Re: lack of boot-time entropy on arm64 ec2 instances
On Thu, Jan 09, 2020 at 05:22:17PM -0500, Noah Meyerhans wrote:
> I've confirmed that 4.19.87 with changes cherry-picked from 50ee7529ec45
> claims to have entropy at boot:
>
> admin@ip-172-31-49-239:~$ cloud-init analyze blame
> -- Boot Record 01 --
> 02.88900s (init-network/config-ssh)
> ...
>
> The change applies cleanly to our kernel tree, so this would appear to
> be a possible solution.
>
> I've opened https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=948519
> against the kernel discuss the entropy issue in general, and will follow
> up there with a proposal for getting this change backported.
The kernel team would prefer that any backport of 50ee7529ec45 to stable
branches happen upstream, which is sensible. I'll follow up with the
stable kernel maintainers to see about making this happen, if they're
willing.
In the mean time, regardless of where the backport happens, there's no
possibility of getting this kernel change into 10.3. So, I'd like to
revisit my original proposal of adding haveged to the arm64 EC2 image
configuration. Haveged is used in debian-installer for buster (but not
bullseye+, see below), so there is precident for its use within Debian.
IMO, this is the best option available in the short term. It results in
a far better user experience on the instances in question, and is a
fairly unintrusive change to make.
Background on haveged in d-i:
Haveged was added to d-i in commit c47000192 ("Add haveged-udeb [linux]
to the pkg-lists/base") in response to bug #923675 and is used in
buster. More recently, with the addition of the in-kernel entropy
collection mechanisms we've been discussing here, the removal of haveged
has been proposed for bullseye.
https://lists.debian.org/debian-boot/2019/11/msg00077.html It has not
yet been removed, though.
Similarly, I would expect that we would remove haveged from the
generated buster images once the kernel's entropy jitter-entropy
collector is available for buster.
noah
Reply to: