[systemd-devel] Why we need to read/save random seed?

Reindl Harald h.reindl at thelounge.net
Wed Jun 17 08:38:46 PDT 2015



On 17.06.2015 at 17:08, cee1 wrote:
> 2015-06-17 22:03 GMT+08:00 Lennart Poettering <lennart at poettering.net>:
>> On Wed, 17.06.15 20:21, cee1 (fykcee1 at gmail.com) wrote:
>>>
>>> What I mean is:
>>> 1. Load a saved seed to /dev/urandom.
>>> 2. The service read /dev/random, which will block until kernel thinks
>>> there's enough entropy - then the Random Number should be good?
>>> 3. Save the random number returned in step 2 on disk.
>>
>> Blocking at boot for this doesn't really sound like an option. But the
>> kernel does not provide us with any nice notifications about when the
>> RNG pool is complete. If we want to do this kind of polishing, then
>> that'd be great, but we'd need sane notifiers for that, blocking
>> syscalls are not an option.
>
> That doesn't mean blocking boot, but a service, let's say
> systemd-random-seed.service:
> 1. systemd-random-seed.service loads a seed from disk to /dev/urandom
> 2. systemd-random-seed.service tells systemd "I'm ready" (sd_notify())
> 3. Instead of quitting immediately, systemd-random-seed.service tries
> to read /dev/random, and it blocks ...
> 4. systemd-random-seed.service at last gets a 'good random number',
> and saves it on disk

* the purpose of systemd-random-seed.service is to seed
   /dev/random really at boot so that other services like
   sshd, vpn, webservers have a random source

* seeding /dev/random *followed* by sucking it out again
   has the same result as "systemctl mask systemd-random-seed.service"
   because if there is enough entropy it would not be needed and if
   not, after sucking it out again it's gone

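Added example, not code from this thread or from systemd itself: a minimal seed-file lifecycle of the kind the thread is arguing about, written in Python. It does what Reindl describes as the service's job (mix the saved seed into the pool at boot, then immediately save a fresh seed for the next boot) and deliberately does not block on /dev/random, in line with Lennart's objection. The seed size, the file names and the scratch file standing in for /dev/urandom are assumptions chosen so the example runs unprivileged; on a real system `urandom_path` would be `/dev/urandom`. Note that a plain write() to /dev/urandom mixes bytes in without crediting entropy, so the load step alone never makes a blocking /dev/random read finish sooner.

```python
import os
import stat
import tempfile

# Constructed seed size; the real size is a property of the kernel pool,
# not something this example needs to match.
SEED_BYTES = 512


def load_seed(seed_path, urandom_path="/dev/urandom"):
    """Mix a previously saved seed into the kernel pool.

    A plain write() to /dev/urandom mixes the bytes into the pool but does
    not credit any entropy, so this step on its own never makes a blocking
    read of /dev/random return sooner. Returns the seed that was loaded, or
    None if no seed file exists yet (first boot).
    """
    if not os.path.exists(seed_path):
        return None
    with open(seed_path, "rb") as f:
        seed = f.read()
    with open(urandom_path, "wb") as dev:
        dev.write(seed)
    return seed


def save_seed(seed_path, n=SEED_BYTES):
    """Write a fresh seed for the next boot, atomically and with mode 0600.

    The bytes come from os.urandom(), i.e. from the pool after mixing; the
    old seed file is never written back as-is, so no two boots start from
    the same seed even if the machine crashes right after this returns.
    """
    fresh = os.urandom(n)
    tmp = seed_path + ".tmp"
    fd = os.open(tmp, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(fresh)
        f.flush()
        os.fsync(f.fileno())
    os.replace(tmp, seed_path)  # atomic rename on POSIX
    return fresh


def refresh_seed(seed_path, urandom_path="/dev/urandom"):
    """One boot's worth of work: load the old seed, then save a new one."""
    old = load_seed(seed_path, urandom_path)
    new = save_seed(seed_path)
    return old, new


def seed_file_mode(seed_path):
    """Permission bits of the seed file (expected 0o600)."""
    return stat.S_IMODE(os.stat(seed_path).st_mode)


def run_demo(directory=None):
    """Simulate two boots against a scratch file standing in for /dev/urandom."""
    directory = directory or tempfile.mkdtemp()
    seed_path = os.path.join(directory, "random-seed")
    fake_urandom = os.path.join(directory, "fake-urandom")  # constructed stand-in
    open(fake_urandom, "wb").close()
    boot1 = refresh_seed(seed_path, fake_urandom)
    boot2 = refresh_seed(seed_path, fake_urandom)
    return {
        "boot1": boot1,
        "boot2": boot2,
        "mode": seed_file_mode(seed_path),
        "mixed_in_bytes": os.path.getsize(fake_urandom),
    }


if __name__ == "__main__":
    r = run_demo()
    print("first boot had no seed:", r["boot1"][0] is None)
    print("second boot loaded the seed saved by the first:",
          r["boot2"][0] == r["boot1"][1])
    print("second boot saved a different seed:", r["boot2"][1] != r["boot2"][0])
    print("seed file mode: %o" % r["mode"])
```

The two properties worth checking on a real deployment are the ones `run_demo` reports: the seed saved at boot N is the one loaded at boot N+1, and the seed saved at boot N+1 differs from it, so a seed never gets reused across boots; the 0600 mode matters because anyone who can read the seed file learns what was mixed into the pool.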