unofficial mirror of bug-guix@gnu.org 
 help / color / mirror / code / Atom feed
* bug#23605: /dev/urandom not seeded across reboots
@ 2016-05-23 17:58 Leo Famulari
  2016-05-24  7:05 ` Taylan Ulrich Bayırlı/Kammer
                   ` (2 more replies)
  0 siblings, 3 replies; 26+ messages in thread
From: Leo Famulari @ 2016-05-23 17:58 UTC (permalink / raw)
  To: 23605

[-- Attachment #1: Type: text/plain, Size: 1391 bytes --]

I realized that we don't seem to be saving any of the entropy in the
kernel's random pool [0] across reboots.

This means that for some period after boot, /dev/urandom may not be safe
to use. From random(4):

---
If  a seed file is saved across reboots as recommended below (all major
Linux distributions have done this since 2000 at least),
[/dev/urandom's] output is cryptographically  secure against  attackers
without  local  root access as soon as it is reloaded in the boot
sequence, and perfectly adequate for network encryption session  keys.
---

I interpret that text to mean that, without use of a seed file,
urandom's output is *not* adequate for network encryption session keys
(SSH, TLS, etc) until enough entropy has been gathered. I don't know how
long that takes.

I've attached my not-yet-working attempt at a urandom-seed-service. I
tried to get it working on my own but I need the assistance of some more
experienced Guix hackers :)

I've also attached a stand-alone Guile script to illustrate what the
effect of the service should be. This script does seem to work. I'm sure
the use of shell tools could be replaced by Guile.

After applying my patch and attempting `guix system vm ...`, I get the
attached backtrace.

Does anyone have advice about the service? Am I wrong that we need to
seed /dev/urandom to make it work properly?

[0] See the man page for random(4).

[-- Attachment #2: random.scm --]
[-- Type: text/plain, Size: 1315 bytes --]

;;; Carry some entropy across reboots. Adapted from examples in random(4).

;;; We assume Linux >= 2.6, where the poolsize is always 4096 bits (according to
;;; random(4). Otherwise, the example in random(4) reads the 'poolsize' file and
;;; creates a seed of equal size.

;;; This should be run during system shutdown.  It saves some random state as a
;;; seed for /dev/urandom, to be used on the next boot.
(define (urandom-shutdown seed)
  (touch seed)
  (chmod seed #o600)
  (write-seed seed))

;;; This should be run at boot, before starting anything that needs random
;;; numbers (sshd, TLS server, etc).
(define (urandom-boot seed)
  (and (if (file-exists? seed)
         (zero? (system (string-append "cat " seed " > /dev/urandom")))
         (touch seed))
       (chmod seed #o600)
       (write-seed seed)))

;;; On Debian, '/var/lib/urandom/random-seed'.
;;; random(4) suggests '/var/run/random-seed'.
(define seed "/tmp/random-seed")

(define (write-seed seed)
    (zero? (system* "dd" "if=/dev/urandom" (string-append "of=" seed)
                    "count=1" "bs=512"))) ;; If Linux is not >= 2.6, then 'bs'
                                          ;; must be calculated as shown in
                                          ;; random(4).

(define (touch file)
  (close-port (open-file file "a0b")))

[-- Attachment #3: urandom-seed.patch --]
[-- Type: text/x-diff, Size: 3184 bytes --]

diff --git a/gnu/services/base.scm b/gnu/services/base.scm
index 96bf8da..4a85ed0 100644
--- a/gnu/services/base.scm
+++ b/gnu/services/base.scm
@@ -32,7 +32,7 @@
   #:use-module ((gnu packages linux)
                 #:select (eudev kbd e2fsprogs lvm2 fuse alsa-utils crda gpm))
   #:use-module ((gnu packages base)
-                #:select (canonical-package glibc))
+                #:select (canonical-package glibc coreutils)) ; coreutils for `dd`, `cat`.
   #:use-module (gnu packages package-management)
   #:use-module (gnu packages lsh)
   #:use-module (gnu packages lsof)
@@ -93,6 +93,8 @@
             gpm-service-type
             gpm-service
 
+            urandom-seed-service
+
             %base-services))
 
 ;;; Commentary:
@@ -1200,6 +1202,47 @@ extra rules from the packages listed in @var{rules}."
   "Return a service that uses @var{device} as a swap device."
   (service swap-service-type device))
 
+(define %urandom-seed-activation
+  ;; Activation gexp for the urandom seed
+  #~(begin
+      (use-modules (guix build utils))
+
+      (mkdir-p "/var/run")
+      (close-port (open-file "/var/run/urandom-seed" "a0b"))
+      (chmod "/var/run/urandom-seed" #o600)))
+
+(define (urandom-seed-shepherd-service)
+  "Return a shepherd service for the /dev/urandom seed."
+  (list (shepherd-service
+         (documentation "Preserve entropy across reboots for /dev/urandom.")
+         (provision '(urandom-seed))
+         (requirement '(user-processes)) ; whatever provides file-system /var
+         (start #~(lambda _
+                    (exec-command
+                      (zero?
+                        (system (string-append "cat "
+                                               "/var/run/urandom-seed"
+                                               " > /dev/urandom"))))))
+         (stop #~(lambda _
+                   (exec-command
+                     (zero?
+                       (system* "dd" "if=/dev/urandom"
+                                (string-append "of=" "/var/run/urandom-seed")
+                                "count=1" "bs=512"))))))))
+
+(define urandom-seed-service-type
+  (service-type (name 'urandom-seed)
+                (extensions
+                 (list (service-extension shepherd-root-service-type
+                                          urandom-seed-shepherd-service)
+                       (service-extension activation-service-type
+                                          (const %urandom-seed-activation))
+                       ;; Add urandom-seed to the system profile
+                       ;; Where is profile-service-type defined?
+                       (service-extension profile-service-type list)))))
+
+(define (urandom-seed-service)
+  (service urandom-seed-service-type '()))
 
 (define-record-type* <gpm-configuration>
   gpm-configuration make-gpm-configuration gpm-configuration?
@@ -1281,6 +1324,7 @@ This is the GNU operating system, welcome!\n\n")))
           (static-networking-service "lo" "127.0.0.1"
                                      #:provision '(loopback))
           (syslog-service)
+          (urandom-seed-service)
           (guix-service)
           (nscd-service)
 

[-- Attachment #4: backtrace --]
[-- Type: text/plain, Size: 1571 bytes --]

$ ./pre-inst-env guix system vm --no-grafts ~/work/guix/doc/os-config-bare-bones.texi 
Backtrace:
In ice-9/boot-9.scm:
1724: 19 [%start-stack load-stack ...]
1729: 18 [#<procedure 1503ea0 ()>]
In unknown file:
   ?: 17 [primitive-load "/home/leo/work/guix/scripts/guix"]
In guix/ui.scm:
1197: 16 [run-guix-command system "vm" ...]
In ice-9/boot-9.scm:
 157: 15 [catch srfi-34 #<procedure 3fa0880 at guix/ui.scm:421:2 ()> ...]
 157: 14 [catch system-error ...]
In guix/scripts/system.scm:
 882: 13 [#<procedure 3ed9210 at guix/scripts/system.scm:874:2 ()>]
 788: 12 [process-action vm # #]
In guix/store.scm:
1163: 11 [run-with-store # ...]
In guix/scripts/system.scm:
 800: 10 [#<procedure 46827e0 at guix/scripts/system.scm:792:8 (state)> #]
 564: 9 [perform-action vm # # ...]
In gnu/system/vm.scm:
 496: 8 [system-qemu-image/shared-store-script # # # ...]
In gnu/system.scm:
 601: 7 [operating-system-derivation # # #f]
In gnu/services.scm:
 573: 6 [loop #]
In srfi/srfi-1.scm:
 578: 5 [map #<procedure loop (sink)> (# # #)]
In gnu/services.scm:
 573: 4 [loop #<<service> type: # parameters: #>]
In srfi/srfi-1.scm:
 578: 3 [map #<procedure loop (sink)> (# # #)]
In gnu/services.scm:
 573: 2 [loop #<<service> type: # parameters: ()>]
In srfi/srfi-1.scm:
 578: 1 [map #<procedure 50635e0 at gnu/services.scm:562:4 (service)> (# # # # ...)]
In ice-9/eval.scm:
 416: 0 [urandom-seed-shepherd-service ()]

ice-9/eval.scm:416:20: In procedure urandom-seed-shepherd-service:
ice-9/eval.scm:416:20: Wrong number of arguments to #<procedure urandom-seed-shepherd-service ()>

^ permalink raw reply related	[flat|nested] 26+ messages in thread

* bug#23605: /dev/urandom not seeded across reboots
  2016-05-23 17:58 bug#23605: /dev/urandom not seeded across reboots Leo Famulari
@ 2016-05-24  7:05 ` Taylan Ulrich Bayırlı/Kammer
  2016-05-24 16:16   ` Leo Famulari
  2016-05-24 12:24 ` Ludovic Courtès
  2016-05-28  1:05 ` Leo Famulari
  2 siblings, 1 reply; 26+ messages in thread
From: Taylan Ulrich Bayırlı/Kammer @ 2016-05-24  7:05 UTC (permalink / raw)
  To: Leo Famulari; +Cc: 23605

Leo Famulari <leo@famulari.name> writes:

> I realized that we don't seem to be saving any of the entropy in the
> kernel's random pool [0] across reboots.
>
> This means that for some period after boot, /dev/urandom may not be safe
> to use. From random(4):
>
> ---
> If  a seed file is saved across reboots as recommended below (all major
> Linux distributions have done this since 2000 at least),
> [/dev/urandom's] output is cryptographically  secure against  attackers
> without  local  root access as soon as it is reloaded in the boot
> sequence, and perfectly adequate for network encryption session  keys.
> ---
>
> I interpret that text to mean that, without use of a seed file,
> urandom's output is *not* adequate for network encryption session keys
> (SSH, TLS, etc) until enough entropy has been gathered. I don't know how
> long that takes.
>
> I've attached my not-yet-working attempt at a urandom-seed-service. I
> tried to get it working on my own but I need the assistance of some more
> experienced Guix hackers :)
>
> I've also attached a stand-alone Guile script to illustrate what the
> effect of the service should be. This script does seem to work. I'm sure
> the use of shell tools could be replaced by Guile.
>
> After applying my patch and attempting `guix system vm ...`, I get the
> attached backtrace.
>
> Does anyone have advice about the service? Am I wrong that we need to
> seed /dev/urandom to make it work properly?
>
> [0] See the man page for random(4).

Yes, this is necessary under Linux if you want urandom to be random
enough immediately after boot, and all the distros do it as part of
their init.

There's also an interesting implication here about the very first time
you boot the system and don't have a urandom seed file from the last
shutdown yet.  I don't know how this is typically handled, given that
for instance it's quite possible that a user might generate SSH keys
shortly after their first boot of a system.

I heard BSD kernels are smarter: /dev/random and urandom are the same
file and behave as follows: after boot, until there's enough entropy,
they block (behave like Linux /dev/random), and once there's enough
entropy they never block (behave like Linux /dev/urandom).  No idea how
the Hurd does it.

Taylan

^ permalink raw reply	[flat|nested] 26+ messages in thread

* bug#23605: /dev/urandom not seeded across reboots
  2016-05-23 17:58 bug#23605: /dev/urandom not seeded across reboots Leo Famulari
  2016-05-24  7:05 ` Taylan Ulrich Bayırlı/Kammer
@ 2016-05-24 12:24 ` Ludovic Courtès
  2016-05-25 16:38   ` Leo Famulari
  2016-05-28  1:12   ` Leo Famulari
  2016-05-28  1:05 ` Leo Famulari
  2 siblings, 2 replies; 26+ messages in thread
From: Ludovic Courtès @ 2016-05-24 12:24 UTC (permalink / raw)
  To: Leo Famulari; +Cc: 23605

Leo Famulari <leo@famulari.name> skribis:

> I realized that we don't seem to be saving any of the entropy in the
> kernel's random pool [0] across reboots.
>
> This means that for some period after boot, /dev/urandom may not be safe
> to use. From random(4):

Good catch!

Some comments:

> +(define %urandom-seed-activation
> +  ;; Activation gexp for the urandom seed
> +  #~(begin
> +      (use-modules (guix build utils))
> +
> +      (mkdir-p "/var/run")
> +      (close-port (open-file "/var/run/urandom-seed" "a0b"))

Or simply ‘open-output-file’.

Maybe do:

  (define %random-seed-file
    "/var/run/random-seed")

to avoid repeating the file name everywhere.

> +         (start #~(lambda _
> +                    (exec-command
> +                      (zero?
> +                        (system (string-append "cat "
> +                                               "/var/run/urandom-seed"
> +                                               " > /dev/urandom"))))))

Instead of spawning ‘cat’, we can do:

  (when (file-exists? #$%random-seed-file)
    (call-with-input-file #$%random-seed-file
      (lambda (seed)
        (call-with-output-file "/dev/urandom"
          (lambda (random)
            (dump-port seed random))))))
  #t   ;service successfully “started”

> +         (stop #~(lambda _
> +                   (exec-command
> +                     (zero?
> +                       (system* "dd" "if=/dev/urandom"
> +                                (string-append "of=" "/var/run/urandom-seed")
> +                                "count=1" "bs=512"))))))))

Likewise, I would suggest using:

  (let ((buf (make-bytevector 512)))
    (call-with-input-file "/dev/urandom"
      (lambda (random)
        (get-bytevector-n! random buf 512)))
    …)

Thanks for looking into it!

Ludo’.

^ permalink raw reply	[flat|nested] 26+ messages in thread

* bug#23605: /dev/urandom not seeded across reboots
  2016-05-24  7:05 ` Taylan Ulrich Bayırlı/Kammer
@ 2016-05-24 16:16   ` Leo Famulari
  2016-05-24 16:26     ` Thompson, David
  0 siblings, 1 reply; 26+ messages in thread
From: Leo Famulari @ 2016-05-24 16:16 UTC (permalink / raw)
  To: Taylan Ulrich Bayırlı/Kammer; +Cc: 23605

On Tue, May 24, 2016 at 09:05:21AM +0200, Taylan Ulrich Bayırlı/Kammer wrote:
> Leo Famulari <leo@famulari.name> writes:
> > Does anyone have advice about the service? Am I wrong that we need to
> > seed /dev/urandom to make it work properly?
> 
> Yes, this is necessary under Linux if you want urandom to be random
> enough immediately after boot, and all the distros do it as part of
> their init.
> 
> There's also an interesting implication here about the very first time
> you boot the system and don't have a urandom seed file from the last
> shutdown yet.  I don't know how this is typically handled, given that
> for instance it's quite possible that a user might generate SSH keys
> shortly after their first boot of a system.

When I boot a GuixSD VM for the first time [0], it requires me to dance
on the keyboard until it has collected ~200 bits of entropy. I assumed
this is to properly bootstrap the CSPRNG in /dev/urandom, but I'm not
sure.

[0] I don't remember if I had to do this on bare metal.

^ permalink raw reply	[flat|nested] 26+ messages in thread

* bug#23605: /dev/urandom not seeded across reboots
  2016-05-24 16:16   ` Leo Famulari
@ 2016-05-24 16:26     ` Thompson, David
  2016-05-24 17:23       ` Leo Famulari
  2016-05-25 21:53       ` Ludovic Courtès
  0 siblings, 2 replies; 26+ messages in thread
From: Thompson, David @ 2016-05-24 16:26 UTC (permalink / raw)
  To: Leo Famulari; +Cc: 23605

On Tue, May 24, 2016 at 12:16 PM, Leo Famulari <leo@famulari.name> wrote:
> On Tue, May 24, 2016 at 09:05:21AM +0200, Taylan Ulrich Bayırlı/Kammer wrote:
>> Leo Famulari <leo@famulari.name> writes:
>> > Does anyone have advice about the service? Am I wrong that we need to
>> > seed /dev/urandom to make it work properly?
>>
>> Yes, this is necessary under Linux if you want urandom to be random
>> enough immediately after boot, and all the distros do it as part of
>> their init.
>>
>> There's also an interesting implication here about the very first time
>> you boot the system and don't have a urandom seed file from the last
>> shutdown yet.  I don't know how this is typically handled, given that
>> for instance it's quite possible that a user might generate SSH keys
>> shortly after their first boot of a system.
>
> When I boot a GuixSD VM for the first time [0], it requires me to dance
> on the keyboard until it has collected ~200 bits of entropy. I assumed
> this is to properly bootstrap the CSPRNG in /dev/urandom, but I'm not
> sure.

This is just an annoying feature of GNU lsh.  I want to switch my
machines to OpenSSH sometime, partly due to this.

