svn commit: r239569 - head/etc/rc.d

Doug Barton dougb at FreeBSD.org
Tue Sep 4 22:46:23 UTC 2012


On 09/04/2012 03:07 PM, Peter Jeremy wrote:
> On 2012-Sep-03 16:00:22 -0700, Doug Barton <dougb at freebsd.org> wrote:
>> The static files are provided as a means to stir the pool to unblock the
>> device at boot time.
> 
> As far as I can tell, this is no longer required. 

It always has been required in the sense that it improves the quality of
the random bits during and shortly after boot.

> Both the Yarrow and
> Nehemiah Padlock generators initialise to "seeded" and there is no
> provision (other than sysctl) to "unseed" them. 

That's a bit of a chimera, and I would prefer that Mark comment on that
if he so desires. :)

> Yarrow will begin
> collecting entropy as soon as the random device receives a MOD_LOAD
> event during kernel startup.

... assuming all of the defaults, yes. This is another reason I'm not
very concerned about replay attacks.

>> What if, instead of replacing /entropy, we add an additional file in
>> /var/db/entropy at boot time that is numerically 1 higher than
>> $entropy_save_num ?
> 
> That sounds like a reasonable idea.

Thanks. I am particularly interested in what David and Arthur have to
say about it.

>> (Note, I have to fix the rotation script to account
>> for this, but I have had "improve the rotation script" on my TODO list
>> for a long time now, and this is a good excuse for me to get a round
>> 'tuit.)
> 
> You might like to look at kern/134225 (which is misfiled, sorry).

I just grabbed that, thanks. I wish someone had brought that to my
attention sooner, but there you go. Overall I like the approach, but I
may rework the logic a bit. Thank you for suggesting it.

Doug


More information about the freebsd-security mailing list