Hi.

On Fri, Oct 16, 2020 at 03:49:27PM +0300, Andrei POPESCU wrote:
> On Vi, 16 oct 20, 12:28:13, Jesper Dybdal wrote:
> > The Buster release notes warn about a possibly insufficient entropy source
> > during boot and recommend installing "haveged" on systems with that
> > problem.
> >
> > I run a few Stretch systems on old processors that do not support the RDRAND
> > instruction.
> >
> > Can I simply install "haveged" on the Stretch systems *before* the upgrade
> > to Buster to avoid problems during the upgrade?
>
> Short version: I wouldn't bother unless it's a problem in practice.

Some may consider a rebooted server that does not answer by SSH a problem.

> In my understanding using haveged is less secure than "real" entropy.

It's correct. The only source of entropy haveged considers is PRNG-based.
You need a good and proper hardware random number generator, or, if you
trust NSA - at least that RDRAND Intel instruction.

> The lack of entropy is mostly an issue for systems you access via SSH
> with very few other things "going on".

Or you have an LVM2 configured. Or you're using the encryption. Or it's the
web- or e-mail server. Let's not disregard a VPN server.
There are many ways a server can consume entropy, some of them are
applicable for the desktops of course.

> E.g. a PINE A64 did exhibit some problems with a minimal buster install
> and no or very limited connections.

On Exynos 5422 that "problem" (rather - whoever thought it was a good idea
to add getrand syscall to libc) adds 30 seconds to every boot just because
LVM2 needs some good random numbers for some transcendent reason.

> They disappeared as soon as I connected more stuff to it (ethernet,
> USB HDD rack, etc.) because the kernel can use any kind of activity as
> a source of entropy.

It can help with SSH I suppose. It surely cannot help if you're blocked at
initramfs (see above).

> If you have local access to the system simply pressing keys on the
> keyboard will provide entropy and eventually allow the system to reach
> the login prompt.

Surely you agree that if you have many servers such a workaround is tedious
at best.

Reco
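A defender-side check prompted by the thread above, added here as an example and not code from the thread or from Debian: it gathers the facts the discussion turns on (RDRAND in /proc/cpuinfo, the kernel pool level, whether haveged or rngd runs, and whether dm-crypt or LVM2 will need random numbers in the initramfs) and gives a verdict for one host. The "starved"/"low" thresholds and the file-path arguments are this example's own assumptions.

```sh
#!/bin/sh
# Added example, not code from the thread: audit a Debian host's entropy situation
# before the Stretch -> Buster upgrade. Each check takes file paths, so it can run
# against captured copies of /proc files as well as the live system. Thresholds
# (below 128 bits "starved", below a quarter of the pool "low") are this example's
# own choice, not a kernel or Debian rule.

# Does the CPU advertise RDRAND?  $1 = /proc/cpuinfo
cpu_has_rdrand() {
    grep -Eq '^flags[[:space:]]*:.*[[:space:]]rdrand([[:space:]]|$)' "$1"
}

# Classify the kernel pool: prints starved, low or ok.
# $1 = .../random/entropy_avail  $2 = .../random/poolsize
entropy_state() {
    avail=$(cat "$1"); size=$(cat "$2")
    if [ "$avail" -lt 128 ]; then echo starved
    elif [ $((avail * 4)) -lt "$size" ]; then echo low
    else echo ok
    fi
}

# Is haveged or rngd (rng-tools) running?  $1 = saved output of "ps -eo comm="
entropy_daemon_running() {
    grep -Eq '^(haveged|rngd)$' "$1"
}

# Early-boot consumers named in the thread: dm-crypt and LVM2 in the initramfs.
# $1 = /etc/crypttab  $2 = saved output of "lvs --noheadings" (empty if no LVs)
early_consumers() {
    found=""
    grep -Eq '^[[:space:]]*[^#[:space:]]' "$1" 2>/dev/null && found="dm-crypt"
    [ -s "$2" ] && found="${found:+$found,}lvm2"
    echo "${found:-none}"
}

# Verdict: covered (RDRAND or a daemon), install-haveged, or watch.
verdict() {  # $1 cpuinfo $2 entropy_avail $3 poolsize $4 ps $5 crypttab $6 lvs
    if cpu_has_rdrand "$1" || entropy_daemon_running "$4"; then echo covered; return 0; fi
    if [ "$(entropy_state "$2" "$3")" != ok ] || [ "$(early_consumers "$5" "$6")" != none ]
    then echo install-haveged; else echo watch; fi
}

# Live run on the host itself:  sh entropy-audit.sh --live
case "${1:-}" in --live)
    ps -eo comm= >"/tmp/ps.$$"; lvs --noheadings >"/tmp/lvs.$$" 2>/dev/null || :
    verdict /proc/cpuinfo /proc/sys/kernel/random/entropy_avail \
        /proc/sys/kernel/random/poolsize "/tmp/ps.$$" /etc/crypttab "/tmp/lvs.$$"
    rm -f "/tmp/ps.$$" "/tmp/lvs.$$" ;;
esac
```

A "covered" verdict only says the kernel has a hardware or daemon source; it does not judge the quality of haveged's output, which is the point Reco raises above.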