On 2015-11-26, Paul de Weerd <[email protected]> wrote:
> On Thu, Nov 26, 2015 at 01:30:51PM +0100, Marko Cupać wrote:
>
>| The reason why I am asking is the fact that I am preparing pcengines
>| apu box which needs to be read-only because of reduced sdcard wear but
>| also because it is going to be placed in remote environment with
>| frequent power outages (daily manual fscks expected if / is rw).

The wear isn't usually a huge problem imho. The fscks probably are though.

>| Also does the following modification to rc look reasonable (not a
>| patch file, I've just put "+" sign to make change more visible)?
>| 
>| random_seed()
>| {
>| +       # make / read-write in order to make next lines possible
>| +       /sbin/mount -uw /
>|         # push the old seed into the kernel
>|         dd if=/var/db/host.random of=/dev/random bs=65536 count=1
>| status=none chmod 600 /var/db/host.random
>|         # ... and create a future seed
>|         dd if=/dev/random of=/var/db/host.random bs=65536 count=1
>| status=none # and create a seed file for the boot-loader
>|         dd if=/dev/random of=/etc/random.seed bs=512 count=1 status=none
>|         chmod 600 /etc/random.seed
>| +       # make / read-only again
>| +       /sbin/mount -ur /
>| }
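
Review bot: the closing `/sbin/mount -ur /` is not checked, so if the downgrade fails the box keeps running with / read-write and the next power loss brings back the fsck that the read-only root was meant to avoid. Test its exit status and log a failure. The opening `/sbin/mount -uw /` needs the same check: if it fails, the write to `/etc/random.seed` (and to `/var/db/host.random`, if /var lives on /) fails too, and the next boot pushes the same old seed into the kernel again. Separately, as wrapped in the mail, `status=none` has landed on the line after two of the `dd` commands; it belongs at the end of the preceding `dd` line.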

If you're going that far, it may make more sense to dd it to/from a raw
partition saved just for the job, and not bother with a filesystem on
it.

> That's an option, but you'd need to carry that along yourself.  You're
> already in unsupported territory (with a ro /) but for your own sanity
> I'd recommend trying to keep such changes to a minimum: this will be
> overwritten when you upgrade and it becomes a maintenance burden.

That's needed anyway, even if you're just doing something as simple as
forcing fsck -y. And for this type of system you really do need something,
startup failure due to unclean shutdown is very common. So you're making
one change anyway...

> I'd recommend sticking something in rc.local or creating an @reboot
> cronjob that updates the /etc/random.seed.  May not be ideal (the
> entropy may not be very strong - I don't know if there is much
> difference between just after boot or just before shutdown in this
> regard), but at least it's easier to carry from release to release.

Yes, there will be much more at shutdown, as the entropy is fed from
many sources.

BTW it appears that neither the APU nor APU2 have RDRAND which might
otherwise mitigate this a bit.