- Dave

^ permalink raw reply	[flat|nested] 26+ messages in thread

* bug#23605: /dev/urandom not seeded across reboots
  2016-05-24 16:26     ` Thompson, David
@ 2016-05-24 17:23       ` Leo Famulari
  2016-05-24 17:29         ` Thompson, David
  2016-05-25 21:53       ` Ludovic Courtès
  1 sibling, 1 reply; 26+ messages in thread
From: Leo Famulari @ 2016-05-24 17:23 UTC (permalink / raw)
  To: Thompson, David; +Cc: 23605

On Tue, May 24, 2016 at 12:26:29PM -0400, Thompson, David wrote:
> On Tue, May 24, 2016 at 12:16 PM, Leo Famulari <leo@famulari.name> wrote:
> > On Tue, May 24, 2016 at 09:05:21AM +0200, Taylan Ulrich Bayırlı/Kammer wrote:
> >> Leo Famulari <leo@famulari.name> writes:
> >> > Does anyone have advice about the service? Am I wrong that we need to
> >> > seed /dev/urandom to make it work properly?
> >>
> >> Yes, this is necessary under Linux if you want urandom to be random
> >> enough immediately after boot, and all the distros do it as part of
> >> their init.
> >>
> >> There's also an interesting implication here about the very first time
> >> you boot the system and don't have a urandom seed file from the last
> >> shutdown yet.  I don't know how this is typically handled, given that
> >> for instance it's quite possible that a user might generate SSH keys
> >> shortly after their first boot of a system.
> >
> > When I boot a GuixSD VM for the first time [0], it requires me to dance
> > on the keyboard until it has collected ~200 bits of entropy. I assumed
> > this is to properly bootstrap the CSPRNG in /dev/urandom, but I'm not
> > sure.
> 
> This is just an annoying feature of GNU lsh.  I want to switch my
> machines to OpenSSH sometime, partly due to this.

Well, it seems that this feature might be protecting us against using
weak SSH session keys on first boot, if it's doing what I think it's
doing...

^ permalink raw reply	[flat|nested] 26+ messages in thread

* bug#23605: /dev/urandom not seeded across reboots
  2016-05-24 17:23       ` Leo Famulari
@ 2016-05-24 17:29         ` Thompson, David
  0 siblings, 0 replies; 26+ messages in thread
From: Thompson, David @ 2016-05-24 17:29 UTC (permalink / raw)
  To: Leo Famulari; +Cc: 23605

On Tue, May 24, 2016 at 1:23 PM, Leo Famulari <leo@famulari.name> wrote:
> On Tue, May 24, 2016 at 12:26:29PM -0400, Thompson, David wrote:
>> On Tue, May 24, 2016 at 12:16 PM, Leo Famulari <leo@famulari.name> wrote:
>> > On Tue, May 24, 2016 at 09:05:21AM +0200, Taylan Ulrich Bayırlı/Kammer wrote:
>> >> Leo Famulari <leo@famulari.name> writes:
>> >> > Does anyone have advice about the service? Am I wrong that we need to
>> >> > seed /dev/urandom to make it work properly?
>> >>
>> >> Yes, this is necessary under Linux if you want urandom to be random
>> >> enough immediately after boot, and all the distros do it as part of
>> >> their init.
>> >>
>> >> There's also an interesting implication here about the very first time
>> >> you boot the system and don't have a urandom seed file from the last
>> >> shutdown yet.  I don't know how this is typically handled, given that
>> >> for instance it's quite possible that a user might generate SSH keys
>> >> shortly after their first boot of a system.
>> >
>> > When I boot a GuixSD VM for the first time [0], it requires me to dance
>> > on the keyboard until it has collected ~200 bits of entropy. I assumed
>> > this is to properly bootstrap the CSPRNG in /dev/urandom, but I'm not
>> > sure.
>>
>> This is just an annoying feature of GNU lsh.  I want to switch my
>> machines to OpenSSH sometime, partly due to this.
>
> Well, it seems that this feature might be protecting us against using
> weak SSH session keys on first boot, if it's doing what I think it's
> doing...

It impedes automated provisioning of servers, which OpenSSH does not do.

- Dave

^ permalink raw reply	[flat|nested] 26+ messages in thread

* bug#23605: /dev/urandom not seeded across reboots
  2016-05-24 12:24 ` Ludovic Courtès
@ 2016-05-25 16:38   ` Leo Famulari
  2016-05-25 16:54     ` Ludovic Courtès
  2016-05-28  1:12   ` Leo Famulari
  1 sibling, 1 reply; 26+ messages in thread
From: Leo Famulari @ 2016-05-25 16:38 UTC (permalink / raw)
  To: Ludovic Courtès; +Cc: 23605

[-- Attachment #1: Type: text/plain, Size: 1796 bytes --]

On Tue, May 24, 2016 at 02:24:59PM +0200, Ludovic Courtès wrote:
> Leo Famulari <leo@famulari.name> skribis:
> > +      (mkdir-p "/var/run")
> > +      (close-port (open-file "/var/run/urandom-seed" "a0b"))
> 
> Or simply ‘open-output-file’.

Done in the attached diff.

> Maybe do:
> 
>   (define %random-seed-file
>     "/var/run/random-seed")

Done.

> > +         (start #~(lambda _
> > +                    (exec-command
> > +                      (zero?
> > +                        (system (string-append "cat "
> > +                                               "/var/run/urandom-seed"
> > +                                               " > /dev/urandom"))))))
> 
> Instead of spawning ‘cat’, we can do:
> 
>   (when (file-exists? #$%random-seed-file)
>     (call-with-input-file #$%random-seed-file
>       (lambda (seed)
>         (call-with-output-file "/dev/urandom"
>           (lambda (random)
>             (dump-port seed random))))))
>   #t   ;service successfully “started”

I think I've done this correctly, as attached, but I can't test it yet
since I still get an error: "service: Wrong number of arguments in form
(service urandom-seed-service-type)".

> > +         (stop #~(lambda _
> > +                   (exec-command
> > +                     (zero?
> > +                       (system* "dd" "if=/dev/urandom"
> > +                                (string-append "of=" "/var/run/urandom-seed")
> > +                                "count=1" "bs=512"))))))))
> 
> Likewise, I would suggest using:
> 
>   (let ((buf (make-bytevector 512)))
>     (call-with-input-file "/dev/urandom"
>       (lambda (random)
>         (get-bytevector-n! random buf 512)))
>     …)

I tried to fill in the …, but again, I'm struggling here :p

More advice requested! :)

[-- Attachment #2: urandom-seed-service.patch --]
[-- Type: text/x-diff, Size: 3074 bytes --]

diff --git a/gnu/services/base.scm b/gnu/services/base.scm
index 96bf8da..b26fee1 100644
--- a/gnu/services/base.scm
+++ b/gnu/services/base.scm
@@ -93,6 +93,8 @@
             gpm-service-type
             gpm-service
 
+            urandom-seed-service
+
             %base-services))
 
 ;;; Commentary:
@@ -1200,6 +1202,55 @@ extra rules from the packages listed in @var{rules}."
   "Return a service that uses @var{device} as a swap device."
   (service swap-service-type device))
 
+(define %random-seed-file
+  "/var/run/random-seed")
+
+(define %urandom-seed-activation
+  ;; Activation gexp for the urandom seed
+  #~(begin
+      (use-modules (guix build utils))
+
+      (mkdir-p (dirname %random-seed-file))
+      (close-port (open-output-file %random-seed-file))
+      (chmod %random-seed-file #o600)))
+
+(define (urandom-seed-shepherd-service)
+  "Return a shepherd service for the /dev/urandom seed."
+  (list (shepherd-service
+         (documentation "Preserve entropy across reboots for /dev/urandom.")
+         (provision '(urandom-seed))
+         (requirement '(user-processes)) ; whatever provides file-system /var
+         (start #~(lambda _
+                    (when (file-exists? #$%random-seed-file)
+                      (call-with-input-file #$%random-seed-file
+                        (lambda (seed)
+                          (call-with-output-file "/dev/urandom"
+                            (lambda (urandom)
+                              (dump-port seed urandom))))))
+                    #t))
+         (stop #~(lambda _
+                   (let ((buf (make-bytevector 512)))
+                     (call-with-input-file "/dev/urandom"
+                       (lambda (urandom)
+                         (get-bytevector-n! urandom buf 0 512)
+                           (call-with-output-file #$%random-seed-file
+                             (lambda (seed)
+                               (dump-port buf seed)))
+                       #t))))))))
+
+(define urandom-seed-service-type
+  (service-type (name 'urandom-seed)
+                (extensions
+                 (list (service-extension shepherd-root-service-type
+                                          urandom-seed-shepherd-service)
+                       (service-extension activation-service-type
+                                          (const %urandom-seed-activation))
+                       ;; Add urandom-seed to the system profile
+                       ;; Where is profile-service-type defined?
+                       (service-extension profile-service-type list)))))
+
+(define (urandom-seed-service)
+  (service urandom-seed-service-type))
 
