This is a small patchset trying to fix problems with setting up IPFire on systems like PC Engines APU boards.
When running through setup, the admin password cannot be set because htpasswd(8) now calls the get_random() syscall which locks forever when the kernel's CPRNG has not been initialised yet.
These patches start rngd before that and pause the boot process until enough randomness is available.
This is not a great solution, but a good hotfix right now.
We will have to revisit this soon and hopefully get rid of the loopy script which has its own flaws.
I am happy to listen to any creative ideas :)
Best, -Michael
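The blocking behaviour described in the cover letter can be probed without hanging. The following is an added example, not code from the patchset or from IPFire: it polls the getrandom(2) system call with GRND_NONBLOCK and gives up after a deadline instead of waiting forever. The names `wait_for_crng`, `probe_getrandom` and `probe_fake` are hypothetical, and `probe_fake` is a constructed stand-in for an unseeded kernel.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <sys/random.h>
#include <time.h>

/* A probe returns 0 once the CRNG is seeded, else -1 with errno set. */
typedef int (*crng_probe_fn)(void);

/* Real probe: with GRND_NONBLOCK, getrandom(2) fails with EAGAIN instead
 * of blocking while the kernel's CRNG is still uninitialised. */
static int probe_getrandom(void)
{
    unsigned char b;
    return getrandom(&b, sizeof(b), GRND_NONBLOCK) == 1 ? 0 : -1;
}

/* Constructed stand-in for an unseeded kernel: fails fake_fails_left times. */
static int fake_fails_left;
static int probe_fake(void)
{
    if (fake_fails_left > 0) { fake_fails_left--; errno = EAGAIN; return -1; }
    return 0;
}

/* Poll until seeded or timeout_ms has passed.
 * Returns 0 = seeded, 1 = timed out unseeded, -1 = unexpected error. */
static int wait_for_crng(crng_probe_fn probe, long timeout_ms, long step_ms)
{
    long waited = 0;
    if (step_ms < 1)
        step_ms = 1;
    struct timespec step = { step_ms / 1000, (step_ms % 1000) * 1000000L };
    for (;;) {
        if (probe() == 0)
            return 0;
        if (errno != EAGAIN && errno != EINTR)
            return -1;              /* e.g. ENOSYS: no getrandom(2) at all */
        if (waited >= timeout_ms)
            return 1;
        nanosleep(&step, NULL);
        waited += step_ms;
    }
}

int main(void)
{
    /* Exit status 0 only once the CRNG is seeded (30 s budget). */
    return wait_for_crng(probe_getrandom, 30000, 250) == 0 ? 0 : 1;
}
```

Run before a step that generates secrets, a non-zero exit status tells the caller to stop rather than hang or proceed with an unseeded generator.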
We should initialise the kernel's PRNG as early as we can.
Starting rngd very early will seed the random number generator when RDRAND or other hardware random number generators are available.
Signed-off-by: Michael Tremer michael.tremer@ipfire.org --- config/rootfiles/common/aarch64/initscripts | 2 +- config/rootfiles/common/armv5tel/initscripts | 2 +- config/rootfiles/common/i586/initscripts | 2 +- config/rootfiles/common/x86_64/initscripts | 2 +- lfs/initscripts | 2 +- 5 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/config/rootfiles/common/aarch64/initscripts b/config/rootfiles/common/aarch64/initscripts index 54f6f92a3..d6f13224a 100644 --- a/config/rootfiles/common/aarch64/initscripts +++ b/config/rootfiles/common/aarch64/initscripts @@ -193,6 +193,7 @@ etc/rc.d/rcsysinit.d/S44smt etc/rc.d/rcsysinit.d/S45udev_retry etc/rc.d/rcsysinit.d/S50cleanfs etc/rc.d/rcsysinit.d/S60setclock +etc/rc.d/rcsysinit.d/S65rngd etc/rc.d/rcsysinit.d/S70console etc/rc.d/rcsysinit.d/S71pakfire etc/rc.d/rcsysinit.d/S73swconfig @@ -200,7 +201,6 @@ etc/rc.d/rcsysinit.d/S74cloud-init etc/rc.d/rcsysinit.d/S75firstsetup etc/rc.d/rcsysinit.d/S80localnet etc/rc.d/rcsysinit.d/S85firewall -etc/rc.d/rcsysinit.d/S92rngd #etc/sysconfig etc/sysconfig/createfiles etc/sysconfig/firewall.local diff --git a/config/rootfiles/common/armv5tel/initscripts b/config/rootfiles/common/armv5tel/initscripts index 54f6f92a3..d6f13224a 100644 --- a/config/rootfiles/common/armv5tel/initscripts +++ b/config/rootfiles/common/armv5tel/initscripts @@ -193,6 +193,7 @@ etc/rc.d/rcsysinit.d/S44smt etc/rc.d/rcsysinit.d/S45udev_retry etc/rc.d/rcsysinit.d/S50cleanfs etc/rc.d/rcsysinit.d/S60setclock +etc/rc.d/rcsysinit.d/S65rngd etc/rc.d/rcsysinit.d/S70console etc/rc.d/rcsysinit.d/S71pakfire etc/rc.d/rcsysinit.d/S73swconfig @@ -200,7 +201,6 @@ etc/rc.d/rcsysinit.d/S74cloud-init etc/rc.d/rcsysinit.d/S75firstsetup etc/rc.d/rcsysinit.d/S80localnet etc/rc.d/rcsysinit.d/S85firewall -etc/rc.d/rcsysinit.d/S92rngd #etc/sysconfig etc/sysconfig/createfiles etc/sysconfig/firewall.local diff --git a/config/rootfiles/common/i586/initscripts b/config/rootfiles/common/i586/initscripts index b32efd786..2db7f1aa3 100644 --- a/config/rootfiles/common/i586/initscripts +++ b/config/rootfiles/common/i586/initscripts 
@@ -192,13 +192,13 @@ etc/rc.d/rcsysinit.d/S44smt etc/rc.d/rcsysinit.d/S45udev_retry etc/rc.d/rcsysinit.d/S50cleanfs etc/rc.d/rcsysinit.d/S60setclock +etc/rc.d/rcsysinit.d/S65rngd etc/rc.d/rcsysinit.d/S70console etc/rc.d/rcsysinit.d/S71pakfire etc/rc.d/rcsysinit.d/S74cloud-init etc/rc.d/rcsysinit.d/S75firstsetup etc/rc.d/rcsysinit.d/S80localnet etc/rc.d/rcsysinit.d/S85firewall -etc/rc.d/rcsysinit.d/S92rngd #etc/sysconfig etc/sysconfig/createfiles etc/sysconfig/firewall.local diff --git a/config/rootfiles/common/x86_64/initscripts b/config/rootfiles/common/x86_64/initscripts index b32efd786..2db7f1aa3 100644 --- a/config/rootfiles/common/x86_64/initscripts +++ b/config/rootfiles/common/x86_64/initscripts @@ -192,13 +192,13 @@ etc/rc.d/rcsysinit.d/S44smt etc/rc.d/rcsysinit.d/S45udev_retry etc/rc.d/rcsysinit.d/S50cleanfs etc/rc.d/rcsysinit.d/S60setclock +etc/rc.d/rcsysinit.d/S65rngd etc/rc.d/rcsysinit.d/S70console etc/rc.d/rcsysinit.d/S71pakfire etc/rc.d/rcsysinit.d/S74cloud-init etc/rc.d/rcsysinit.d/S75firstsetup etc/rc.d/rcsysinit.d/S80localnet etc/rc.d/rcsysinit.d/S85firewall -etc/rc.d/rcsysinit.d/S92rngd #etc/sysconfig etc/sysconfig/createfiles etc/sysconfig/firewall.local diff --git a/lfs/initscripts b/lfs/initscripts index 37ca5cd3f..ba6c9f913 100644 --- a/lfs/initscripts +++ b/lfs/initscripts 
@@ -173,13 +173,13 @@ $(TARGET) : ln -sf ../init.d/setclock /etc/rc.d/rcsysinit.d/S60setclock ln -sf ../init.d/setclock /etc/rc.d/rc0.d/K47setclock ln -sf ../init.d/setclock /etc/rc.d/rc6.d/K47setclock + ln -sf ../init.d/rngd /etc/rc.d/rcsysinit.d/S65rngd ln -sf ../init.d/console /etc/rc.d/rcsysinit.d/S70console ln -sf ../init.d/pakfire /etc/rc.d/rcsysinit.d/S71pakfire ln -sf ../init.d/cloud-init /etc/rc.d/rcsysinit.d/S74cloud-init ln -sf ../init.d/firstsetup /etc/rc.d/rcsysinit.d/S75firstsetup ln -sf ../init.d/localnet /etc/rc.d/rcsysinit.d/S80localnet ln -sf ../init.d/firewall /etc/rc.d/rcsysinit.d/S85firewall - ln -sf ../init.d/rngd /etc/rc.d/rcsysinit.d/S92rngd ln -sf ../init.d/vnstat /etc/rc.d/rc3.d/S01vnstat ln -sf ../init.d/vnstat /etc/rc.d/rc0.d/K51vnstat ln -sf ../init.d/vnstat /etc/rc.d/rc6.d/K51vnstat
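Review bot: in the lfs/initscripts hunk the new `S65rngd` link sits ahead of `S75firstsetup`, which appears to be the ordering the fix relies on, but nothing in the file records that dependency. A one-line comment above `ln -sf ../init.d/rngd /etc/rc.d/rcsysinit.d/S65rngd` saying that rngd must start before firstsetup would keep a later renumbering from bringing the hang back. The rootfiles hunks only drop `etc/rc.d/rcsysinit.d/S92rngd` from the file lists, so it is worth confirming that the old link is also deleted on systems that are updated rather than reinstalled; otherwise rngd would be started a second time late in sysinit.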
Since more processes depend on good randomness, we need to make sure that the kernel's PRNG is initialized as early as possible.
For systems without a HWRNG, we will need to fall back to our noisy loop and wait until we have enough randomness.
This patch also removes saving and restoring the seed. This is no longer useful because the kernel's PRNG only takes any input after it has successfully been seeded from other sources.
Hence adding this seed does not increase its randomness.
Signed-off-by: Michael Tremer michael.tremer@ipfire.org --- config/rootfiles/common/aarch64/initscripts | 4 +--- config/rootfiles/common/armv5tel/initscripts | 4 +--- config/rootfiles/common/i586/initscripts | 4 +--- config/rootfiles/common/x86_64/initscripts | 4 +--- lfs/initscripts | 4 +--- src/initscripts/system/random | 21 +------------------- 6 files changed, 6 insertions(+), 35 deletions(-)
diff --git a/config/rootfiles/common/aarch64/initscripts b/config/rootfiles/common/aarch64/initscripts index d6f13224a..8d945f7a5 100644 --- a/config/rootfiles/common/aarch64/initscripts +++ b/config/rootfiles/common/aarch64/initscripts @@ -104,7 +104,6 @@ etc/rc.d/rc0.d/K08fcron etc/rc.d/rc0.d/K28apache etc/rc.d/rc0.d/K30sshd #etc/rc.d/rc0.d/K34client175 -etc/rc.d/rc0.d/K45random etc/rc.d/rc0.d/K47setclock etc/rc.d/rc0.d/K49cyrus-sasl etc/rc.d/rc0.d/K51vnstat @@ -124,7 +123,6 @@ etc/rc.d/rc0.d/S80mountfs etc/rc.d/rc0.d/S90swap etc/rc.d/rc0.d/S99halt #etc/rc.d/rc3.d -etc/rc.d/rc3.d/S00random etc/rc.d/rc3.d/S01vnstat etc/rc.d/rc3.d/S10sysklogd etc/rc.d/rc3.d/S11unbound @@ -157,7 +155,6 @@ etc/rc.d/rc6.d/K08fcron etc/rc.d/rc6.d/K28apache etc/rc.d/rc6.d/K30sshd #etc/rc.d/rc6.d/K34client175 -etc/rc.d/rc6.d/K45random etc/rc.d/rc6.d/K47setclock etc/rc.d/rc6.d/K49cyrus-sasl etc/rc.d/rc6.d/K51vnstat @@ -194,6 +191,7 @@ etc/rc.d/rcsysinit.d/S45udev_retry etc/rc.d/rcsysinit.d/S50cleanfs etc/rc.d/rcsysinit.d/S60setclock etc/rc.d/rcsysinit.d/S65rngd +etc/rc.d/rcsysinit.d/S66random etc/rc.d/rcsysinit.d/S70console etc/rc.d/rcsysinit.d/S71pakfire etc/rc.d/rcsysinit.d/S73swconfig diff --git a/config/rootfiles/common/armv5tel/initscripts b/config/rootfiles/common/armv5tel/initscripts index d6f13224a..8d945f7a5 100644 --- a/config/rootfiles/common/armv5tel/initscripts +++ b/config/rootfiles/common/armv5tel/initscripts @@ -104,7 +104,6 @@ etc/rc.d/rc0.d/K08fcron etc/rc.d/rc0.d/K28apache etc/rc.d/rc0.d/K30sshd #etc/rc.d/rc0.d/K34client175 -etc/rc.d/rc0.d/K45random etc/rc.d/rc0.d/K47setclock etc/rc.d/rc0.d/K49cyrus-sasl etc/rc.d/rc0.d/K51vnstat @@ -124,7 +123,6 @@ etc/rc.d/rc0.d/S80mountfs etc/rc.d/rc0.d/S90swap etc/rc.d/rc0.d/S99halt #etc/rc.d/rc3.d -etc/rc.d/rc3.d/S00random etc/rc.d/rc3.d/S01vnstat etc/rc.d/rc3.d/S10sysklogd etc/rc.d/rc3.d/S11unbound 
@@ -157,7 +155,6 @@ etc/rc.d/rc6.d/K08fcron etc/rc.d/rc6.d/K28apache etc/rc.d/rc6.d/K30sshd #etc/rc.d/rc6.d/K34client175 -etc/rc.d/rc6.d/K45random etc/rc.d/rc6.d/K47setclock etc/rc.d/rc6.d/K49cyrus-sasl etc/rc.d/rc6.d/K51vnstat @@ -194,6 +191,7 @@ etc/rc.d/rcsysinit.d/S45udev_retry etc/rc.d/rcsysinit.d/S50cleanfs etc/rc.d/rcsysinit.d/S60setclock etc/rc.d/rcsysinit.d/S65rngd +etc/rc.d/rcsysinit.d/S66random etc/rc.d/rcsysinit.d/S70console etc/rc.d/rcsysinit.d/S71pakfire etc/rc.d/rcsysinit.d/S73swconfig diff --git a/config/rootfiles/common/i586/initscripts b/config/rootfiles/common/i586/initscripts index 2db7f1aa3..996925b7a 100644 --- a/config/rootfiles/common/i586/initscripts +++ b/config/rootfiles/common/i586/initscripts @@ -103,7 +103,6 @@ etc/rc.d/rc0.d/K08fcron etc/rc.d/rc0.d/K28apache etc/rc.d/rc0.d/K30sshd #etc/rc.d/rc0.d/K34client175 -etc/rc.d/rc0.d/K45random etc/rc.d/rc0.d/K47setclock etc/rc.d/rc0.d/K49cyrus-sasl etc/rc.d/rc0.d/K51vnstat @@ -123,7 +122,6 @@ etc/rc.d/rc0.d/S80mountfs etc/rc.d/rc0.d/S90swap etc/rc.d/rc0.d/S99halt #etc/rc.d/rc3.d -etc/rc.d/rc3.d/S00random etc/rc.d/rc3.d/S01vnstat etc/rc.d/rc3.d/S10sysklogd etc/rc.d/rc3.d/S12acpid @@ -156,7 +154,6 @@ etc/rc.d/rc6.d/K08fcron etc/rc.d/rc6.d/K28apache etc/rc.d/rc6.d/K30sshd #etc/rc.d/rc6.d/K34client175 -etc/rc.d/rc6.d/K45random etc/rc.d/rc6.d/K47setclock etc/rc.d/rc6.d/K49cyrus-sasl etc/rc.d/rc6.d/K51vnstat @@ -193,6 +190,7 @@ etc/rc.d/rcsysinit.d/S45udev_retry etc/rc.d/rcsysinit.d/S50cleanfs etc/rc.d/rcsysinit.d/S60setclock etc/rc.d/rcsysinit.d/S65rngd +etc/rc.d/rcsysinit.d/S66random etc/rc.d/rcsysinit.d/S70console etc/rc.d/rcsysinit.d/S71pakfire etc/rc.d/rcsysinit.d/S74cloud-init diff --git a/config/rootfiles/common/x86_64/initscripts b/config/rootfiles/common/x86_64/initscripts index 2db7f1aa3..996925b7a 100644 --- a/config/rootfiles/common/x86_64/initscripts +++ b/config/rootfiles/common/x86_64/initscripts 
@@ -103,7 +103,6 @@ etc/rc.d/rc0.d/K08fcron etc/rc.d/rc0.d/K28apache etc/rc.d/rc0.d/K30sshd #etc/rc.d/rc0.d/K34client175 -etc/rc.d/rc0.d/K45random etc/rc.d/rc0.d/K47setclock etc/rc.d/rc0.d/K49cyrus-sasl etc/rc.d/rc0.d/K51vnstat @@ -123,7 +122,6 @@ etc/rc.d/rc0.d/S80mountfs etc/rc.d/rc0.d/S90swap etc/rc.d/rc0.d/S99halt #etc/rc.d/rc3.d -etc/rc.d/rc3.d/S00random etc/rc.d/rc3.d/S01vnstat etc/rc.d/rc3.d/S10sysklogd etc/rc.d/rc3.d/S12acpid @@ -156,7 +154,6 @@ etc/rc.d/rc6.d/K08fcron etc/rc.d/rc6.d/K28apache etc/rc.d/rc6.d/K30sshd #etc/rc.d/rc6.d/K34client175 -etc/rc.d/rc6.d/K45random etc/rc.d/rc6.d/K47setclock etc/rc.d/rc6.d/K49cyrus-sasl etc/rc.d/rc6.d/K51vnstat @@ -193,6 +190,7 @@ etc/rc.d/rcsysinit.d/S45udev_retry etc/rc.d/rcsysinit.d/S50cleanfs etc/rc.d/rcsysinit.d/S60setclock etc/rc.d/rcsysinit.d/S65rngd +etc/rc.d/rcsysinit.d/S66random etc/rc.d/rcsysinit.d/S70console etc/rc.d/rcsysinit.d/S71pakfire etc/rc.d/rcsysinit.d/S74cloud-init diff --git a/lfs/initscripts b/lfs/initscripts index ba6c9f913..242de60e5 100644 --- a/lfs/initscripts +++ b/lfs/initscripts @@ -126,9 +126,6 @@ $(TARGET) : ln -sf ../init.d/unbound /etc/rc.d/rc0.d/K86unbound ln -sf ../init.d/unbound /etc/rc.d/rc3.d/S11unbound ln -sf ../init.d/unbound /etc/rc.d/rc6.d/K86unbound - ln -sf ../init.d/random /etc/rc.d/rc0.d/K45random - ln -sf ../init.d/random /etc/rc.d/rc3.d/S00random - ln -sf ../init.d/random /etc/rc.d/rc6.d/K45random ln -sf ../../sysconfig/rc.local /etc/rc.d/rc3.d/S98rc.local ln -sf ../init.d/client175 /etc/rc.d/rc0.d/K34client175 ln -sf ../init.d/client175 /etc/rc.d/rc3.d/S66client175 
@@ -174,6 +171,7 @@ $(TARGET) : ln -sf ../init.d/setclock /etc/rc.d/rc0.d/K47setclock ln -sf ../init.d/setclock /etc/rc.d/rc6.d/K47setclock ln -sf ../init.d/rngd /etc/rc.d/rcsysinit.d/S65rngd + ln -sf ../init.d/random /etc/rc.d/rcsysinit.d/S66random ln -sf ../init.d/console /etc/rc.d/rcsysinit.d/S70console ln -sf ../init.d/pakfire /etc/rc.d/rcsysinit.d/S71pakfire ln -sf ../init.d/cloud-init /etc/rc.d/rcsysinit.d/S74cloud-init diff --git a/src/initscripts/system/random b/src/initscripts/system/random index 1f825cd18..489c7dac9 100644 --- a/src/initscripts/system/random +++ b/src/initscripts/system/random @@ -22,29 +22,10 @@ case "$1" in sync rm -f /var/tmp/random-tmpfile done; - - boot_mesg "\rInitializing kernel random number generator..." - if [ -f /var/tmp/random-seed ]; then - /bin/cat /var/tmp/random-seed >/dev/urandom - fi - touch /var/tmp/random-seed - chmod 600 /var/tmp/random-seed - /bin/dd if=/dev/urandom of=/var/tmp/random-seed \ - count=1 bs=$poolsize &>/dev/null - evaluate_retval - ;; - - stop) - boot_mesg "Saving random seed..." - touch /var/tmp/random-seed - chmod 600 /var/tmp/random-seed - /bin/dd if=/dev/urandom of=/var/tmp/random-seed \ - count=1 bs=$poolsize &>/dev/null - evaluate_retval ;;
*) - echo "Usage: $0 {start|stop}" + echo "Usage: $0 {start}" exit 1 ;; esac
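Review bot: the rc0.d, rc3.d and rc6.d hunks remove `K45random` and `S00random` from the rootfiles lists and from lfs/initscripts, but nothing visible removes those links on a system that is updated in place. A leftover `K45random` would call the script with `stop`, which after this patch falls through to the `*)` branch, prints `Usage: $0 {start}` and exits 1 on every shutdown and reboot. Suggest deleting the three old links in the update step.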
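Review bot: in the src/initscripts/system/random hunk the removed block held the only `evaluate_retval` visible in the `start` branch, so the branch now ends at `done;` without reporting a result; if a `boot_mesg` precedes the loop it no longer has a matching status. Separately, `/var/tmp/random-seed` is no longer read or rewritten, yet nothing deletes the copy that earlier boots left behind, so an old pool dump stays on disk. Removing the file once, here or in the update step, would close that out.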