
Bug#923675: debian-installer: consider using haveged to gather entropy



Control: tag -1 patch pending

Hi,

Ben Hutchings <ben@decadent.org.uk> (2019-04-17):
> Ideally it would only be used if there isn't a hardware RNG available.
> Currently we don't include any hardware RNG modules in udebs, but that
> can be changed.  So please first check that:
> 
> * /sys/devices/virtual/misc/hw_random/rng_current is absent or
>   contains "none"
> * (x86 only) /proc/cpuinfo does not mention rdrand (I can't find an
>   arch-independent way to check for this, and Linux doesn't yet
>   support an equivalent feature on any other architecture)
> 
> Something like this should work:
> 
> if [ "$(cat /sys/devices/virtual/misc/hw_random/rng_current 2>/dev/null || echo none)" = none ] \
>    && ! grep -q '^flags\b.*\brdrand\b' /proc/cpuinfo; then
>     : # use software entropy daemon
> fi

Many thanks for your input and for the suggested implementation.

I've tweaked it a little so that we log whether haveged is available,
and whether it should be started, in case we need to investigate:
  https://salsa.debian.org/installer-team/rootskel/blob/master/src/lib/debian-installer-startup.d/S50entropy-source


I think I've tested all cases:
 - when haveged-udeb hasn't been added to src:debian-installer's
   pkg-lists yet;
 - with the default Skylake-Client in libvirt, which leads to an rdrand
   CPU flag;
 - with a core2duo CPU instead, which has no such flag;
 - with the same CPU, but with a VirtIO RNG enabled, and those extra
   kernel modules in my netboot-gtk image:
     lib/modules/4.19.0-4-amd64/kernel/drivers/char/hw_random/rng-core.ko
     lib/modules/4.19.0-4-amd64/kernel/drivers/char/hw_random/virtio-rng.ko
     lib/modules/4.19.0-4-amd64/kernel/drivers/virtio/virtio.ko
     lib/modules/4.19.0-4-amd64/kernel/drivers/virtio/virtio_ring.ko
   which leads to a virtio_rng.0 in …/hw_random/rng_current.


So I've just uploaded a new version of rootskel (1.129), and pushed a
new commit to debian-installer:
  https://salsa.debian.org/installer-team/debian-installer/commit/c470001925d067b42cdf613339634f4d54ed01b6

The haveged-udeb addition was already uploaded and also ACCEPTED from
NEW. I'll keep an eye on the daily builds.


Cheers,
-- 
Cyril Brulebois (kibi@debian.org)            <https://debamax.com/>
D-I release manager -- Release team member -- Freelance Consultant
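
The check discussed in this message, with logging of both haveged availability and the start decision, as an added example; it is not the S50entropy-source script or any code from this thread. The function names, log wording, return codes and the /usr/sbin/haveged default path are assumptions.

```shell
#!/bin/sh
# Added example, not the rootskel script. Paths are parameters so the
# decision can be exercised against constructed files.

# Prints "hwrng:<name>", "rdrand" or "none" (output format is an assumption).
entropy_source() {
    rng_current=${1:-/sys/devices/virtual/misc/hw_random/rng_current}
    cpuinfo=${2:-/proc/cpuinfo}

    # An absent file (no hw_random core loaded) counts the same as "none".
    current=$(cat "$rng_current" 2>/dev/null || echo none)
    if [ "$current" != none ]; then
        echo "hwrng:$current"
        return 0
    fi

    # x86 only: rdrand must appear as a whole word on a "flags" line.
    # POSIX classes are used instead of \b, which is not a POSIX construct.
    if grep -Eq '^flags[[:space:]]*:(.*[[:space:]])?rdrand([[:space:]]|$)' \
        "$cpuinfo" 2>/dev/null; then
        echo rdrand
        return 0
    fi
    echo none
}

# Returns 0: start haveged, 1: hardware source present, 2: haveged missing.
# Each outcome is logged to stderr so it can be investigated later.
should_start_haveged() {
    daemon=${3:-/usr/sbin/haveged}   # assumed install path
    src=$(entropy_source "$1" "$2")
    if [ ! -x "$daemon" ]; then
        echo "entropy: haveged not available (source: $src)" >&2
        return 2
    fi
    if [ "$src" = none ]; then
        echo "entropy: no hardware source found, starting haveged" >&2
        return 0
    fi
    echo "entropy: $src present, not starting haveged" >&2
    return 1
}
```

A startup script would call `should_start_haveged` with no arguments and launch the daemon only when it returns 0.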
