Why almost every command is trying to read urandom?

Michael Conrad mconrad at intellitree.com
Tue Nov 12 21:12:03 UTC 2019 

On 11/12/19 2:47 PM, Mauro Condarelli wrote:
> In a recent kernel(5.x) / Buildroot / Busybox for an embedded system 
> (mips/MT7628, if it matters) I see TONS of:
> |random: mount: uninitialized urandom read (4 bytes read) random: 
> fsck.vfat: uninitialized urandom read (4 bytes read) random: tar: 
> uninitialized urandom read (4 bytes read) (Complete startup log below) |

I hadn't noticed before, but I just checked and my busybox 1.11 is doing 
this (reading /dev/urandom on every single applet startup) but I have a 
later busybox 1.30 which does not.

    strace busybox echo 2>&1 | grep rand

> This stops when, after a while (up to 10min later!!) I finally see: |[ 
> 562.001438] random: crng init done |
>
> Two questions:
>
>  1. why does it take so long to initialize /dev/urandom?
>  2. for what reason |mount| or |tar| should try to use it in the first
>     place?
>
> Note: I did NOT have this problem with older kernels (3.x).
>
1. /dev/random needs to "collect entropy" from unpredictable things like 
scheduler timing, human input devices, etc. /dev/urandom is then a 
less-secure source of random which gets initialized from /dev/random 
once the kernel is confident that /dev/random is random enough.  There 
are various places throughout the kernel code that feed entropy into the 
random pool, so changing kernels can change how fast it initializes.  
Busybox doesn't really have anything to do with this.  There might be 
some kernel options you need to explore to get things to initialize 
faster; but making it initialize faster might also be less secure.  You 
also have the option of writing some init script to preserve entropy 
from the previous boot and seed it after the reboot (by writing to 
/dev/random)

2. For one of the copies of busybox I have on hand, it appears that it 
initializes srand() at the startup of every single applet.  I don't see 
a reference to /dev/urandom in the current busybox source that would 
have this effect, so either busybox fixed it, or the behavior was coming 
from a particular libc used to build busybox.  My busybox with that 
behavior is statically linked, and I don't recall which libc it was.  
Since you just got yours out of a Buildroot, you should be able to 
investigate that easier.

-Mike


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.busybox.net/pipermail/busybox/attachments/20191112/36969f64/attachment.html>

More information about the busybox mailing list