 (define-record-type* <gpm-configuration>
   gpm-configuration make-gpm-configuration gpm-configuration?
@@ -1281,6 +1332,7 @@ This is the GNU operating system, welcome!\n\n")))
           (static-networking-service "lo" "127.0.0.1"
                                      #:provision '(loopback))
           (syslog-service)
+          (urandom-seed-service)
           (guix-service)
           (nscd-service)
 

[-- Attachment #3: backtrace --]
[-- Type: text/plain, Size: 691 bytes --]

$ ./pre-inst-env guix system vm --no-substitutes ~/work/guix/doc/os-config-bare-bones.texi                                                                                 ;;; note: source file /home/leo/work/guix/gnu/services/base.scm
;;;       newer than compiled /home/leo/work/guix/gnu/services/base.go
;;; note: source file /home/leo/work/guix/gnu/services/base.scm
;;;       newer than compiled /home/leo/.cache/guile/ccache/2.0-LE-8-2.0/home/leo/work/guix/gnu/services/base.scm.go
ice-9/psyntax.scm:1422:32: In procedure expand-macro:
ice-9/psyntax.scm:1422:32: Syntax error:
gnu/services/base.scm:1253:2: service: Wrong number of arguments in form (service urandom-seed-service-type)

^ permalink raw reply related	[flat|nested] 26+ messages in thread

* bug#23605: /dev/urandom not seeded across reboots
  2016-05-25 16:38   ` Leo Famulari
@ 2016-05-25 16:54     ` Ludovic Courtès
  2016-05-26 16:47       ` Leo Famulari
  0 siblings, 1 reply; 26+ messages in thread
From: Ludovic Courtès @ 2016-05-25 16:54 UTC (permalink / raw)
  To: Leo Famulari; +Cc: 23605

Leo Famulari <leo@famulari.name> skribis:

> On Tue, May 24, 2016 at 02:24:59PM +0200, Ludovic Courtès wrote:

[...]

>> Instead of spawning ‘cat’, we can do:
>> 
>>   (when (file-exists? #$%random-seed-file)
>>     (call-with-input-file #$%random-seed-file
>>       (lambda (seed)
>>         (call-with-output-file "/dev/urandom"
>>           (lambda (random)
>>             (dump-port seed random))))))
>>   #t   ;service successfully “started”
>
> I think I've done this correctly, as attached, but I can't test it yet
> since I still get an error: "service: Wrong number of arguments in form
> (service urandom-seed-service-type)".

Yes, it’s:

  (service TYPE VALUE)

but I think there’s no meaningful value for this service, so you could
do:

  (service urandom-seed-service-type #f)

[...]

> +(define (urandom-seed-shepherd-service)
> +  "Return a shepherd service for the /dev/urandom seed."
> +  (list (shepherd-service
> +         (documentation "Preserve entropy across reboots for /dev/urandom.")

I think you’ll need to specify that additional modules are needed (for
‘make-bytevector’, ‘put-bytevector’, etc.):

  (shepherd-service
    ;; …
    (modules `((rnrs bytevectors)
               (rnrs io ports)
               ,@%default-modules)))

(See (gnu services shepherd) for the definition of ‘%default-modules’.)

> +         (stop #~(lambda _
> +                   (let ((buf (make-bytevector 512)))
> +                     (call-with-input-file "/dev/urandom"
> +                       (lambda (urandom)
> +                         (get-bytevector-n! urandom buf 0 512)
> +                           (call-with-output-file #$%random-seed-file
                             ^^
Misleading indent here.

> +                             (lambda (seed)
> +                               (dump-port buf seed)))

‘dump-port’ from (guix build utils) takes an input port as its 1st
argument, and an output port as its 2nd argument.  Here BUF is a
bytevector, not a port.

So instead, this should be:

  (lambda (seed)
    (put-bytevector seed buf))

Sounds like you’re pretty much there!  :-)

Thanks,
Ludo’.

^ permalink raw reply	[flat|nested] 26+ messages in thread

* bug#23605: /dev/urandom not seeded across reboots
  2016-05-24 16:26     ` Thompson, David
  2016-05-24 17:23       ` Leo Famulari
@ 2016-05-25 21:53       ` Ludovic Courtès
  1 sibling, 0 replies; 26+ messages in thread
From: Ludovic Courtès @ 2016-05-25 21:53 UTC (permalink / raw)
  To: Thompson, David; +Cc: 23605

"Thompson, David" <dthompson2@worcester.edu> skribis:

> On Tue, May 24, 2016 at 12:16 PM, Leo Famulari <leo@famulari.name> wrote:

[...]

>> When I boot a GuixSD VM for the first time [0], it requires me to dance
>> on the keyboard until it has collected ~200 bits of entropy. I assumed
>> this is to properly bootstrap the CSPRNG in /dev/urandom, but I'm not
>> sure.
>
> This is just an annoying feature of GNU lsh.  I want to switch my
> machines to OpenSSH sometime, partly due to this.

It’s actually ‘lsh-make-seed’ that does that (info "(lsh)
lsh-make-seed"), and it’s invoked from our ‘lsh-service’ when
#:initialize? is #t (the default).

It’s possible to set #:initialize? to #f, but then you still need to
create (or provide) the random seed at some point.  At the time people
felt that having it default to #t would be less surprising.

> It impedes automated provisioning of servers, which OpenSSH does not do.

Maybe OpenSSH assumes that the kernel-provided randomness is good
enough?

Ludo’.

^ permalink raw reply	[flat|nested] 26+ messages in thread

* bug#23605: /dev/urandom not seeded across reboots
  2016-05-25 16:54     ` Ludovic Courtès
@ 2016-05-26 16:47       ` Leo Famulari
  2016-05-28 13:57         ` Ludovic Courtès
  0 siblings, 1 reply; 26+ messages in thread
From: Leo Famulari @ 2016-05-26 16:47 UTC (permalink / raw)
  To: Ludovic Courtès; +Cc: 23605

[-- Attachment #1: Type: text/plain, Size: 950 bytes --]

On Wed, May 25, 2016 at 06:54:58PM +0200, Ludovic Courtès wrote:
> 
> Yes, it’s:
> 
>   (service TYPE VALUE)
> 
> but I think there’s no meaningful value for this service, so you could
> do:
> 
>   (service urandom-seed-service-type #f)

I'm struggling to make this work. Do I need to alter the definition of
urandom-seed-shepherd-service to accept the boolean?

With the attached diff, building a VM fails like this (full backtrace
attached):

[...]
 573: 2 [loop #<<service> type: # parameters: ()>]
In srfi/srfi-1.scm:
 578: 1 [map #<procedure 519cc20 at gnu/services.scm:562:4 (service)> (# # # # ...)]
In gnu/services/base.scm:
1217: 0 [urandom-seed-shepherd-service #f]

gnu/services/base.scm:1217:0: In procedure urandom-seed-shepherd-service:
gnu/services/base.scm:1217:0: Wrong number of arguments to #<procedure urandom-seed-shepherd-service ()>

> Sounds like you’re pretty much there!  :-)

Almost, I hope! Thanks for your help :)

[-- Attachment #2: backtrace --]
[-- Type: text/plain, Size: 1565 bytes --]

