.png" alt="Twitter" style="border: 0px; vertical-align: middle; max-width: 100%; height: auto;"></a></span> <span><a href="https://www.facebook.com/smileopensource" style="background-color:transparent;color:rgb(221,72,20);margin-right:5px" target="_blank"><img src="http://ftp.smile.fr/client/Communication/signature/img/rs-facebook.png" alt="Facebook" style="border: 0px; vertical-align: middle; max-width: 100%; height: auto;"></a></span> <span><a href="https://www.linkedin.com/company/smile" style="background-color:transparent;color:rgb(221,72,20);margin-right:5px" target="_blank"><img src="http://ftp.smile.fr/client/Communication/signature/img/rs-linkedin.png" alt="LinkedIn" style="border: 0px; vertical-align: middle; max-width: 100%; height: auto;"></a></span> <span><a href="https://github.com/Smile-SA" style="background-color:transparent;color:rgb(221,72,20);margin-right:5px" target="_blank"><img src="http://ftp.smile.fr/client/Communication/signature/img/rs-github.png" alt="Github" style="border: 0px; vertical-align: middle; max-width: 100%; height: auto;"></a></span></div></td></tr></tbody></table><br style="color:rgb(51,51,51);font-family:Raleway,regular;font-size:14px"><div style="color:rgb(51,51,51);font-family:Raleway,regular;font-size:14px"><a href="https://www.smile.eu/fr/publications/livres-blancs/yocto?utm_source=signature&utm_medium=email&utm_campaign=signature" style="background-color:transparent;color:rgb(221,72,20)" target="_blank"><img src="https://signature.smile.eu/assets/img/bandeaux_signature_mail_yocto.gif.gif" alt="Découvrez l’univers Smile, rendez-vous sur smile.eu" border="0" style="border: 0px; vertical-align: middle;"></a></div></div></div></div></div></div>