
Bug#923675: debian-installer: consider using haveged to gather entropy

On 2019/04/16 23:45, Cyril Brulebois wrote:
> I'm no cryptographer so I cannot judge haveged from that angle.

Ditto here, but...

> But from a /proc/sys/kernel/random/entropy_avail standpoint, starting
> the haveged daemon inside d-i, a couple of screens after the graphical
> installer start-up, I'm getting a bump from ~150 to ~2500.
> 
> This needs to be polished before submitting the addition of haveged-udeb
> and of course proper integration needs to happen, with real tests… For
> wget, we're hitting #926315, but it was luckily closed a couple hours
> ago; arm devices that need so much time to generate a keypair should get
> a nice improvement…

Yeah, debian-live was unusable without haveged (as in, some sessions
wouldn't start up for hours unless users pounded on the keyboard for a
while). Some people quickly get hand-wavy about haveged, but it seems
like the theory of how it works is reasonably solid and I really tried
to find evidence of it being harmful or not generating enough randomness
in typical use cases, but couldn't find anything, so we went ahead and
included it in the live media and it seems to work for us there.

Debian's official documentation probably just needs a section explaining
what haveged is and that if someone needs to create a mass amount of
keys for commercial applications or such then it's really recommended
that they get a decent hardware RNG or use an external service to seed that.

-Jonathan