Backtrace:
In ice-9/boot-9.scm:
1724: 19 [%start-stack load-stack ...]
1729: 18 [#<procedure 151cea0 ()>]
In unknown file:
   ?: 17 [primitive-load "/home/leo/work/guix/scripts/guix"]
In guix/ui.scm:
1201: 16 [run-guix-command system "vm" "/home/leo/tmp/bare-bones.scm"]
In ice-9/boot-9.scm:
 157: 15 [catch srfi-34 #<procedure 31d2e20 at guix/ui.scm:425:2 ()> ...]
 157: 14 [catch system-error ...]
In guix/scripts/system.scm:
 882: 13 [#<procedure 3f1f7b0 at guix/scripts/system.scm:874:2 ()>]
 788: 12 [process-action vm ("/home/leo/tmp/bare-bones.scm") ...]
In guix/store.scm:
1163: 11 [run-with-store # ...]
In guix/scripts/system.scm:
 800: 10 [#<procedure 3f72660 at guix/scripts/system.scm:792:8 (state)> #]
 564: 9 [perform-action vm # # ...]
In gnu/system/vm.scm:
 496: 8 [system-qemu-image/shared-store-script # # # ...]
In gnu/system.scm:
 601: 7 [operating-system-derivation # # #f]
In gnu/services.scm:
 573: 6 [loop #]
In srfi/srfi-1.scm:
 578: 5 [map #<procedure loop (sink)> (# # #)]
In gnu/services.scm:
 573: 4 [loop #<<service> type: # parameters: #>]
In srfi/srfi-1.scm:
 578: 3 [map #<procedure loop (sink)> (# # #)]
In gnu/services.scm:
 573: 2 [loop #<<service> type: # parameters: ()>]
In srfi/srfi-1.scm:
 578: 1 [map #<procedure 2dbfcc0 at gnu/services.scm:562:4 (service)> (# # # # ...)]
In gnu/services/base.scm:
1217: 0 [urandom-seed-shepherd-service #f]

gnu/services/base.scm:1217:0: In procedure urandom-seed-shepherd-service:
gnu/services/base.scm:1217:0: Wrong number of arguments to #<procedure urandom-seed-shepherd-service ()>

[-- Attachment #3: urandom-seed-service.patch --]
[-- Type: text/x-diff, Size: 3019 bytes --]

diff --git a/gnu/services/base.scm b/gnu/services/base.scm
index 96bf8da..041768f 100644
--- a/gnu/services/base.scm
+++ b/gnu/services/base.scm
@@ -93,6 +93,8 @@
             gpm-service-type
             gpm-service
 
+            urandom-seed-service
+
             %base-services))
 
 ;;; Commentary:
@@ -1200,6 +1202,57 @@ extra rules from the packages listed in @var{rules}."
   "Return a service that uses @var{device} as a swap device."
   (service swap-service-type device))
 
+(define %random-seed-file
+  "/var/run/random-seed")
+
+(define %urandom-seed-activation
+  ;; Activation gexp for the urandom seed
+  #~(begin
+      (use-modules (guix build utils))
+
+      (mkdir-p (dirname %random-seed-file))
+      (close-port (open-output-file %random-seed-file))
+      (chmod %random-seed-file #o600)))
+
+(define (urandom-seed-shepherd-service)
+  "Return a shepherd service for the /dev/urandom seed."
+  (shepherd-service
+    (documentation "Preserve entropy across reboots for /dev/urandom.")
+    (provision '(urandom-seed))
+    (requirement '(user-processes)) ; whatever provides file-systems /var and /dev
+    (start #~(lambda _
+               (when (file-exists? #$%random-seed-file)
+                 (call-with-input-file #$%random-seed-file
+                   (lambda (seed)
+                     (call-with-output-file "/dev/urandom"
+                       (lambda (urandom)
+                         (dump-port seed urandom))))))
+               #t))
+    (stop #~(lambda _
+              (let ((buf (make-bytevector 512)))
+                (call-with-input-file "/dev/urandom"
+                  (lambda (urandom)
+                    (get-bytevector-n! urandom buf 0 512)
+                    (call-with-output-file #$%random-seed-file
+                      (lambda (seed)
+                        (put-bytevector seed buf)))
+                    #t)))))
+    (modules `((rnrs bytevectors)
+               (rnrs io ports)
+               ,@%default-modules))))
+
+(define urandom-seed-service-type
+  (service-type (name 'urandom-seed)
+                (extensions
+                 (list (service-extension shepherd-root-service-type
+                                          urandom-seed-shepherd-service)
+                       (service-extension activation-service-type
+                                          (const %urandom-seed-activation))
+                       ;; Add urandom-seed to the system profile
+                       (service-extension profile-service-type list)))))
+
+(define (urandom-seed-service)
+  (service urandom-seed-service-type #f))
 
 (define-record-type* <gpm-configuration>
   gpm-configuration make-gpm-configuration gpm-configuration?
@@ -1281,6 +1334,7 @@ This is the GNU operating system, welcome!\n\n")))
           (static-networking-service "lo" "127.0.0.1"
                                      #:provision '(loopback))
           (syslog-service)
+          (urandom-seed-service)
           (guix-service)
           (nscd-service)
 

^ permalink raw reply related	[flat|nested] 26+ messages in thread

* bug#23605: /dev/urandom not seeded across reboots
  2016-05-23 17:58 bug#23605: /dev/urandom not seeded across reboots Leo Famulari
  2016-05-24  7:05 ` Taylan Ulrich Bayırlı/Kammer
  2016-05-24 12:24 ` Ludovic Courtès
@ 2016-05-28  1:05 ` Leo Famulari
  2016-05-28  1:11   ` Ben Woodcroft
  2 siblings, 1 reply; 26+ messages in thread
From: Leo Famulari @ 2016-05-28  1:05 UTC (permalink / raw)
  To: 23605

[-- Attachment #1: Type: text/plain, Size: 1096 bytes --]

Okay, I finally have some code that works! (attached)

I tested it by using `inotifywait -m /dev/urandom` [0] to see that
/dev/urandom was indeed being open and closed for writing when running
`herd {start, stop} urandom-seed`. If you can suggest a way to see
exactly what is being written to /dev/urandom, I would like to verify it
more fully.

If you test it, don't be surprised that the random-seed is empty the
first time you start the service. It is `touch`-ed at boot but filled
during shutdown.

The big caveat is that the only way I could make it work was to use the
old service API. I just couldn't figure out how to use the extensible
service API for a service that takes to arguments.

If this is a problem, then your help is wanted!

I also had to change the location of %random-seed-file from
/var/run/random-seed to /var/lib/random-seed, because /var/run is
cleared upon reboot. This is specified in the FHS standard [1]. Debian
puts it at /var/lib/urandom/random-seed.

[0] From the inotify-tools package

[1]
http://www.pathname.com/fhs/pub/fhs-2.3.html#VARRUNRUNTIMEVARIABLEDATA

[-- Attachment #2: 0001-services-Add-urandom-seed-service.patch --]
[-- Type: text/x-diff, Size: 4532 bytes --]

From 8d41d37e2d0f8a0edf7ab9d659d1a2c9315965c1 Mon Sep 17 00:00:00 2001
From: Leo Famulari <leo@famulari.name>
Date: Sun, 8 May 2016 03:08:46 -0400
Subject: [PATCH] services: Add urandom-seed-service.

* gnu/services/base.scm (urandom-seed-service): New procedure.
(%random-seed-file, urandom-seed-service-type): New variables.
(%urandom-seed-shepherd-service): New procedure.
* doc/guix.texi (Base Services): Document it.
---
 doc/guix.texi         | 10 ++++++++++
 gnu/services/base.scm | 52 ++++++++++++++++++++++++++++++++++++++++++++++++++-
 2 files changed, 61 insertions(+), 1 deletion(-)

diff --git a/doc/guix.texi b/doc/guix.texi
index bb75425..34a51a8 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -7355,6 +7355,16 @@ Return a service that runs the Guix build daemon according to
 Run @var{udev}, which populates the @file{/dev} directory dynamically.
 @end deffn
 
+@deffn {Scheme Procedure} urandom-seed-service @var{#f}
+Save some entropy in @var{%random-seed-file} to seed @file{/dev/urandom}
+when rebooting.
+@end deffn
+
+@deftp {Data Type} %random-seed-file
+This is where some random bytes are saved by @var{urandom-seed-service}
+to seed @file{/dev/urandom} when rebooting.
+@end deftp
+
 @deffn {Scheme Procedure} console-keymap-service @var{files} ...
 @cindex keyboard layout
 Return a service to load console keymaps from @var{files} using
diff --git a/gnu/services/base.scm b/gnu/services/base.scm
index 96bf8da..329a989 100644
--- a/gnu/services/base.scm
+++ b/gnu/services/base.scm
@@ -3,6 +3,7 @@
 ;;; Copyright © 2015, 2016 Alex Kost <alezost@gmail.com>
 ;;; Copyright © 2015 Mark H Weaver <mhw@netris.org>
 ;;; Copyright © 2015 Sou Bunnbu <iyzsong@gmail.com>
+;;; Copyright © 2016 Leo Famulari <leo@famulari.name>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -93,6 +94,8 @@
             gpm-service-type
             gpm-service
 
+            urandom-seed-service
+
             %base-services))
 
 ;;; Commentary:
@@ -422,6 +425,53 @@ stopped before 'kill' is called."
 
