svn commit: r345744 - in head/libexec: rc/rc.d save-entropy
Conrad Meyer
cem at FreeBSD.org
Tue Sep 3 14:06:15 UTC 2019
Author: cem
Date: Sun Mar 31 04:57:50 2019
New Revision: 345744
URL: https://svnweb.freebsd.org/changeset/base/345744
Log:
random(4): Attempt to persist entropy promptly
The goal of saving entropy in Fortuna is two-fold: (1) to provide early
availability of the random device (unblocking) on next boot; and (2), to
have known, high-quality entropy available for that initial seed. We know
it is high quality because it's output taken from Fortuna.
The FS&K paper makes it clear that Fortuna unblocks when enough bits have
been input that the output //may// be safely seeded. But they emphasize
that the quality of various entropy sources is unknown, and a saved entropy
file is essential for both availability and ensuring initial
unpredictability.
In FreeBSD we persist entropy using two mechanisms:
1. The /etc/rc.d/random shutdown() function, which is used for ordinary
shutdowns and reboots; and,
2. A cron job that runs every dozen minutes or so to persist new entropy, in
case the system suffers from power loss or a crash (bypassing the
ordinary shutdown path).
Filesystems are free to cache dirty data indefinitely, with arbitrary flush
policy. Fsync must be used to ensure the data is persisted, especially for
the cron job save-entropy, whose entire goal is power loss and crash safe
entropy persistence.
Ordinary shutdown may not need the fsync because unmount should flush out
the dirty entropy file shortly afterwards. But it is always possible power
loss or crash occurs during the short window after rc.d/random shutdown runs
and before the filesystem is unmounted, so the additional fsync there seems
harmless.
PR: 230876
Reviewed by: delphij, markj, markm
Approved by: secteam (delphij)
Differential Revision: https://reviews.freebsd.org/D19742
Modified:
head/libexec/rc/rc.d/random
head/libexec/save-entropy/save-entropy.sh
Modified: head/libexec/rc/rc.d/random
==============================================================================
--- head/libexec/rc/rc.d/random Sun Mar 31 04:24:51 2019 (r345743)
+++ head/libexec/rc/rc.d/random Sun Mar 31 04:57:50 2019 (r345744)
@@ -25,7 +25,8 @@ save_dev_random()
for f ; do
debug "saving entropy to $f"
dd if=/dev/random of="$f" bs=4096 count=1 status=none &&
- chmod 600 "$f"
+ chmod 600 "$f" &&
+ fsync "$f" "$(dirname "$f")"
done
umask ${oumask}
}
@@ -120,6 +121,9 @@ random_stop()
dd if=/dev/random of=${entropy_file_confirmed} \
bs=4096 count=1 2> /dev/null ||
warn 'write failed (unwriteable file or full fs?)'
+ fsync "${entropy_file_confirmed}" \
+ "$(dirname "${entropy_file_confirmed}")" \
+ 2> /dev/null
echo '.'
;;
esac
@@ -145,6 +149,9 @@ random_stop()
dd if=/dev/random of=${entropy_boot_file_confirmed} \
bs=4096 count=1 2> /dev/null ||
warn 'write failed (unwriteable file or full fs?)'
+ fsync "${entropy_boot_file_confirmed}" \
+ "$(dirname "${entropy_boot_file_confirmed}")" \
+ 2> /dev/null
echo '.'
;;
esac
Modified: head/libexec/save-entropy/save-entropy.sh
==============================================================================
--- head/libexec/save-entropy/save-entropy.sh Sun Mar 31 04:24:51 2019 (r345743)
+++ head/libexec/save-entropy/save-entropy.sh Sun Mar 31 04:57:50 2019 (r345744)
@@ -90,5 +90,6 @@ while [ ${n} -ge 1 ]; do
done
dd if=/dev/random of=saved-entropy.1 bs=${entropy_save_sz} count=1 2>/dev/null
+fsync saved-entropy.1 "."
exit 0
More information about the svn-src-all
mailing list