From mboxrd@z Thu Jan 1 00:00:00 1970 Return-path: Received: from mout.kundenserver.de ([212.227.126.187]) by metis.ext.pengutronix.de with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.84_2) (envelope-from ) id 1dT2r1-0002PE-Jq for ptxdist@pengutronix.de; Thu, 06 Jul 2017 11:13:43 +0200 Received: from idefix.home.lespocky.de ([80.129.193.252]) by mrelayeu.kundenserver.de (mreue005 [212.227.15.167]) with ESMTPSA (Nemesis) id 0M5tNd-1ddXKa34K9-00xpNh for ; Thu, 06 Jul 2017 11:13:37 +0200 Received: from falbala.home.lespocky.de ([192.168.243.94]) by idefix.home.lespocky.de with esmtpsa (TLSv1:DHE-RSA-AES256-SHA:256) (Exim 4.82) (envelope-from ) id 1dT2qm-0005fR-KZ for ptxdist@pengutronix.de; Thu, 06 Jul 2017 11:13:37 +0200 Date: Thu, 6 Jul 2017 11:13:26 +0200 From: Alexander Dahl Message-ID: <20170706091326.GD27745@falbala.home.lespocky.de> References: <20170629214926.2295-1-r.schwebel@pengutronix.de> <20170630071917.GF27745@falbala.home.lespocky.de> <20170630121607.sgwh5z7njnhaliid@pengutronix.de> MIME-Version: 1.0 In-Reply-To: <20170630121607.sgwh5z7njnhaliid@pengutronix.de> Subject: Re: [ptxdist] [PATCH] haveged: add entropy daemon List-Id: PTXdist Development Mailing List List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: ptxdist@pengutronix.de Content-Type: multipart/mixed; boundary="===============0176883444==" Errors-To: ptxdist-bounces@pengutronix.de Sender: "ptxdist" To: ptxdist@pengutronix.de --===============0176883444== Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="RHnfto7yGd+QdmRl" Content-Disposition: inline --RHnfto7yGd+QdmRl Content-Type: text/plain; charset=iso-8859-1 Content-Disposition: inline Content-Transfer-Encoding: quoted-printable Hello, On Fri, Jun 30, 2017 at 02:16:07PM +0200, Michael Olbrich wrote: > On Fri, Jun 30, 2017 at 09:19:18AM +0200, Alexander Dahl wrote: > > Besides: is there any way to have this random generator stuff > > certainly ready before generating dropbear keys (rc-once)? >=20 > I think /dev/random and getrandom() can block until then. Something could > be built on top of that. However you need to be careful: This may block a > very long time on an idle embedded system. I had a look into dropbearkey now. As far as I understand the code, dropbear just uses /dev/urandom, but tries to feed some entropy into it before doing anything with randomness. The "documentation" in default_options.h suggests /dev/random is used for keygen, but I think it's wrong (our outdated) and only non blocking randomness is used. dropbear can use prngd or egd, but no hint in the code on haveged. The only thing I found on dropbear profiting from haveged is an old ticket in the OpenWRT bugtracker, but they just do the "hopefully wait long enough" thing. [1] So I guess to improve this situation someone may have to talk to upstream dropbear to discuss some possibilies? Greets Alex [1] https://dev.openwrt.org/ticket/9631 --=20 =BBWith the first link, the chain is forged. The first speech censured,=20 the first thought forbidden, the first freedom denied, chains us all=20 irrevocably.=AB (Jean-Luc Picard, quoting Judge Aaron Satie) *** GnuPG-FP: C28E E6B9 0263 95CF 8FAF 08FA 34AD CD00 7221 5CC6 *** --RHnfto7yGd+QdmRl Content-Type: application/pgp-signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iQIcBAABCAAGBQJZXf82AAoJEDStzQByIVzG7RkP/joTF+Qe9RYkDs3jDIV+iH3M w0O/1W7piU2InEKtJNOyEjeZFToVM/GcMtOrnxfynlxrbXSAivlyVZ7SH9oRzEHd cdaomcL0keNfwZQuD6gXjClvzy1K/lX25U3IDEa41bUJLuRJd4GeP+7JfPaWY42s 9DW2hC/ksVA/2iAldlzc2DezNSr1XetMQ67Unfqq95riwtHLDW0aI+A8Uw4k9NTX YV9HPtwe4CmcRVG+MgZ1Uofx8RUOEc7M32cOmH4pEiMLKtclX89DvVCKb8igKw2M Goi8vUKa3tcZB9FhDamcxb5kspe9mgg+GstBd+CmXQnYl0BXPKAVm3iJt4+WEqbf XhxO8ETg6HmnECoIdN9TWeh+kj9CAt1grGxZV5lLHSngWp1mrgFkx3JuatbaTimc vmhQGP3ocqbFu0QI8fW/kVflvxHZvk3d1U5vUmd6DDT5MQuGiI+Zr4JkHnw3Ls7m RU/4wikkfhAUy5ROlT4eEK/38d7ObS35jCpwERQjPmauet0QsXcwReCTKkKXiXse e0bX83Kw+txZNJyLfQL1YJHt/KiWncZxl3ynikvYhZSprYVsUpum5NUYwpGz3BlD ZUXrOnj2tEJlm9K4OJ867IUHMMX1xhq/a6921v1twAf72mvfmtfhcY3/jQYHCyga +ehW3UeKOy16lmM2miVy =Xyom -----END PGP SIGNATURE----- --RHnfto7yGd+QdmRl-- --===============0176883444== Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: base64 Content-Disposition: inline X19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX18KcHR4ZGlzdCBt YWlsaW5nIGxpc3QKcHR4ZGlzdEBwZW5ndXRyb25peC5kZQ== --===============0176883444==--