 \f
 ;;;
+;;; Preserve entropy to seed /dev/urandom on boot.
+;;;
+
+(define %random-seed-file
+  "/var/lib/random-seed")
+
+(define %urandom-seed-shepherd-service
+  (shepherd-service
+    (documentation "Preserve entropy across reboots for /dev/urandom.")
+    (provision '(urandom-seed))
+    (requirement '(user-processes))
+    (start #~(lambda _
+               ;; "Activation"
+               (mkdir-p (dirname #$%random-seed-file))
+               (close-port (open-file #$%random-seed-file "a0b"))
+               (chmod #$%random-seed-file #o600)
+               ;; On boot, write random seed into /dev/urandom
+               (when (file-exists? #$%random-seed-file)
+                 (call-with-input-file #$%random-seed-file
+                   (lambda (seed)
+                     (call-with-output-file "/dev/urandom"
+                       (lambda (urandom)
+                         (dump-port seed urandom))))))
+               #t))
+    (stop #~(lambda _
+              ;; During shutdown, write from /dev/urandom into random seed
+              (let ((buf (make-bytevector 512)))
+                (call-with-input-file "/dev/urandom"
+                  (lambda (urandom)
+                    (get-bytevector-n! urandom buf 0 512)
+                    (call-with-output-file #$%random-seed-file
+                      (lambda (seed)
+                        (put-bytevector seed buf)))
+                    #t)))))
+    (modules `((rnrs bytevectors)
+               (rnrs io ports)
+               ,@%default-modules))))
+
+(define urandom-seed-service-type
+  (shepherd-service-type 'urandom-seed
+                         (const %urandom-seed-shepherd-service)))
+
+(define (urandom-seed-service)
+  (service urandom-seed-service-type #f))
+
+\f
+;;;
 ;;; System-wide environment variables.
 ;;;
 
@@ -1200,7 +1250,6 @@ extra rules from the packages listed in @var{rules}."
   "Return a service that uses @var{device} as a swap device."
   (service swap-service-type device))
 
-
 (define-record-type* <gpm-configuration>
   gpm-configuration make-gpm-configuration gpm-configuration?
   (gpm      gpm-configuration-gpm)                ;package
@@ -1283,6 +1332,7 @@ This is the GNU operating system, welcome!\n\n")))
           (syslog-service)
           (guix-service)
           (nscd-service)
+          (urandom-seed-service)
 
           ;; The LVM2 rules are needed as soon as LVM2 or the device-mapper is
           ;; used, so enable them by default.  The FUSE and ALSA rules are
-- 
2.8.3


^ permalink raw reply related	[flat|nested] 26+ messages in thread

* bug#23605: /dev/urandom not seeded across reboots
  2016-05-28  1:05 ` Leo Famulari
@ 2016-05-28  1:11   ` Ben Woodcroft
  2016-05-28  1:45     ` Leo Famulari
  0 siblings, 1 reply; 26+ messages in thread
From: Ben Woodcroft @ 2016-05-28  1:11 UTC (permalink / raw)
  To: Leo Famulari, 23605

Hi Leo,

On 28/05/16 11:05, Leo Famulari wrote:
> Okay, I finally have some code that works! (attached)
Is your patch incomplete?

ben

^ permalink raw reply	[flat|nested] 26+ messages in thread

* bug#23605: /dev/urandom not seeded across reboots
  2016-05-24 12:24 ` Ludovic Courtès
  2016-05-25 16:38   ` Leo Famulari
@ 2016-05-28  1:12   ` Leo Famulari
  2016-05-28 13:51     ` Ludovic Courtès
  1 sibling, 1 reply; 26+ messages in thread
From: Leo Famulari @ 2016-05-28  1:12 UTC (permalink / raw)
  To: Ludovic Courtès; +Cc: 23605

On Tue, May 24, 2016 at 02:24:59PM +0200, Ludovic Courtès wrote:
> Leo Famulari <leo@famulari.name> skribis:
> 
> > I realized that we don't seem to be saving any of the entropy in the
> > kernel's random pool [0] across reboots.
> >
> > This means that for some period after boot, /dev/urandom may not be safe
> > to use. From random(4):
> 
> Good catch!
> 
> Some comments:
> 
> > +(define %urandom-seed-activation
> > +  ;; Activation gexp for the urandom seed
> > +  #~(begin
> > +      (use-modules (guix build utils))
> > +
> > +      (mkdir-p "/var/run")
> > +      (close-port (open-file "/var/run/urandom-seed" "a0b"))
> 
> Or simply ‘open-output-file’.

I don't see a way to use (open-output-file) in "append" mode as with
(open-file).  Without that, the file is cleared before it is read in the
following lines.

^ permalink raw reply	[flat|nested] 26+ messages in thread

* bug#23605: /dev/urandom not seeded across reboots
  2016-05-28  1:11   ` Ben Woodcroft
@ 2016-05-28  1:45     ` Leo Famulari
  2016-05-28  9:40       ` Ben Woodcroft
  0 siblings, 1 reply; 26+ messages in thread
From: Leo Famulari @ 2016-05-28  1:45 UTC (permalink / raw)
  To: Ben Woodcroft; +Cc: 23605

On Sat, May 28, 2016 at 11:11:20AM +1000, Ben Woodcroft wrote:
> Hi Leo,
> 
> On 28/05/16 11:05, Leo Famulari wrote:
> > Okay, I finally have some code that works! (attached)
> Is your patch incomplete?

What do you mean? Does it not apply to your source tree?

Otherwise, I expect that it's incomplete in the sense that it will
require some more revision before being merged into the master branch on
Savannah.

Your comments are welcome :)

^ permalink raw reply	[flat|nested] 26+ messages in thread

* bug#23605: /dev/urandom not seeded across reboots
  2016-05-28  1:45     ` Leo Famulari
@ 2016-05-28  9:40       ` Ben Woodcroft
  0 siblings, 0 replies; 26+ messages in thread
From: Ben Woodcroft @ 2016-05-28  9:40 UTC (permalink / raw)
  To: Leo Famulari; +Cc: 23605



On 28/05/16 11:45, Leo Famulari wrote:
> On Sat, May 28, 2016 at 11:11:20AM +1000, Ben Woodcroft wrote:
>> Hi Leo,
>>
>> On 28/05/16 11:05, Leo Famulari wrote:
>>> Okay, I finally have some code that works! (attached)
>> Is your patch incomplete?
> What do you mean? Does it not apply to your source tree?

Oh, nevermind, sorry for the noise. Thunderbird was tripping up on the 
strange character and not showing me the full diff.
ben

^ permalink raw reply	[flat|nested] 26+ messages in thread

* bug#23605: /dev/urandom not seeded across reboots
  2016-05-28  1:12   ` Leo Famulari
@ 2016-05-28 13:51     ` Ludovic Courtès
  0 siblings, 0 replies; 26+ messages in thread
From: Ludovic Courtès @ 2016-05-28 13:51 UTC (permalink / raw)
  To: Leo Famulari; +Cc: 23605

Leo Famulari <leo@famulari.name> skribis:

> On Tue, May 24, 2016 at 02:24:59PM +0200, Ludovic Courtès wrote:
>> Leo Famulari <leo@famulari.name> skribis:
>> 
>> > I realized that we don't seem to be saving any of the entropy in the
>> > kernel's random pool [0] across reboots.
>> >
>> > This means that for some period after boot, /dev/urandom may not be safe
>> > to use. From random(4):
>> 
>> Good catch!
>> 
>> Some comments:
>> 
>> > +(define %urandom-seed-activation
>> > +  ;; Activation gexp for the urandom seed
>> > +  #~(begin
>> > +      (use-modules (guix build utils))
>> > +
>> > +      (mkdir-p "/var/run")
>> > +      (close-port (open-file "/var/run/urandom-seed" "a0b"))
>> 
>> Or simply ‘open-output-file’.
>
> I don't see a way to use (open-output-file) in "append" mode as with
> (open-file).  Without that, the file is cleared before it is read in the
> following lines.

You’re right, sorry for the confusion.

Ludo’.

