public inbox for development@lists.ipfire.org
* Fixing problems installing IPFire on systems without randomness
@ 2020-04-29 19:33 Michael Tremer
  2020-04-29 19:33 ` [PATCH 1/2] random: Launch rngd earlier in the boot process Michael Tremer
  2020-04-29 19:33 ` [PATCH 2/2] random: Initialise the kernel's PRNG earlier Michael Tremer
  0 siblings, 2 replies; 3+ messages in thread
From: Michael Tremer @ 2020-04-29 19:33 UTC
  To: development


This is a small patchset trying to fix problems with setting up
IPFire on systems like PC Engines APU boards.

When running through setup, the admin password cannot be set because
htpasswd(8) now calls the get_random() syscall which locks forever
when the kernel's CPRNG has not been initialised yet.

These patches start rngd before that and pause the boot process
until enough randomness is available.

This is not a great solution, but a good hotfix right now.

We will have to revisit this soon and hopefully get rid of
the loopy script which has its own flaws.

I am happy to listen to any creative ideas :)

Best,
-Michael
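
An added example, not part of the original message or of IPFire's code: a bounded, non-blocking wait for the kernel CRNG, in contrast to the indefinite block on getrandom(2) described above. The names `crng_ready` and `wait_for_crng` are hypothetical; it assumes Linux and Python 3.6 or later.

```python
import os
import time


def crng_ready():
    """Return True once the kernel CRNG is initialised; never blocks."""
    try:
        # GRND_NONBLOCK turns the indefinite sleep into an immediate error.
        os.getrandom(1, os.GRND_NONBLOCK)
        return True
    except BlockingIOError:
        # EAGAIN: the pool is not initialised yet. A plain getrandom()
        # call would sleep here until it is.
        return False


def wait_for_crng(timeout=30.0, interval=0.5, probe=crng_ready,
                  sleep=time.sleep, clock=time.monotonic):
    """Poll until the CRNG is ready or `timeout` seconds have passed.

    Returns the number of seconds waited, or None on timeout so the
    caller can report the problem instead of hanging.
    probe, sleep and clock are injectable so the logic can be tested
    on a machine whose pool is already seeded.
    """
    start = clock()
    while True:
        if probe():
            return clock() - start
        if clock() - start >= timeout:
            return None
        sleep(interval)


if __name__ == "__main__":
    waited = wait_for_crng()
    if waited is None:
        print("kernel CRNG still not initialised, giving up")
    else:
        print("kernel CRNG ready after %.1f s" % waited)
```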



* [PATCH 1/2] random: Launch rngd earlier in the boot process
From: Michael Tremer @ 2020-04-29 19:33 UTC
  To: development


We should initialise the kernel's PRNG as early as we can.

Starting rngd very early will seed the random number generator
when RDRAND or other hardware random number generators are available.

Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
---
 config/rootfiles/common/aarch64/initscripts  | 2 +-
 config/rootfiles/common/armv5tel/initscripts | 2 +-
 config/rootfiles/common/i586/initscripts     | 2 +-
 config/rootfiles/common/x86_64/initscripts   | 2 +-
 lfs/initscripts                              | 2 +-
 5 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/config/rootfiles/common/aarch64/initscripts b/config/rootfiles/common/aarch64/initscripts
index 54f6f92a3..d6f13224a 100644
--- a/config/rootfiles/common/aarch64/initscripts
+++ b/config/rootfiles/common/aarch64/initscripts
@@ -193,6 +193,7 @@ etc/rc.d/rcsysinit.d/S44smt
 etc/rc.d/rcsysinit.d/S45udev_retry
 etc/rc.d/rcsysinit.d/S50cleanfs
 etc/rc.d/rcsysinit.d/S60setclock
+etc/rc.d/rcsysinit.d/S65rngd
 etc/rc.d/rcsysinit.d/S70console
 etc/rc.d/rcsysinit.d/S71pakfire
 etc/rc.d/rcsysinit.d/S73swconfig
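Review bot: S65 in this hunk still places rngd after S50cleanfs and S60setclock, while the commit message says the PRNG should be initialised "as early as we can". If the only real dependency is that udev has created the hardware RNG device (S45udev_retry), a lower number would seed sooner; if S50cleanfs or S60setclock is actually required first, say so in the commit message so the slot is not moved again by guesswork. The same applies to the identical hunks for the other architectures.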
@@ -200,7 +201,6 @@ etc/rc.d/rcsysinit.d/S74cloud-init
 etc/rc.d/rcsysinit.d/S75firstsetup
 etc/rc.d/rcsysinit.d/S80localnet
 etc/rc.d/rcsysinit.d/S85firewall
-etc/rc.d/rcsysinit.d/S92rngd
 #etc/sysconfig
 etc/sysconfig/createfiles
 etc/sysconfig/firewall.local
diff --git a/config/rootfiles/common/armv5tel/initscripts b/config/rootfiles/common/armv5tel/initscripts
index 54f6f92a3..d6f13224a 100644
--- a/config/rootfiles/common/armv5tel/initscripts
+++ b/config/rootfiles/common/armv5tel/initscripts
@@ -193,6 +193,7 @@ etc/rc.d/rcsysinit.d/S44smt
 etc/rc.d/rcsysinit.d/S45udev_retry
 etc/rc.d/rcsysinit.d/S50cleanfs
 etc/rc.d/rcsysinit.d/S60setclock
+etc/rc.d/rcsysinit.d/S65rngd
 etc/rc.d/rcsysinit.d/S70console
 etc/rc.d/rcsysinit.d/S71pakfire
 etc/rc.d/rcsysinit.d/S73swconfig
@@ -200,7 +201,6 @@ etc/rc.d/rcsysinit.d/S74cloud-init
 etc/rc.d/rcsysinit.d/S75firstsetup
 etc/rc.d/rcsysinit.d/S80localnet
 etc/rc.d/rcsysinit.d/S85firewall
-etc/rc.d/rcsysinit.d/S92rngd
 #etc/sysconfig
 etc/sysconfig/createfiles
 etc/sysconfig/firewall.local
diff --git a/config/rootfiles/common/i586/initscripts b/config/rootfiles/common/i586/initscripts
index b32efd786..2db7f1aa3 100644
--- a/config/rootfiles/common/i586/initscripts
+++ b/config/rootfiles/common/i586/initscripts
@@ -192,13 +192,13 @@ etc/rc.d/rcsysinit.d/S44smt
 etc/rc.d/rcsysinit.d/S45udev_retry
 etc/rc.d/rcsysinit.d/S50cleanfs
 etc/rc.d/rcsysinit.d/S60setclock
+etc/rc.d/rcsysinit.d/S65rngd
 etc/rc.d/rcsysinit.d/S70console
 etc/rc.d/rcsysinit.d/S71pakfire
 etc/rc.d/rcsysinit.d/S74cloud-init
 etc/rc.d/rcsysinit.d/S75firstsetup
 etc/rc.d/rcsysinit.d/S80localnet
 etc/rc.d/rcsysinit.d/S85firewall
-etc/rc.d/rcsysinit.d/S92rngd
 #etc/sysconfig
 etc/sysconfig/createfiles
 etc/sysconfig/firewall.local
diff --git a/config/rootfiles/common/x86_64/initscripts b/config/rootfiles/common/x86_64/initscripts
index b32efd786..2db7f1aa3 100644
--- a/config/rootfiles/common/x86_64/initscripts
+++ b/config/rootfiles/common/x86_64/initscripts
@@ -192,13 +192,13 @@ etc/rc.d/rcsysinit.d/S44smt
 etc/rc.d/rcsysinit.d/S45udev_retry
 etc/rc.d/rcsysinit.d/S50cleanfs
 etc/rc.d/rcsysinit.d/S60setclock
+etc/rc.d/rcsysinit.d/S65rngd
 etc/rc.d/rcsysinit.d/S70console
 etc/rc.d/rcsysinit.d/S71pakfire
 etc/rc.d/rcsysinit.d/S74cloud-init
 etc/rc.d/rcsysinit.d/S75firstsetup
 etc/rc.d/rcsysinit.d/S80localnet
 etc/rc.d/rcsysinit.d/S85firewall
-etc/rc.d/rcsysinit.d/S92rngd
 #etc/sysconfig
 etc/sysconfig/createfiles
 etc/sysconfig/firewall.local
diff --git a/lfs/initscripts b/lfs/initscripts
index 37ca5cd3f..ba6c9f913 100644
--- a/lfs/initscripts
+++ b/lfs/initscripts
@@ -173,13 +173,13 @@ $(TARGET) :
 	ln -sf ../init.d/setclock    /etc/rc.d/rcsysinit.d/S60setclock
 	ln -sf ../init.d/setclock    /etc/rc.d/rc0.d/K47setclock
 	ln -sf ../init.d/setclock    /etc/rc.d/rc6.d/K47setclock
+	ln -sf ../init.d/rngd        /etc/rc.d/rcsysinit.d/S65rngd
 	ln -sf ../init.d/console     /etc/rc.d/rcsysinit.d/S70console
 	ln -sf ../init.d/pakfire     /etc/rc.d/rcsysinit.d/S71pakfire
 	ln -sf ../init.d/cloud-init  /etc/rc.d/rcsysinit.d/S74cloud-init
 	ln -sf ../init.d/firstsetup  /etc/rc.d/rcsysinit.d/S75firstsetup
 	ln -sf ../init.d/localnet    /etc/rc.d/rcsysinit.d/S80localnet
 	ln -sf ../init.d/firewall    /etc/rc.d/rcsysinit.d/S85firewall
-	ln -sf ../init.d/rngd        /etc/rc.d/rcsysinit.d/S92rngd
 	ln -sf ../init.d/vnstat      /etc/rc.d/rc3.d/S01vnstat
 	ln -sf ../init.d/vnstat      /etc/rc.d/rc0.d/K51vnstat
 	ln -sf ../init.d/vnstat      /etc/rc.d/rc6.d/K51vnstat
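Review bot: `ln -sf ../init.d/rngd /etc/rc.d/rcsysinit.d/S65rngd` only creates the new link, so a system that is upgraded rather than reinstalled keeps its existing S92rngd link and would run the rngd init script a second time during sysinit unless the update removes it. None of the five files in this patch deletes the old link; the update that ships this change should remove /etc/rc.d/rcsysinit.d/S92rngd explicitly.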
-- 
2.20.1



* [PATCH 2/2] random: Initialise the kernel's PRNG earlier
From: Michael Tremer @ 2020-04-29 19:33 UTC
  To: development


Since more processes depend on good randomness, we need to
make sure that the kernel's PRNG is initialized as early as
possible.

For systems without a HWRNG, we will need to fall back to our
noisy loop and wait until we have enough randomness.

This patch also removes saving and restoring the seed. This
is no longer useful because the kernel's PRNG only takes any
input after it has successfully been seeded from other sources.

Hence adding this seed does not increase its randomness.

Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
---
 config/rootfiles/common/aarch64/initscripts  |  4 +---
 config/rootfiles/common/armv5tel/initscripts |  4 +---
 config/rootfiles/common/i586/initscripts     |  4 +---
 config/rootfiles/common/x86_64/initscripts   |  4 +---
 lfs/initscripts                              |  4 +---
 src/initscripts/system/random                | 21 +-------------------
 6 files changed, 6 insertions(+), 35 deletions(-)

diff --git a/config/rootfiles/common/aarch64/initscripts b/config/rootfiles/common/aarch64/initscripts
index d6f13224a..8d945f7a5 100644
--- a/config/rootfiles/common/aarch64/initscripts
+++ b/config/rootfiles/common/aarch64/initscripts
@@ -104,7 +104,6 @@ etc/rc.d/rc0.d/K08fcron
 etc/rc.d/rc0.d/K28apache
 etc/rc.d/rc0.d/K30sshd
 #etc/rc.d/rc0.d/K34client175
-etc/rc.d/rc0.d/K45random
 etc/rc.d/rc0.d/K47setclock
 etc/rc.d/rc0.d/K49cyrus-sasl
 etc/rc.d/rc0.d/K51vnstat
@@ -124,7 +123,6 @@ etc/rc.d/rc0.d/S80mountfs
 etc/rc.d/rc0.d/S90swap
 etc/rc.d/rc0.d/S99halt
 #etc/rc.d/rc3.d
-etc/rc.d/rc3.d/S00random
 etc/rc.d/rc3.d/S01vnstat
 etc/rc.d/rc3.d/S10sysklogd
 etc/rc.d/rc3.d/S11unbound
@@ -157,7 +155,6 @@ etc/rc.d/rc6.d/K08fcron
 etc/rc.d/rc6.d/K28apache
 etc/rc.d/rc6.d/K30sshd
 #etc/rc.d/rc6.d/K34client175
-etc/rc.d/rc6.d/K45random
 etc/rc.d/rc6.d/K47setclock
 etc/rc.d/rc6.d/K49cyrus-sasl
 etc/rc.d/rc6.d/K51vnstat
@@ -194,6 +191,7 @@ etc/rc.d/rcsysinit.d/S45udev_retry
 etc/rc.d/rcsysinit.d/S50cleanfs
 etc/rc.d/rcsysinit.d/S60setclock
 etc/rc.d/rcsysinit.d/S65rngd
+etc/rc.d/rcsysinit.d/S66random
 etc/rc.d/rcsysinit.d/S70console
 etc/rc.d/rcsysinit.d/S71pakfire
 etc/rc.d/rcsysinit.d/S73swconfig
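Review bot: S66random sits directly behind S65rngd and in front of S70console and S75firstsetup, so on a board without a HWRNG everything after this point waits on the fallback loop described in the commit message. The hunk gives no indication of an upper bound on that wait; please state in the commit message or the script how long it can take on the slowest supported board and what the user sees meanwhile. Since rngd is started only one step earlier, it is also worth checking that it has had a chance to feed the pool before the loop starts, so that HWRNG systems do not run the loop needlessly.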
diff --git a/config/rootfiles/common/armv5tel/initscripts b/config/rootfiles/common/armv5tel/initscripts
index d6f13224a..8d945f7a5 100644
--- a/config/rootfiles/common/armv5tel/initscripts
+++ b/config/rootfiles/common/armv5tel/initscripts
@@ -104,7 +104,6 @@ etc/rc.d/rc0.d/K08fcron
 etc/rc.d/rc0.d/K28apache
 etc/rc.d/rc0.d/K30sshd
 #etc/rc.d/rc0.d/K34client175
-etc/rc.d/rc0.d/K45random
 etc/rc.d/rc0.d/K47setclock
 etc/rc.d/rc0.d/K49cyrus-sasl
 etc/rc.d/rc0.d/K51vnstat
@@ -124,7 +123,6 @@ etc/rc.d/rc0.d/S80mountfs
 etc/rc.d/rc0.d/S90swap
 etc/rc.d/rc0.d/S99halt
 #etc/rc.d/rc3.d
-etc/rc.d/rc3.d/S00random
 etc/rc.d/rc3.d/S01vnstat
 etc/rc.d/rc3.d/S10sysklogd
 etc/rc.d/rc3.d/S11unbound
@@ -157,7 +155,6 @@ etc/rc.d/rc6.d/K08fcron
 etc/rc.d/rc6.d/K28apache
 etc/rc.d/rc6.d/K30sshd
 #etc/rc.d/rc6.d/K34client175
-etc/rc.d/rc6.d/K45random
 etc/rc.d/rc6.d/K47setclock
 etc/rc.d/rc6.d/K49cyrus-sasl
 etc/rc.d/rc6.d/K51vnstat
@@ -194,6 +191,7 @@ etc/rc.d/rcsysinit.d/S45udev_retry
 etc/rc.d/rcsysinit.d/S50cleanfs
 etc/rc.d/rcsysinit.d/S60setclock
 etc/rc.d/rcsysinit.d/S65rngd
+etc/rc.d/rcsysinit.d/S66random
 etc/rc.d/rcsysinit.d/S70console
 etc/rc.d/rcsysinit.d/S71pakfire
 etc/rc.d/rcsysinit.d/S73swconfig
diff --git a/config/rootfiles/common/i586/initscripts b/config/rootfiles/common/i586/initscripts
index 2db7f1aa3..996925b7a 100644
--- a/config/rootfiles/common/i586/initscripts
+++ b/config/rootfiles/common/i586/initscripts
@@ -103,7 +103,6 @@ etc/rc.d/rc0.d/K08fcron
 etc/rc.d/rc0.d/K28apache
 etc/rc.d/rc0.d/K30sshd
 #etc/rc.d/rc0.d/K34client175
-etc/rc.d/rc0.d/K45random
 etc/rc.d/rc0.d/K47setclock
 etc/rc.d/rc0.d/K49cyrus-sasl
 etc/rc.d/rc0.d/K51vnstat
@@ -123,7 +122,6 @@ etc/rc.d/rc0.d/S80mountfs
 etc/rc.d/rc0.d/S90swap
 etc/rc.d/rc0.d/S99halt
 #etc/rc.d/rc3.d
-etc/rc.d/rc3.d/S00random
 etc/rc.d/rc3.d/S01vnstat
 etc/rc.d/rc3.d/S10sysklogd
 etc/rc.d/rc3.d/S12acpid
@@ -156,7 +154,6 @@ etc/rc.d/rc6.d/K08fcron
 etc/rc.d/rc6.d/K28apache
 etc/rc.d/rc6.d/K30sshd
 #etc/rc.d/rc6.d/K34client175
-etc/rc.d/rc6.d/K45random
 etc/rc.d/rc6.d/K47setclock
 etc/rc.d/rc6.d/K49cyrus-sasl
 etc/rc.d/rc6.d/K51vnstat
@@ -193,6 +190,7 @@ etc/rc.d/rcsysinit.d/S45udev_retry
 etc/rc.d/rcsysinit.d/S50cleanfs
 etc/rc.d/rcsysinit.d/S60setclock
 etc/rc.d/rcsysinit.d/S65rngd
+etc/rc.d/rcsysinit.d/S66random
 etc/rc.d/rcsysinit.d/S70console
 etc/rc.d/rcsysinit.d/S71pakfire
 etc/rc.d/rcsysinit.d/S74cloud-init
diff --git a/config/rootfiles/common/x86_64/initscripts b/config/rootfiles/common/x86_64/initscripts
index 2db7f1aa3..996925b7a 100644
--- a/config/rootfiles/common/x86_64/initscripts
+++ b/config/rootfiles/common/x86_64/initscripts
@@ -103,7 +103,6 @@ etc/rc.d/rc0.d/K08fcron
 etc/rc.d/rc0.d/K28apache
 etc/rc.d/rc0.d/K30sshd
 #etc/rc.d/rc0.d/K34client175
-etc/rc.d/rc0.d/K45random
 etc/rc.d/rc0.d/K47setclock
 etc/rc.d/rc0.d/K49cyrus-sasl
 etc/rc.d/rc0.d/K51vnstat
@@ -123,7 +122,6 @@ etc/rc.d/rc0.d/S80mountfs
 etc/rc.d/rc0.d/S90swap
 etc/rc.d/rc0.d/S99halt
 #etc/rc.d/rc3.d
-etc/rc.d/rc3.d/S00random
 etc/rc.d/rc3.d/S01vnstat
 etc/rc.d/rc3.d/S10sysklogd
 etc/rc.d/rc3.d/S12acpid
@@ -156,7 +154,6 @@ etc/rc.d/rc6.d/K08fcron
 etc/rc.d/rc6.d/K28apache
 etc/rc.d/rc6.d/K30sshd
 #etc/rc.d/rc6.d/K34client175
-etc/rc.d/rc6.d/K45random
 etc/rc.d/rc6.d/K47setclock
 etc/rc.d/rc6.d/K49cyrus-sasl
 etc/rc.d/rc6.d/K51vnstat
@@ -193,6 +190,7 @@ etc/rc.d/rcsysinit.d/S45udev_retry
 etc/rc.d/rcsysinit.d/S50cleanfs
 etc/rc.d/rcsysinit.d/S60setclock
 etc/rc.d/rcsysinit.d/S65rngd
+etc/rc.d/rcsysinit.d/S66random
 etc/rc.d/rcsysinit.d/S70console
 etc/rc.d/rcsysinit.d/S71pakfire
 etc/rc.d/rcsysinit.d/S74cloud-init
diff --git a/lfs/initscripts b/lfs/initscripts
index ba6c9f913..242de60e5 100644
--- a/lfs/initscripts
+++ b/lfs/initscripts
@@ -126,9 +126,6 @@ $(TARGET) :
 	ln -sf ../init.d/unbound     /etc/rc.d/rc0.d/K86unbound
 	ln -sf ../init.d/unbound     /etc/rc.d/rc3.d/S11unbound
 	ln -sf ../init.d/unbound     /etc/rc.d/rc6.d/K86unbound
-	ln -sf ../init.d/random      /etc/rc.d/rc0.d/K45random
-	ln -sf ../init.d/random      /etc/rc.d/rc3.d/S00random
-	ln -sf ../init.d/random      /etc/rc.d/rc6.d/K45random
 	ln -sf ../../sysconfig/rc.local /etc/rc.d/rc3.d/S98rc.local
 	ln -sf ../init.d/client175   /etc/rc.d/rc0.d/K34client175
 	ln -sf ../init.d/client175   /etc/rc.d/rc3.d/S66client175
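Review bot: dropping the rc0.d and rc6.d K45random links here only affects fresh builds; on an upgraded system the old links stay in place, and since this patch also deletes the stop) branch from src/initscripts/system/random, every shutdown and reboot would then call the script with "stop", print the usage line and exit 1. A stale rc3.d/S00random link would likewise rerun the start path after sysinit has already done so. The update should remove all three old links.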
@@ -174,6 +171,7 @@ $(TARGET) :
 	ln -sf ../init.d/setclock    /etc/rc.d/rc0.d/K47setclock
 	ln -sf ../init.d/setclock    /etc/rc.d/rc6.d/K47setclock
 	ln -sf ../init.d/rngd        /etc/rc.d/rcsysinit.d/S65rngd
+	ln -sf ../init.d/random      /etc/rc.d/rcsysinit.d/S66random
 	ln -sf ../init.d/console     /etc/rc.d/rcsysinit.d/S70console
 	ln -sf ../init.d/pakfire     /etc/rc.d/rcsysinit.d/S71pakfire
 	ln -sf ../init.d/cloud-init  /etc/rc.d/rcsysinit.d/S74cloud-init
diff --git a/src/initscripts/system/random b/src/initscripts/system/random
index 1f825cd18..489c7dac9 100644
--- a/src/initscripts/system/random
+++ b/src/initscripts/system/random
@@ -22,29 +22,10 @@ case "$1" in
 			sync
 			rm -f /var/tmp/random-tmpfile
 		done;
-
-		boot_mesg "\rInitializing kernel random number generator..."
-		if [ -f /var/tmp/random-seed ]; then
-			/bin/cat /var/tmp/random-seed >/dev/urandom
-		fi
-		touch /var/tmp/random-seed
-		chmod 600 /var/tmp/random-seed
-		/bin/dd if=/dev/urandom of=/var/tmp/random-seed \
-			count=1 bs=$poolsize &>/dev/null
-		evaluate_retval
-		;;
-
-	stop)
-		boot_mesg "Saving random seed..."
-		touch /var/tmp/random-seed
-		chmod 600 /var/tmp/random-seed
-		/bin/dd if=/dev/urandom of=/var/tmp/random-seed \
-			count=1 bs=$poolsize &>/dev/null
-		evaluate_retval
 		;;
 
 	*)
-		echo "Usage: $0 {start|stop}"
+		echo "Usage: $0 {start}"
 		exit 1
 		;;
 esac
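Review bot: with the tail of start) and the whole stop) branch removed, nothing writes /var/tmp/random-seed any more, but an existing file stays on disk on upgraded systems; remove it in the update. Check also whether `poolsize` is still used above this hunk, since the two removed dd calls (`bs=$poolsize`) were its visible consumers, and drop the variable if it is not. A one-line comment in the script recording why no seed is loaded would keep someone from adding it back later.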
-- 
2.20.1

