
Re: lack of boot-time entropy on arm64 ec2 instances



On Fri, Jan 17, 2020 at 02:32:22PM -0500, Noah Meyerhans wrote:
> On Thu, Jan 09, 2020 at 05:22:17PM -0500, Noah Meyerhans wrote:
> > I've confirmed that 4.19.87 with changes cherry-picked from 50ee7529ec45
> > claims to have entropy at boot:
> > 
> > admin@ip-172-31-49-239:~$ cloud-init analyze blame
> > -- Boot Record 01 --
> >      02.88900s (init-network/config-ssh)
> >      ...
> > 
> > The change applies cleanly to our kernel tree, so this would appear to
> > be a possible solution.
> > 
> > I've opened https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=948519
> > against the kernel to discuss the entropy issue in general, and will follow
> > up there with a proposal for getting this change backported.
> 
> The kernel team would prefer that any backport of 50ee7529ec45 to stable
> branches happen upstream, which is sensible.  I'll follow up with the
> stable kernel maintainers to see about making this happen, if they're
> willing.
> 
> In the meantime, regardless of where the backport happens, there's no
> possibility of getting this kernel change into 10.3.  So, I'd like to
> revisit my original proposal of adding haveged to the arm64 EC2 image
> configuration.  Haveged is used in debian-installer for buster (but not
> bullseye+, see below), so there is precedent for its use within Debian.
> IMO, this is the best option available in the short term.  It results in
> a far better user experience on the instances in question, and is a
> fairly unintrusive change to make.
> 
> Background on haveged in d-i:
> Haveged was added to d-i in commit c47000192 ("Add haveged-udeb [linux]
> to the pkg-lists/base") in response to bug #923675 and is used in
> buster.  More recently, with the addition of the in-kernel entropy
> collection mechanisms we've been discussing here, the removal of haveged
> has been proposed for bullseye.
> https://lists.debian.org/debian-boot/2019/11/msg00077.html  It has not
> yet been removed, though.
> 
> Similarly, I would expect that we would remove haveged from the
> generated buster images once the kernel's jitter-entropy
> collector is available for buster.

Thank you for the legwork on this. I agree that haveged is the way to
proceed at this point.

-- 
Luca Filipozzi
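A parser for the `cloud-init analyze blame` output quoted in the thread, flagging boot records whose config-ssh stage (where sshd host keys are generated and an entropy-starved instance stalls) ran longer than a threshold. This is an added example, not code from the thread or from cloud-init; the 30 s threshold and all records other than the first line of record 01 are constructed.

```python
import re

# Constructed sample in the format of `cloud-init analyze blame`. Record 01's
# config-ssh line is the value quoted in the thread (a healthy boot on the
# patched kernel); records 02 and 03 are made up to show a stalled boot.
SAMPLE_BLAME = """\
-- Boot Record 01 --
     02.88900s (init-network/config-ssh)
     00.41200s (init-network/config-users-groups)
-- Boot Record 02 --
     95.20300s (init-network/config-ssh)
     00.39800s (init-network/config-users-groups)
-- Boot Record 03 --
     01.10400s (init-network/config-ssh)
"""

RECORD_RE = re.compile(r"^-- Boot Record (\d+) --$")
STAGE_RE = re.compile(r"^\s*(\d+\.\d+)s \((\S+)\)$")


def parse_blame(text):
    """Return {record_number: {stage_name: seconds}} from blame output.

    Lines that match neither pattern (e.g. an elided "...") are skipped.
    """
    records, current = {}, None
    for line in text.splitlines():
        rec = RECORD_RE.match(line)
        if rec:
            current = int(rec.group(1))
            records[current] = {}
            continue
        stage = STAGE_RE.match(line)
        if stage and current is not None:
            records[current][stage.group(2)] = float(stage.group(1))
    return records


def entropy_starved_boots(text, stage="init-network/config-ssh", threshold=30.0):
    """Boot records where the given stage exceeded `threshold` seconds.

    The 30 s default is an assumed value for this example: host-key
    generation blocking on getrandom() is the symptom under discussion.
    """
    return sorted(rec for rec, stages in parse_blame(text).items()
                  if stages.get(stage, 0.0) > threshold)


if __name__ == "__main__":
    print("boots with slow config-ssh:", entropy_starved_boots(SAMPLE_BLAME))
```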

