Move the process of storing entropy from /dev/random and reseeding with
it at boot time closer to the way we want it to be in the final version. * Move the default directory to /var/db/entropy * Run the entropy saving cron job every 11 minutes. This seems to be a better default, although still bikeshed material. * Feed /dev/random some cheesy "entropy" from various commands and files before the disks are mounted. This gives /dev/random a better chance of running without blocking early. * Move the reseeding with previously stored entropy to the point immediately after the disks are mounted. * Make the harvesting script a little safer in regards to the possibility of accidentally overwriting something other than a regular file.
parent
41bf790205
commit
3bbfa62b63
@ -8,11 +8,11 @@ HOME=/var/log
|
||||
#
|
||||
#minute hour mday month wday who command
|
||||
#
|
||||
# save some entropy so that /dev/random can reseed on boot
|
||||
*/3 * * * * operator /usr/libexec/save-entropy
|
||||
#
|
||||
*/5 * * * * root /usr/libexec/atrun
|
||||
#
|
||||
# save some entropy so that /dev/random can reseed on boot
|
||||
*/11 * * * * operator /usr/libexec/save-entropy
|
||||
#
|
||||
# rotate log files every hour, if necessary
|
||||
0 * * * * root newsyslog
|
||||
#
|
||||
|
@ -324,7 +324,7 @@ start_vinum="" # set to YES to start vinum
|
||||
unaligned_print="YES" # print unaligned access warnings on the alpha (or NO).
|
||||
entropy_file="/entropy" # Set to NO to disable caching entropy through reboots.
|
||||
# /var/db/entropy is preferred if / is not available.
|
||||
entropy_dir="/.entropy" # Set to NO to disable caching entropy via cron.
|
||||
entropy_dir="/var/db/entropy" # Set to NO to disable caching entropy via cron.
|
||||
entropy_save_sz="2048" # Size of the entropy cache files.
|
||||
entropy_save_num="8" # Number of entropy cache files to save.
|
||||
|
||||
|
@ -5,10 +5,6 @@
|
||||
|
||||
/set type=dir uname=root gname=wheel mode=0755
|
||||
.
|
||||
/set type=dir uname=operator gname=operator mode=0700
|
||||
.entropy
|
||||
..
|
||||
/set type=dir uname=root gname=wheel mode=0755
|
||||
bin
|
||||
..
|
||||
boot
|
||||
|
@ -24,6 +24,10 @@
|
||||
..
|
||||
..
|
||||
db mode=0755
|
||||
/set type=dir uname=operator gname=operator mode=0700
|
||||
entropy
|
||||
..
|
||||
/set type=dir uname=root gname=wheel
|
||||
pkg mode=0755
|
||||
..
|
||||
..
|
||||
|
87
etc/rc
87
etc/rc
@ -71,6 +71,13 @@ elif [ -r /etc/rc.conf ]; then
|
||||
. /etc/rc.conf
|
||||
fi
|
||||
|
||||
feed_dev_random() {
|
||||
if [ -f "${1}" -a -r "${1}" -a -s "${1}" ]; then
|
||||
echo "Using ${1} as an entropy file"
|
||||
cat "${1}" | dd of=/dev/random bs=8k 2>/dev/null
|
||||
fi
|
||||
}
|
||||
|
||||
chkdepend() {
|
||||
svc=$1
|
||||
svc_var=$2
|
||||
@ -100,15 +107,15 @@ chkdepend NFS nfs_server_enable portmap portmap_enable
|
||||
chkdepend NIS nis_server_enable portmap portmap_enable
|
||||
chkdepend NIS nis_client_enable portmap portmap_enable
|
||||
|
||||
# First pass at entropy recovery so the rebooting /dev/random can reseed.
|
||||
# First pass at reseeding /dev/random.
|
||||
#
|
||||
feed_dev_random() {
|
||||
if [ -f "${1}" -a -r "${1}" -a -s "${1}" ]; then
|
||||
echo "Using ${1} as an entropy file"
|
||||
cat ${1} > /dev/random 2> /dev/random &&
|
||||
entropy_reseeded=yes
|
||||
fi
|
||||
}
|
||||
# XXX temporary until we can get the entropy
|
||||
# harvesting rate up
|
||||
# Entropy below is not great,
|
||||
# but better than nothing.
|
||||
( ps -efauxww; sysctl -a; date; df -ib; dmesg; ps -efauxww; ) \
|
||||
| dd of=/dev/random bs=8k 2>/dev/null
|
||||
cat /bin/ls | dd of=/dev/random bs=8k 2>/dev/null
|
||||
|
||||
case ${entropy_file} in
|
||||
[Nn][Oo] | '')
|
||||
@ -120,21 +127,6 @@ case ${entropy_file} in
|
||||
;;
|
||||
esac
|
||||
|
||||
case ${entropy_dir} in
|
||||
[Nn][Oo])
|
||||
;;
|
||||
*)
|
||||
entropy_dir=${entropy_dir:-/.entropy}
|
||||
if [ -d "${entropy_dir}" ]; then
|
||||
if [ -w /dev/random ]; then
|
||||
for seedfile in ${entropy_dir}/*; do
|
||||
feed_dev_random "${seedfile}"
|
||||
done
|
||||
fi
|
||||
fi
|
||||
;;
|
||||
esac
|
||||
|
||||
# Configure ccd devices.
|
||||
#
|
||||
if [ -r /etc/ccd.conf ]; then
|
||||
@ -224,44 +216,31 @@ if [ -n "${diskless_mount}" -a -r "${diskless_mount}" ]; then
|
||||
sh ${diskless_mount}
|
||||
fi
|
||||
|
||||
# Second attempt at reseeding, if needed.
|
||||
#
|
||||
case ${entropy_reseeded} in
|
||||
yes)
|
||||
# Reseed /dev/random with previously stored entropy.
|
||||
case ${entropy_dir} in
|
||||
[Nn][Oo])
|
||||
;;
|
||||
*)
|
||||
case ${entropy_file} in
|
||||
[Nn][Oo] | '')
|
||||
;;
|
||||
*)
|
||||
entropy_dir=${entropy_dir:-/var/db/entropy}
|
||||
if [ -d "${entropy_dir}" ]; then
|
||||
if [ -w /dev/random ]; then
|
||||
if [ -f "${entropy_file}" -a -r "${entropy_file}" -a \
|
||||
-s "${entropy_file}" ]; then
|
||||
feed_dev_random "${entropy_file}"
|
||||
elif [ "${entropy_file}" != /var/db/entropy -a \
|
||||
-f /var/db/entropy -a -r /var/db/entropy -a \
|
||||
-s /var/db/entropy ]; then
|
||||
feed_dev_random /var/db/entropy
|
||||
else
|
||||
echo "Can't use ${entropy_file} as an entropy file, trying other sources"
|
||||
# XXX temporary until we can get the entropy
|
||||
# harvesting rate up
|
||||
# Entropy below is not great,
|
||||
# but better than nothing.
|
||||
(ps -gauxwww; sysctl -a;
|
||||
dmesg) | /bin/dd of=/dev/random bs=8k 2>/dev/null
|
||||
( for i in /etc /var/run ; do
|
||||
cd $i ; ls -al ; cat *
|
||||
done ) | /bin/dd of=/dev/random bs=8k 2>/dev/null
|
||||
fi
|
||||
for seedfile in ${entropy_dir}/*; do
|
||||
feed_dev_random "${seedfile}"
|
||||
done
|
||||
fi
|
||||
;;
|
||||
esac
|
||||
fi
|
||||
;;
|
||||
esac
|
||||
|
||||
# Remove these to prevent problems on future reboots
|
||||
rm -f "${entropy_file}" /var/db/entropy
|
||||
case ${entropy_file} in
|
||||
[Nn][Oo] | '')
|
||||
;;
|
||||
*)
|
||||
if [ -w /dev/random ]; then
|
||||
feed_dev_random "${entropy_file}"
|
||||
fi
|
||||
;;
|
||||
esac
|
||||
|
||||
adjkerntz -i
|
||||
|
||||
|
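Review bot: The reseed loop `for seedfile in ${entropy_dir}/*; do feed_dev_random "${seedfile}"; done` and the later `feed_dev_random "${entropy_file}"` leave the seed files in place, and nothing visible in this section writes a fresh seed after they are used. The `rm -f "${entropy_file}" /var/db/entropy` line appears to be on the removed side, since `/var/db/entropy` is now a directory, though the rendering has lost the +/- markers. If so, two boots with no save-entropy run in between (now up to 11 minutes) feed /dev/random the same stored bytes, on top of the largely predictable `ps`/`sysctl`/`dmesg`/`/bin/ls` input added before the disks are mounted. I would at least document this beside the loop, e.g. `# NOTE: seed files are replayed unchanged until save-entropy next runs; do not credit them as fresh entropy`, and consider refreshing the saved seed once during boot right after it is consumed.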
@ -29,6 +29,8 @@
|
||||
# This script is called by cron to store bits of randomness which are
|
||||
# then used to seed /dev/random on boot.
|
||||
|
||||
# Originally developed by Doug Barton, DougB@FreeBSD.org
|
||||
|
||||
PATH=/bin:/usr/bin
|
||||
|
||||
# If there is a global system configuration file, suck it in.
|
||||
@ -45,33 +47,41 @@ case ${entropy_dir} in
|
||||
exit 0
|
||||
;;
|
||||
*)
|
||||
entropy_dir=${entropy_dir:-/.entropy}
|
||||
entropy_dir=${entropy_dir:-/var/db/entropy}
|
||||
;;
|
||||
esac
|
||||
|
||||
entropy_save_sz=${entropy_save_sz:-2048}
|
||||
entropy_save_num=${entropy_save_num:-8}
|
||||
entropy_save_jot=$(($entropy_save_num - 1))
|
||||
|
||||
if [ ! -d "${entropy_dir}" ]; then
|
||||
umask 077
|
||||
mkdir "${entropy_dir}" || {
|
||||
logger -is The entropy directory "${entropy_dir}" does not \
|
||||
logger -is -t "$0" The entropy directory "${entropy_dir}" does not \
|
||||
exist, and cannot be created. Therefore no entropy can be saved. ;
|
||||
exit 1;}
|
||||
/usr/sbin/chown operator:operator "${entropy_dir}"
|
||||
chmod 0700 "${entropy_dir}"
|
||||
fi
|
||||
|
||||
rm -f "${entropy_dir}/saved-entropy.${entropy_save_num}"
|
||||
|
||||
umask 377
|
||||
|
||||
for file_num in `jot ${entropy_save_jot} ${entropy_save_jot} 1`; do
|
||||
if [ -f "${entropy_dir}/saved-entropy.${file_num}" ]; then
|
||||
new_num=$(($file_num + 1))
|
||||
mv "${entropy_dir}/saved-entropy.${file_num}" \
|
||||
"${entropy_dir}/saved-entropy.${new_num}"
|
||||
for file_num in `jot ${entropy_save_num} ${entropy_save_num} 1`; do
|
||||
if [ -e "${entropy_dir}/saved-entropy.${file_num}" ]; then
|
||||
if [ -f "${entropy_dir}/saved-entropy.${file_num}" ]; then
|
||||
new_num=$(($file_num + 1))
|
||||
if [ "${new_num}" -gt "${entropy_save_num}" ]; then
|
||||
rm -f "${entropy_dir}/saved-entropy.${file_num}"
|
||||
else
|
||||
mv "${entropy_dir}/saved-entropy.${file_num}" \
|
||||
"${entropy_dir}/saved-entropy.${new_num}"
|
||||
fi
|
||||
else
|
||||
logger -is -t "$0" \
|
||||
"${entropy_dir}/saved-entropy.${file_num} is not a regular file, and therefore \
|
||||
it will not be rotated. Entropy file harvesting is aborted."
|
||||
exit 1
|
||||
fi
|
||||
fi
|
||||
done
|
||||
|
||||
|
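Review bot: The new `-e` / `-f` pair in the rotation loop does not detect symbolic links, which is the case the commit message says it wants to guard against. `[ -f ]` follows a link, so a symlink to a regular file is rotated as if it were a seed file, and `[ -e ]` is false for a dangling link, so that entry is skipped without the log message or the `exit 1`. Testing the link itself closes both gaps: make the outer test `if [ -e "${entropy_dir}/saved-entropy.${file_num}" -o -L "${entropy_dir}/saved-entropy.${file_num}" ]; then` and the inner one `if [ -f "${entropy_dir}/saved-entropy.${file_num}" -a ! -L "${entropy_dir}/saved-entropy.${file_num}" ]; then`. The script continues past the `done` outside this hunk, presumably with the step that writes the new seed file; that write should be checked the same way.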