GNU bug report logs -
#29725
[PATCH 2/2] services: urandom-seed: Try using a HWRNG to seed the Linux CRNG at boot.
Previous Next
Reported by: Leo Famulari <leo <at> famulari.name>
Date: Fri, 15 Dec 2017 20:19:02 UTC
Severity: normal
Tags: patch
Done: Leo Famulari <leo <at> famulari.name>
Bug is archived. No further changes may be made.
Full log
View this message in rfc822 format
Leo Famulari <leo <at> famulari.name> skribis:
> * gnu/services/base.scm (urandom-seed-shepherd-service): Try to read from
> '/dev/hwrng' at boot, as a supplement to any saved random seed.
> * doc/guix.texi (Base Services): Document the new feature.
Overall LGTM!
> + ;; Try writing from /dev/hwrng into /dev/urandom.
> + ;; It seems that the file '/dev/hwrng' always exists, even
> + ;; when there is no hardware random number generator
> + ;; available. So, we handle any errors caused by a failed
> + ;; read.
> + (when (file-exists? "/dev/hwrng")
> + (call-with-input-file "/dev/hwrng"
> + (lambda (hwrng)
> + (let ((buf (make-bytevector 512)))
> + (catch #t
> + (lambda ()
> + (get-bytevector-n! hwrng buf 0 512))
> + ;; Silence is golden...
> + (lambda _ (const #f)))
> + (call-with-output-file "/dev/urandom"
> + (lambda (urandom)
> + (put-bytevector urandom buf)))))))
If we fail to read from /dev/hwrng we may end up writing zeros to
/dev/urandom (because ‘buf’ is left uninitialized).
To address that, perhaps this could be formulated like this:
(let ((buf (catch 'system-error
(lambda ()
(call-with-input-file "/dev/hwrng"
(lambda (port)
(get-bytevector-n port 512))))
(const #f))))
(when buf
(call-with-output-file "/dev/urandom"
(lambda (urandom)
(put-bytevector urandom buf)))))
This also removes the need for the ‘file-exists?’ call.
WDYT?
Thanks,
Ludo’.
This bug report was last modified 7 years and 215 days ago.
Previous Next
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.