
Re: Stretch => Buster: Entropy during boot



	Hi.

On Fri, Oct 16, 2020 at 03:49:27PM +0300, Andrei POPESCU wrote:
> On Vi, 16 oct 20, 12:28:13, Jesper Dybdal wrote:
> > The Buster release notes warn about a possibly insufficient entropy source
> > during boot and recommends installing "haveged" on systems with that
> > problem.
> > 
> > I run a few Stretch systems on old processors that do not support the RDRAND
> > instruction.
> > 
> > Can I simply install "haveged" on the Stretch systems *before* the upgrade
> > to Buster to avoid problems during the upgrade?
> 
> Short version: I wouldn't bother unless it's a problem in practice.

Some may consider a rebooted server that does not answer over SSH a problem.


> In my understanding using haveged is less secure than "real" entropy.

That's correct. The only source of entropy haveged considers is
PRNG-based. You need a good and proper hardware random number generator,
or, if you trust the NSA, at least that Intel RDRAND instruction.


> The lack of entropy is mostly an issue for systems you access via SSH 
> with very few other things "going on".

Or you have LVM2 configured. Or you're using encryption.
Or it's a web or e-mail server. Let's not disregard a VPN server.

There are many ways a server can consume entropy, some of which are
applicable to desktops too, of course.


> E.g. a PINE A64 did exhibit some problems with a minimal buster install 
> and no or very limited connections.

On Exynos 5422 that "problem" (rather, whoever thought it was a good
idea to add the getrandom syscall to libc) adds 30 seconds to every boot
just because LVM2 needs some good random numbers for some transcendent
reason.


> They disappeared as soon as I connected more stuff to it (ethernet,
> USB HDD rack, etc.) because the kernel can use any kind of activity as
> a source of entropy.

It can help with SSH I suppose. It surely cannot help if you're blocked
at initramfs (see above).


> If you have local access to the system simply pressing keys on the 
> keyboard will provide entropy and eventually allow the system to reach 
> the login prompt.

Surely you agree that if you have many servers such a workaround is
tedious at best.

Reco
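The points argued in this reply (getrandom(2) blocking in the initramfs until the kernel's pool is initialised, and RDRAND being the only fallback on CPUs that have it) can be checked on a running Linux box. The following probe is an added example written for this thread; it is not code from the list, from Debian, from LVM2 or from haveged. It uses the standard glibc getrandom() wrapper with GRND_NONBLOCK to ask whether a blocking call would stall right now, reads the kernel's entropy estimate from /proc, and scans /proc/cpuinfo for the rdrand flag. The cpuinfo "flags" line passed to the parser in main() is constructed sample input; the /proc paths and the flag name are the real Linux ones.

```c
/* Added example for this thread (not list, Debian, LVM2 or haveged code).
 * Probes the three things the thread argues about on a Linux host:
 *  1. whether getrandom(2) would block right now (GRND_NONBLOCK -> EAGAIN),
 *     which is exactly what stalls LVM2/cryptsetup in the initramfs;
 *  2. how much entropy the kernel currently credits to its pool;
 *  3. whether the CPU advertises RDRAND in /proc/cpuinfo.
 * Assumes Linux with glibc >= 2.25 (sys/random.h); the flags line in
 * main() is constructed sample input for the parser. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/random.h>

/* 1 if the kernel CRNG is initialised (a blocking getrandom() would
 * return at once), 0 if it would block, -1 if the syscall is missing
 * or failed for some other reason. */
int crng_ready(void)
{
    unsigned char byte;
    ssize_t n = getrandom(&byte, sizeof byte, GRND_NONBLOCK);
    if (n == (ssize_t)sizeof byte)
        return 1;
    if (n < 0 && errno == EAGAIN)
        return 0;   /* pool not initialised: this is the boot-time stall */
    return -1;
}

/* Kernel's current entropy estimate, or -1 if the file is unreadable. */
long entropy_avail(void)
{
    FILE *f = fopen("/proc/sys/kernel/random/entropy_avail", "r");
    long v;
    if (!f)
        return -1;
    if (fscanf(f, "%ld", &v) != 1)
        v = -1;
    fclose(f);
    return v;
}

/* 1 if `flag` appears as a whole word in a cpuinfo "flags" line, else 0.
 * Whole-word matching matters: "rdrand" must not match "rdrandx". */
int cpuinfo_has_flag(const char *flags_line, const char *flag)
{
    const char *p = flags_line;
    size_t len = strlen(flag);
    while ((p = strstr(p, flag)) != NULL) {
        int start_ok = (p == flags_line) || p[-1] == ' ' ||
                       p[-1] == ':' || p[-1] == '\t';
        int end_ok = p[len] == '\0' || p[len] == ' ' || p[len] == '\n';
        if (start_ok && end_ok)
            return 1;
        p += len;
    }
    return 0;
}

/* Scans the first "flags" line of /proc/cpuinfo for `flag`. Returns 1/0,
 * or -1 if /proc/cpuinfo cannot be opened. Non-x86 kernels print no
 * "flags" line at all, which correctly yields 0 (no RDRAND there). */
int cpu_has_flag(const char *flag)
{
    FILE *f = fopen("/proc/cpuinfo", "r");
    char line[4096];
    int found = 0;
    if (!f)
        return -1;
    while (fgets(line, sizeof line, f)) {
        if (strncmp(line, "flags", 5) == 0) {
            found = cpuinfo_has_flag(line, flag);
            break;
        }
    }
    fclose(f);
    return found;
}

int main(void)
{
    /* constructed sample line, not read from this machine */
    const char *sample = "flags\t\t: fpu vme de pse tsc msr pae rdrand\n";
    int ready = crng_ready();
    printf("getrandom() would %s\n",
           ready == 1 ? "return immediately" :
           ready == 0 ? "BLOCK (CRNG not initialised)" :
                        "fail (no getrandom on this system?)");
    printf("entropy_avail = %ld\n", entropy_avail());
    printf("this CPU advertises rdrand: %d\n", cpu_has_flag("rdrand"));
    printf("constructed sample line lists rdrand: %d\n",
           cpuinfo_has_flag(sample, "rdrand"));
    return 0;
}
```

Run it early in boot (e.g. from a oneshot unit or an initramfs hook) on a box that suffers the stall described above: crng_ready() returning 0 is the condition under which LVM2's call would hang, and it is what haveged or a hardware RNG is being installed to shorten. On a long-running server it should always print 1.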

