Re: Stretch => Buster: Entropy during boot
Hi.
On Fri, Oct 16, 2020 at 03:49:27PM +0300, Andrei POPESCU wrote:
> On Vi, 16 oct 20, 12:28:13, Jesper Dybdal wrote:
> > The Buster release notes warn about a possibly insufficient entropy source
> > during boot and recommend installing "haveged" on systems with that
> > problem.
> >
> > I run a few Stretch systems on old processors that do not support the RDRAND
> > instruction.
> >
> > Can I simply install "haveged" on the Stretch systems *before* the upgrade
> > to Buster to avoid problems during the upgrade?
>
> Short version: I wouldn't bother unless it's a problem in practice.
Some may consider a rebooted server that does not answer by SSH a problem.
> In my understanding using haveged is less secure than "real" entropy.
It's correct. The only source of entropy haveged considers is
PRNG-based. You need a good and proper hardware random number generator,
or, if you trust NSA - at least that RDRAND Intel instruction.
> The lack of entropy is mostly an issue for systems you access via SSH
> with very few other things "going on".
Or you have LVM2 configured. Or you're using encryption.
Or it's the web or e-mail server. Let's not disregard a VPN server.
There are many ways a server can consume entropy, and some of them
apply to desktops of course.
> E.g. a PINE A64 did exhibit some problems with a minimal buster install
> and no or very limited connections.
On Exynos 5422 that "problem" (rather, whoever thought it was a good
idea to add the getrand syscall to libc) adds 30 seconds to every boot just
because LVM2 needs some good random numbers for some transcendent
reason.
> They disappeared as soon as I connected more stuff to it (ethernet,
> USB HDD rack, etc.) because the kernel can use any kind of activity as
> a source of entropy.
It can help with SSH I suppose. It surely cannot help if you're blocked
at initramfs (see above).
> If you have local access to the system simply pressing keys on the
> keyboard will provide entropy and eventually allow the system to reach
> the login prompt.
Surely you agree that if you have many servers such a workaround is
tedious at best.
Reco
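The 30-second stall Reco describes is getrandom(2) blocking until the kernel's CRNG is seeded. This added C probe (not from the thread) asks the kernel the same question without blocking: GRND_NONBLOCK makes getrandom fail with EAGAIN instead of waiting, so a pre-upgrade check or an init script can tell whether a box would hang in initramfs. It assumes Linux with a glibc that ships sys/random.h.

```c
/* Added example: probe whether getrandom(2) would block right now,
 * i.e. whether the kernel CRNG is seeded. Not code from the thread. */
#include <errno.h>
#include <stdio.h>
#include <sys/random.h>
#include <unistd.h>

/* 1 = CRNG seeded (getrandom returns at once), 0 = call would block
 * (EAGAIN under GRND_NONBLOCK), -1 = some other error. */
int crng_ready(void)
{
    unsigned char buf[16];
    ssize_t n = getrandom(buf, sizeof buf, GRND_NONBLOCK);
    if (n == (ssize_t)sizeof buf)
        return 1;
    if (n < 0 && errno == EAGAIN)
        return 0;
    return -1;
}

/* Kernel's own estimate of the input pool, from
 * /proc/sys/kernel/random/entropy_avail; -1 if unreadable. */
long entropy_avail(void)
{
    FILE *f = fopen("/proc/sys/kernel/random/entropy_avail", "r");
    long v = -1;
    if (f) {
        if (fscanf(f, "%ld", &v) != 1)
            v = -1;
        fclose(f);
    }
    return v;
}

int main(void)
{
    int ready = crng_ready();
    printf("crng seeded: %s\n",
           ready == 1 ? "yes" :
           ready == 0 ? "no (getrandom would block)" : "unknown");
    printf("entropy_avail: %ld\n", entropy_avail());
    /* Non-zero exit lets a boot-time script notice a box that would stall. */
    return ready == 1 ? 0 : 1;
}
```

On a freshly booted system without RDRAND or haveged, run it from an early unit to see how long the "no" state lasts; once it reports "yes", LVM2 and sshd would not block either.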