^ permalink raw reply	[flat|nested] 26+ messages in thread

* bug#23605: /dev/urandom not seeded across reboots
  2016-05-26 16:47       ` Leo Famulari
@ 2016-05-28 13:57         ` Ludovic Courtès
  2016-05-28 18:05           ` Leo Famulari
  0 siblings, 1 reply; 26+ messages in thread
From: Ludovic Courtès @ 2016-05-28 13:57 UTC (permalink / raw)
  To: Leo Famulari; +Cc: 23605

Leo Famulari <leo@famulari.name> skribis:

> On Wed, May 25, 2016 at 06:54:58PM +0200, Ludovic Courtès wrote:
>> 
>> Yes, it’s:
>> 
>>   (service TYPE VALUE)
>> 
>> but I think there’s no meaningful value for this service, so you could
>> do:
>> 
>>   (service urandom-seed-service-type #f)

[...]

> gnu/services/base.scm:1217:0: In procedure urandom-seed-shepherd-service:
> gnu/services/base.scm:1217:0: Wrong number of arguments to #<procedure urandom-seed-shepherd-service ()>

[...]

> +(define (urandom-seed-shepherd-service)

[...]

> +(define urandom-seed-service-type
> +  (service-type (name 'urandom-seed)
> +                (extensions
> +                 (list (service-extension shepherd-root-service-type
> +                                          urandom-seed-shepherd-service)

Service extension procedures are called with one argument, which is the
service’s value (info "(guix) Service Reference").

Usually, the service’s value is a configuration object, but in this
case, the service’s value doesn’t matter, so you could simply write:

  (define (urandom-seed-shepherd-service _)
    …)

> +                       ;; Add urandom-seed to the system profile
> +                       (service-extension profile-service-type list)))))

The ‘profile-service-type’ represents the system profile, i.e.,
/run/current-system/profile.  Extending it means adding a package to
it.

But here, IIUC, there’s no package to be added to the profile, so you
should just remove it.

Last round and we’re done!  :-)

Thanks for persevering, and sorry it’s not easier.  Maybe you’ll have
ideas on how to improve the manual and/or the API?

Ludo’.

^ permalink raw reply	[flat|nested] 26+ messages in thread

* bug#23605: /dev/urandom not seeded across reboots
  2016-05-28 13:57         ` Ludovic Courtès
@ 2016-05-28 18:05           ` Leo Famulari
  2016-05-28 18:10             ` Leo Famulari
                               ` (2 more replies)
  0 siblings, 3 replies; 26+ messages in thread
From: Leo Famulari @ 2016-05-28 18:05 UTC (permalink / raw)
  To: Ludovic Courtès; +Cc: 23605

[-- Attachment #1: Type: text/plain, Size: 893 bytes --]

On Sat, May 28, 2016 at 03:57:06PM +0200, Ludovic Courtès wrote:
> Leo Famulari <leo@famulari.name> skribis:
> > On Wed, May 25, 2016 at 06:54:58PM +0200, Ludovic Courtès wrote:
> Usually, the service’s value is a configuration object, but in this
> case, the service’s value doesn’t matter, so you could simply write:
> 
>   (define (urandom-seed-shepherd-service _)
>     …)
> 
> > +                       ;; Add urandom-seed to the system profile
> > +                       (service-extension profile-service-type list)))))
> 
> The ‘profile-service-type’ represents the system profile, i.e.,
> /run/current-system/profile.  Extending it means adding a package to
> it.
> 
> But here, IIUC, there’s no package to be added to the profile, so you
> should just remove it.
> 
> Last round and we’re done!  :-)

Please find my latest patch attached. It seems to work for me!

[-- Attachment #2: 0001-services-Add-urandom-seed-service.patch --]
[-- Type: text/x-diff, Size: 4736 bytes --]

From 18979451b1af7eebaa354c1753ad4c90af288589 Mon Sep 17 00:00:00 2001
From: Leo Famulari <leo@famulari.name>
Date: Sat, 28 May 2016 13:41:21 -0400
Subject: [PATCH] services: Add urandom-seed-service.

* gnu/services/base.scm (urandom-seed-service): New procedure.
(%random-seed-file, urandom-seed-service-type): New variables.
(%urandom-seed-shepherd-service): New procedure.
* doc/guix.texi (Base Services): Document it.
---
 doc/guix.texi         | 10 +++++++++
 gnu/services/base.scm | 61 ++++++++++++++++++++++++++++++++++++++++++++++++++-
 2 files changed, 70 insertions(+), 1 deletion(-)

diff --git a/doc/guix.texi b/doc/guix.texi
index bb75425..34a51a8 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -7355,6 +7355,16 @@ Return a service that runs the Guix build daemon according to
 Run @var{udev}, which populates the @file{/dev} directory dynamically.
 @end deffn
 
+@deffn {Scheme Procedure} urandom-seed-service @var{#f}
+Save some entropy in @var{%random-seed-file} to seed @file{/dev/urandom}
+when rebooting.
+@end deffn
+
+@deftp {Data Type} %random-seed-file
+This is where some random bytes are saved by @var{urandom-seed-service}
+to seed @file{/dev/urandom} when rebooting.
+@end deftp
+
 @deffn {Scheme Procedure} console-keymap-service @var{files} ...
 @cindex keyboard layout
 Return a service to load console keymaps from @var{files} using
diff --git a/gnu/services/base.scm b/gnu/services/base.scm
index 96bf8da..032f713 100644
--- a/gnu/services/base.scm
+++ b/gnu/services/base.scm
@@ -93,6 +93,8 @@
             gpm-service-type
             gpm-service
 
+            urandom-seed-service
+
             %base-services))
 
 ;;; Commentary:
@@ -422,6 +424,63 @@ stopped before 'kill' is called."
 
 \f
 ;;;
+;;; Preserve entropy to seed /dev/urandom on boot.
+;;;
+
+(define %random-seed-file
+  "/var/lib/random-seed")
+
+(define %urandom-seed-activation
+  ;; Activation gexp for the urandom seed
+  #~(begin
+      (use-modules (guix build utils))
+
+      (mkdir-p (dirname #$%random-seed-file))
+      (close-port (open-file #$%random-seed-file "a0b"))
+      (chmod #$%random-seed-file #o600)))
+
+(define (urandom-seed-shepherd-service _)
+  "Return a shepherd service for the /dev/urandom seed."
+  (list (shepherd-service
+         (documentation "Preserve entropy across reboots for /dev/urandom.")
+         (provision '(urandom-seed))
+         (requirement '(user-processes))
+         (start #~(lambda _
+                    ;; On boot, write random seed into /dev/urandom.
+                    (when (file-exists? #$%random-seed-file)
+                      (call-with-input-file #$%random-seed-file
+                        (lambda (seed)
+                          (call-with-output-file "/dev/urandom"
+                            (lambda (urandom)
+                              (dump-port seed urandom))))))
+                    #t))
+         (stop #~(lambda _
+                   ;; During shutdown, write from /dev/urandom into random seed.
+                   (let ((buf (make-bytevector 512)))
+                     (call-with-input-file "/dev/urandom"
+                       (lambda (urandom)
+                         (get-bytevector-n! urandom buf 0 512)
+                         (call-with-output-file #$%random-seed-file
+                           (lambda (seed)
+                             (put-bytevector seed buf)))
+                         #t)))))
+         (modules `((rnrs bytevectors)
+                    (rnrs io ports)
+                    ,@%default-modules)))))
+
+(define urandom-seed-service-type
+  (service-type (name 'urandom-seed)
+                (extensions
+                 (list (service-extension shepherd-root-service-type
+                                          urandom-seed-shepherd-service)
+                       (service-extension activation-service-type
+                                          (const %urandom-seed-activation))))))
+
+(define (urandom-seed-service)
+  (service urandom-seed-service-type #f))
+
+\f
+;;;
 ;;; System-wide environment variables.
 ;;;
 
@@ -1200,7 +1259,6 @@ extra rules from the packages listed in @var{rules}."
   "Return a service that uses @var{device} as a swap device."
   (service swap-service-type device))
 
-
 (define-record-type* <gpm-configuration>
   gpm-configuration make-gpm-configuration gpm-configuration?
   (gpm      gpm-configuration-gpm)                ;package
@@ -1281,6 +1339,7 @@ This is the GNU operating system, welcome!\n\n")))
           (static-networking-service "lo" "127.0.0.1"
                                      #:provision '(loopback))
           (syslog-service)
+          (urandom-seed-service)
           (guix-service)
           (nscd-service)
 
-- 
2.8.3


^ permalink raw reply related	[flat|nested] 26+ messages in thread

* bug#23605: /dev/urandom not seeded across reboots
  2016-05-28 18:05           ` Leo Famulari
@ 2016-05-28 18:10             ` Leo Famulari
  2016-05-28 18:26             ` Leo Famulari
  2016-05-28 20:53             ` Ludovic Courtès
  2 siblings, 0 replies; 26+ messages in thread
From: Leo Famulari @ 2016-05-28 18:10 UTC (permalink / raw)
  To: Ludovic Courtès; +Cc: 23605

On Sat, May 28, 2016 at 02:05:35PM -0400, Leo Famulari wrote:
> Please find my latest patch attached. It seems to work for me!

