On Tue, 2019-04-16 at 23:45 +0200, Cyril Brulebois wrote:
[...]
> My initial thought would be to launch it on demand when one is about to
> get to wget calls that need HTTPS; but we could probably benefit from
> it in case HTTP is requested but redirections to HTTPS happen… There
> are also the obvious keypair generations mentioned above. But then over
> time maybe some other operations could be needing entropy (the
> cryptsetup case is discussed in a separate thread[1]).
>
> 1. https://lists.debian.org/debian-boot/2019/04/msg00153.html
>
> So it might be best to start it unconditionally at start-up?
Ideally it would only be used if there isn't a hardware RNG available.
Currently we don't include any hardware RNG modules in udebs, but that
can be changed. So please first check that:
* /sys/devices/virtual/misc/hw_random/rng_current is absent or
contains "none"
* (x86 only) /proc/cpuinfo does not mention rdrand (I can't find an
arch-independent way to check for this, and Linux doesn't yet
support an equivalent feature on any other architecture)
Something like this should work:
if [ "$(cat /sys/devices/virtual/misc/hw_random/rng_current 2>/dev/null || echo none)" = none ] \
   && ! grep -q '^flags\b.*\brdrand\b' /proc/cpuinfo; then
    # use software entropy daemon
fi
Ben.
--
Ben Hutchings
Make three consecutive correct guesses and you will be considered
an expert.
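The check from the reply above, as an added example that is not code from the mail or from debian-installer: wrapped in a POSIX sh function that takes the rng_current and cpuinfo paths as parameters so it can be run against constructed files, plus a demo over the cases the mail lists. Treating an empty rng_current like "none" is an assumption added here, not something the mail states.

```shell
#!/bin/sh
# need_sw_entropy RNG_CURRENT_PATH CPUINFO_PATH
# Exit status 0: no hardware RNG found, start the software entropy daemon.
# Exit status 1: a hardware source exists (hw_random driver bound, or rdrand).
need_sw_entropy() {
    cur=$(cat "$1" 2>/dev/null || echo none)
    # Added safeguard beyond the mail: treat an empty file like "none".
    [ -n "$cur" ] || cur=none
    # A hw_random driver is bound, so the kernel can feed the pool itself.
    [ "$cur" = none ] || return 1
    # x86 only: rdrand in the CPU flags also counts as a hardware source.
    grep -q '^flags\b.*\brdrand\b' "$2" 2>/dev/null && return 1
    return 0
}

# Constructed inputs (not captured from a real machine) covering the cases
# the mail lists; prints one line per combination.
demo() {
    d=$(mktemp -d) || return 2
    printf 'none\n' > "$d/rng_none"
    printf 'virtio_rng.0\n' > "$d/rng_virtio"
    printf 'processor\t: 0\nflags\t\t: fpu sse2 rdrand\n' > "$d/cpu_rdrand"
    printf 'processor\t: 0\nflags\t\t: fpu sse2\n' > "$d/cpu_plain"
    for rng in "$d/missing" "$d/rng_none" "$d/rng_virtio"; do
        for cpu in "$d/cpu_plain" "$d/cpu_rdrand"; do
            if need_sw_entropy "$rng" "$cpu"; then r=software; else r=hardware; fi
            printf '%s %s -> %s\n' "${rng##*/}" "${cpu##*/}" "$r"
        done
    done
    rm -rf "$d"
}
demo
```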