
Bug#923675: debian-installer: consider using haveged to gather entropy



Control: retitle -1 debian-installer: consider using haveged to gather entropy

Cyril Brulebois <kibi@debian.org> (2019-04-16):
> The former was on my list of things to try; thanks for mentioning the
> latter.

I'm no cryptographer so I cannot judge haveged from that angle.

But from a /proc/sys/kernel/random/entropy_avail standpoint, starting
the haveged daemon inside d-i, a couple of screens after the graphical
installer start-up, I'm getting a bump from ~150 to ~2500.

This needs to be polished before submitting the addition of haveged-udeb
and of course proper integration needs to happen, with real tests… For
wget, we're hitting #926315, but it was luckily closed a couple hours
ago; arm devices that need so much time to generate a keypair should get
a nice improvement…


My initial thought would be to launch it on demand when one is about to
get to wget calls that need HTTPS; but we could probably benefit from
it in case HTTP is requested but redirections to HTTPS happen… There
are also the obvious keypair generations mentioned above. But then over
time maybe some other operations could be needing entropy (the
cryptsetup case is discussed in a separate thread[1]).

 1. https://lists.debian.org/debian-boot/2019/04/msg00153.html

So it might be best to start it unconditionally at start-up?


Cheers,
-- 
Cyril Brulebois (kibi@debian.org)            <https://debamax.com/>
D-I release manager -- Release team member -- Freelance Consultant
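
The "launch it on demand" option discussed in the message above, as an added example that is not part of the original message and is not debian-installer code: a POSIX sh gate that reads the kernel's entropy estimate, starts the daemon only when the estimate is low, and then waits for it to rise. The function names, the `ENTROPY_MIN` threshold and the `POLL_INTERVAL` variable are assumptions of this sketch.

```shell
#!/bin/sh
# Added example (not d-i code). All three settings are overridable so the
# logic can be exercised against a constructed file and a stub command.
ENTROPY_FILE="${ENTROPY_FILE:-/proc/sys/kernel/random/entropy_avail}"
ENTROPY_MIN="${ENTROPY_MIN:-1000}"   # hypothetical threshold, not from the page
START_CMD="${START_CMD:-haveged}"    # assumed to return once the daemon has forked

# Print the current estimate; print 0 if the file is unreadable or not a number,
# so a broken read is treated as "no entropy" rather than as "plenty".
entropy_now() {
    val=$(cat "$ENTROPY_FILE" 2>/dev/null) || val=0
    case "$val" in
        ''|*[!0-9]*) val=0 ;;
    esac
    echo "$val"
}

# ensure_entropy [TRIES]
#   0: estimate is at or above ENTROPY_MIN (daemon not started if it already was)
#   1: daemon was started but the estimate stayed low after TRIES polls
#   2: START_CMD itself failed
# Call it right before an entropy-hungry step (HTTPS fetch, keypair generation).
ensure_entropy() {
    tries="${1:-10}"
    if [ "$(entropy_now)" -ge "$ENTROPY_MIN" ]; then
        return 0
    fi
    $START_CMD || return 2
    while [ "$tries" -gt 0 ]; do
        if [ "$(entropy_now)" -ge "$ENTROPY_MIN" ]; then
            return 0
        fi
        tries=$((tries - 1))
        sleep "${POLL_INTERVAL:-1}"
    done
    return 1
}
```

Starting the daemon unconditionally at start-up, the other option raised in the message, removes the need for this gate but leaves the daemon running even when no later step needs it.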