I forgot to add a copyright line for myself in this version. I'll put it
in for the next patch or when merging.

^ permalink raw reply	[flat|nested] 26+ messages in thread

* bug#23605: /dev/urandom not seeded across reboots
  2016-05-28 18:05           ` Leo Famulari
  2016-05-28 18:10             ` Leo Famulari
@ 2016-05-28 18:26             ` Leo Famulari
  2016-05-28 20:41               ` Leo Famulari
  2016-05-28 20:53             ` Ludovic Courtès
  2 siblings, 1 reply; 26+ messages in thread
From: Leo Famulari @ 2016-05-28 18:26 UTC (permalink / raw)
  To: Ludovic Courtès; +Cc: 23605

On Sat, May 28, 2016 at 02:05:35PM -0400, Leo Famulari wrote:
> Please find my latest patch attached. It seems to work for me!

I'm currently reconfiguring my GuixSD system with this patch to make
sure bad things don't happen the first time the user halts and the seed
file does not exist. Or something like that. Just to see what happens.

So far, I tested this by generating VM images.

^ permalink raw reply	[flat|nested] 26+ messages in thread

* bug#23605: /dev/urandom not seeded across reboots
  2016-05-28 18:26             ` Leo Famulari
@ 2016-05-28 20:41               ` Leo Famulari
  0 siblings, 0 replies; 26+ messages in thread
From: Leo Famulari @ 2016-05-28 20:41 UTC (permalink / raw)
  To: Ludovic Courtès; +Cc: 23605

On Sat, May 28, 2016 at 02:26:23PM -0400, Leo Famulari wrote:
> On Sat, May 28, 2016 at 02:05:35PM -0400, Leo Famulari wrote:
> > Please find my latest patch attached. It seems to work for me!
> 
> I'm currently reconfiguring my GuixSD system with this patch to make
> sure bad things don't happen the first time the user halts and the seed
> file does not exist. Or something like that. Just to see what happens.

No problems. After reconfiguring, the service is started and there is a
zero-byte file at /var/lib/random-seed.

^ permalink raw reply	[flat|nested] 26+ messages in thread

* bug#23605: /dev/urandom not seeded across reboots
  2016-05-28 18:05           ` Leo Famulari
  2016-05-28 18:10             ` Leo Famulari
  2016-05-28 18:26             ` Leo Famulari
@ 2016-05-28 20:53             ` Ludovic Courtès
  2016-05-29  0:00               ` Leo Famulari
  2 siblings, 1 reply; 26+ messages in thread
From: Ludovic Courtès @ 2016-05-28 20:53 UTC (permalink / raw)
  To: Leo Famulari; +Cc: 23605

Leo Famulari <leo@famulari.name> skribis:

> Please find my latest patch attached. It seems to work for me!

\o/

> From 18979451b1af7eebaa354c1753ad4c90af288589 Mon Sep 17 00:00:00 2001
> From: Leo Famulari <leo@famulari.name>
> Date: Sat, 28 May 2016 13:41:21 -0400
> Subject: [PATCH] services: Add urandom-seed-service.

Add “Fixes <http://bugs.gnu.org/23605>.”

> * gnu/services/base.scm (urandom-seed-service): New procedure.
> (%random-seed-file, urandom-seed-service-type): New variables.
> (%urandom-seed-shepherd-service): New procedure.

Mention the addition to ‘%base-services’ too.

> * doc/guix.texi (Base Services): Document it.

[...]

> +@deftp {Data Type} %random-seed-file

Should be:

  @defvr {Scheme Variable} %random-seed-file

> +This is where some random bytes are saved by @var{urandom-seed-service}

s/This is where/This is the name of the file where/

> +to seed @file{/dev/urandom} when rebooting.

Maybe add “It defaults to @file{/var/run/…}.”

OK with these changes.

Thanks a lot!

Ludo’.

^ permalink raw reply	[flat|nested] 26+ messages in thread

* bug#23605: /dev/urandom not seeded across reboots
  2016-05-28 20:53             ` Ludovic Courtès
@ 2016-05-29  0:00               ` Leo Famulari
  2016-05-29  0:04                 ` Leo Famulari
  2016-05-29 20:23                 ` Ludovic Courtès
  0 siblings, 2 replies; 26+ messages in thread
From: Leo Famulari @ 2016-05-29  0:00 UTC (permalink / raw)
  To: Ludovic Courtès; +Cc: 23605

On Sat, May 28, 2016 at 10:53:08PM +0200, Ludovic Courtès wrote:
> 
> OK with these changes.

Done as a535e12226!

^ permalink raw reply	[flat|nested] 26+ messages in thread

* bug#23605: /dev/urandom not seeded across reboots
  2016-05-29  0:00               ` Leo Famulari
@ 2016-05-29  0:04                 ` Leo Famulari
  2016-05-29 20:23                 ` Ludovic Courtès
  1 sibling, 0 replies; 26+ messages in thread
From: Leo Famulari @ 2016-05-29  0:04 UTC (permalink / raw)
  To: 23605-done

On Sat, May 28, 2016 at 08:00:58PM -0400, Leo Famulari wrote:
> On Sat, May 28, 2016 at 10:53:08PM +0200, Ludovic Courtès wrote:
> > 
> > OK with these changes.
> 
> Done as a535e12226!

^ permalink raw reply	[flat|nested] 26+ messages in thread

* bug#23605: /dev/urandom not seeded across reboots
  2016-05-29  0:00               ` Leo Famulari
  2016-05-29  0:04                 ` Leo Famulari
@ 2016-05-29 20:23                 ` Ludovic Courtès
  1 sibling, 0 replies; 26+ messages in thread
From: Ludovic Courtès @ 2016-05-29 20:23 UTC (permalink / raw)
  To: Leo Famulari; +Cc: 23605-done

Leo Famulari <leo@famulari.name> skribis:

> On Sat, May 28, 2016 at 10:53:08PM +0200, Ludovic Courtès wrote:
>> 
>> OK with these changes.
>
> Done as a535e12226!

Thank you!

Ludo’.

^ permalink raw reply	[flat|nested] 26+ messages in thread

end of thread, other threads:[~2016-05-29 20:24 UTC | newest]

Thread overview: 26+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2016-05-23 17:58 bug#23605: /dev/urandom not seeded across reboots Leo Famulari
2016-05-24  7:05 ` Taylan Ulrich Bayırlı/Kammer
2016-05-24 16:16   ` Leo Famulari
2016-05-24 16:26     ` Thompson, David
2016-05-24 17:23       ` Leo Famulari
2016-05-24 17:29         ` Thompson, David
2016-05-25 21:53       ` Ludovic Courtès
2016-05-24 12:24 ` Ludovic Courtès
2016-05-25 16:38   ` Leo Famulari
2016-05-25 16:54     ` Ludovic Courtès
2016-05-26 16:47       ` Leo Famulari
2016-05-28 13:57         ` Ludovic Courtès
2016-05-28 18:05           ` Leo Famulari
2016-05-28 18:10             ` Leo Famulari
2016-05-28 18:26             ` Leo Famulari
2016-05-28 20:41               ` Leo Famulari
2016-05-28 20:53             ` Ludovic Courtès
2016-05-29  0:00               ` Leo Famulari
2016-05-29  0:04                 ` Leo Famulari
2016-05-29 20:23                 ` Ludovic Courtès
2016-05-28  1:12   ` Leo Famulari
2016-05-28 13:51     ` Ludovic Courtès
2016-05-28  1:05 ` Leo Famulari
2016-05-28  1:11   ` Ben Woodcroft
2016-05-28  1:45     ` Leo Famulari
2016-05-28  9:40       ` Ben Woodcroft

Code repositories for project(s) associated with this public inbox

	https://git.savannah.gnu.org/cgit/guix.git

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).