[OpenWrt-Devel] [PATCH] openssl: Fix longer booting times by unblocking getrandom

Etienne Champetier champetier.etienne at gmail.com
Fri Mar 15 14:24:33 EDT 2019


Hi Petr,

Le ven. 15 mars 2019 à 13:01, Petr Štetiar <ynezz at true.cz> a écrit :
>
> Etienne Champetier <champetier.etienne at gmail.com> [2019-03-15 10:46:09]:
>
> Hi,
>
> > Just a side note, on first boot we save a random seed using getrandom()
> > https://github.com/openwrt/openwrt/blob/master/package/base-files/files/etc/init.d/urandom_seed
> > https://github.com/openwrt/openwrt/blob/master/package/base-files/files/sbin/urandom_seed
> >
> > And we restore it in preinit
> > https://github.com/openwrt/openwrt/blob/master/package/base-files/files/lib/preinit/81_urandom_seed
>
> Well, it seems like we're writing the /etc/urandom.seed to the /dev/urandom
> which doesn't help with initialization of CRNG, just seeding the /dev/urandom.
>
> > So even if kernel PRNG is considered not initialized, in reality it
> > is, so starting from second boot we are ~ok
>
> Nope, see below.
>
> 1st boot:
>
>  [    3.944674] urandom-seed: Seed file not found (/etc/urandom.seed)
>  [   75.120166] random: fast init done
>  [  140.917418] random: crng init done
>
> 2nd boot:
>
>  [    3.938414] urandom-seed: Seeding with /etc/urandom.seed
>  [   22.440981] random: fast init done
>  [  135.737309] random: crng init done

I was not precise enough: writing to /dev/urandom does add entropy to
the internal CSPRNG state, but the kernel counts it as 0 because it
doesn't trust it.
So after urandom-seed you are ~ok from a security standpoint, but yes,
getrandom() still blocks.

>
> -- ynezz
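The distinction discussed above (seed bytes mixed in by write() versus entropy actually credited so "crng init done" can happen) can be checked directly. The following is an added example, not code from the thread or from OpenWrt's urandom_seed scripts; it assumes a Linux host, a seed file at /etc/urandom.seed (path taken from argv[1] otherwise), and root for the RNDADDENTROPY ioctl.

```c
#include <fcntl.h>
#include <linux/random.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ioctl.h>
#include <unistd.h>

/* Kernel's current entropy estimate, or -1 if /proc is unavailable. */
static int entropy_avail(void) {
    FILE *f = fopen("/proc/sys/kernel/random/entropy_avail", "r");
    int v = -1;
    if (f) { if (fscanf(f, "%d", &v) != 1) v = -1; fclose(f); }
    return v;
}

/* Bits to credit for n seed bytes, treating the seed as fully random. */
static int credit_bits(size_t n) { return (int)(n * 8); }
/* What a plain "cat seed > /dev/urandom" does: the bytes are mixed into
 * the pool but credited as 0 bits, so getrandom() keeps blocking. */
static ssize_t seed_uncredited(int fd, const void *seed, size_t n) {
    return write(fd, seed, n);
}

/* RNDADDENTROPY mixes *and* credits the seed (CAP_SYS_ADMIN); 0 on success, -1 on error. */
static int seed_credited(int fd, const void *seed, size_t n) {
    struct rand_pool_info *rpi = malloc(sizeof *rpi + n);
    if (!rpi) return -1;
    rpi->entropy_count = credit_bits(n);
    rpi->buf_size = (int)n;
    memcpy(rpi->buf, seed, n);
    int rc = ioctl(fd, RNDADDENTROPY, rpi);
    free(rpi);
    return rc;
}

int main(int argc, char **argv) {
    const char *path = argc > 1 ? argv[1] : "/etc/urandom.seed"; /* assumed path */
    unsigned char seed[512];
    FILE *f = fopen(path, "rb");
    size_t n = f ? fread(seed, 1, sizeof seed, f) : 0;
    if (f) fclose(f);
    int fd = n ? open("/dev/urandom", O_WRONLY) : -1;
    if (fd < 0) { fprintf(stderr, "cannot read %s or open /dev/urandom\n", path); return 1; }
    printf("before: %d\n", entropy_avail());
    seed_uncredited(fd, seed, n);
    printf("after write(): %d (nothing credited)\n", entropy_avail());
    if (seed_credited(fd, seed, n) == 0)
        printf("after RNDADDENTROPY: %d (credited, up to the pool cap)\n", entropy_avail());
    else perror("RNDADDENTROPY (needs root)");
    close(fd);
    return 0;
}
```

Credit only bytes you are confident are unpredictable and not reused across boots; a seed file that may have been copied or replayed belongs on the uncredited write() path.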
