From mboxrd@z Thu Jan 1 00:00:00 1970 From: Leo Famulari Subject: Re: Seeding the Linux RNG at first boot Date: Mon, 11 Dec 2017 11:08:45 -0500 Message-ID: <20171211160845.GA31765@jasmine.lan> References: <20171203003126.GA353@jasmine.lan> <20171204184558.GF30970@jasmine.lan> <87wp20ydlj.fsf@fastmail.com> <20171206182711.GB2612@jasmine.lan> <87indickmd.fsf@gnu.org> <20171207234749.GA22844@jasmine.lan> <87mv2p62v9.fsf@gnu.org> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="r5Pyd7+fXNt84Ff3" Return-path: Received: from eggs.gnu.org ([2001:4830:134:3::10]:46055) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1eOQdQ-00045i-P3 for guix-devel@gnu.org; Mon, 11 Dec 2017 11:08:53 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1eOQdM-00078J-KV for guix-devel@gnu.org; Mon, 11 Dec 2017 11:08:52 -0500 Content-Disposition: inline In-Reply-To: <87mv2p62v9.fsf@gnu.org> List-Id: "Development of GNU Guix and the GNU System distribution." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org Sender: "Guix-devel" To: Ludovic =?iso-8859-1?Q?Court=E8s?= Cc: guix-devel@gnu.org --r5Pyd7+fXNt84Ff3 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Mon, Dec 11, 2017 at 10:16:42AM +0100, Ludovic Court=C3=A8s wrote: > Leo Famulari skribis: > > At the same time we handle the random seed, we could also try reading > > from /dev/hwrng and, if the read is successful, copy some bytes into > > /dev/urandom. We'd have to try reading and handle failure since we > > always create /dev/hwrng regardless of whether the Linux kernel module > > is loaded or not. >=20 > OK. Okay, I'll work on adding this to the urandom-seed-service. > > If one always passes the same value to --entropy-seed, it will not > > negatively affect the reproducibility of the image ;) > > > > This would not be something we do for the official release image, but > > merely an optional tool. >=20 > Yeah it=E2=80=99d be OK to add this as an option. >=20 > When the option is present, =E2=80=98guix system=E2=80=99 would hook into= the VM > creation code somehow, or to extend =E2=80=98activation-service-type=E2= =80=99 with code > to create the file. >=20 > Maybe we could provide a more generic --copy-file=3DSOURCE[=3DDEST] optio= n? > Like --copy-file=3D./my-seed=3D/var/lib/random-seed or > --copy-file=3D$HOME/.ssh/authorized_keys. >=20 > Thoughts? That sounds good to me. I'll try implementing it. --r5Pyd7+fXNt84Ff3 Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEsFFZSPHn08G5gDigJkb6MLrKfwgFAlourY0ACgkQJkb6MLrK fwiaiBAAyMLIOEGwEEe8vDZuK92LJ/PZKd5UmHORIFeAE/uTb1vqOE/pWsmYzywg 6/n8U9vl3sxrks8HpwqO9GdkELuseY+caCbZa0ndwCY4X84Q/EmryIITUQvze7tC qRK17gLQnI6sXQdn5o/3i85+Dfxbp4aQIsH1Ba/NdX0rf3MjSJvWfKAgXcfoD3Hf LCcjdIMBAcvfF4Pu09mOVKBGFYUEy/9c7/leAZWsQ5o9OBsXPxdI8d7cE7RJUh+d 5YMLA0GGrumQnZlQcl4czM5vvftC/1kfSD4Bhk74x2ZoGO/ZdasL+o0n2Kodlk0A ERHaIRhs8hb1v5OS4wO/uQtYwxMkgYNa515DDDluaRpV6Fb7Og6atQy/HZhYCiEf g8pq+ykc4PgzFdMD3zUgZmALzhjJQaXgdxyOZni6A5jGRHsIQWoGt/UekH1i0Q84 YCcsAnOIhfsraObnDZbE6nXiGWOPs+SRYj0GTliUWtnuJJGrAWEaqJoaYF+HkYep FG+m1YhORL+AkWP2hCLrMEDYXNioZVjUcK5Tt23vSquuTaPzNp1+cfBY1JDoKvNA Gx7AwquP/XfnCQYzbB1IJ2tZMHFh8Q6LfV+WRsGwipAmR+2hu83HCW3lSaNJam3K amv7piz8gzHABQhMHZA5WBzqErNRLoX8ZQ8ONsjGU1h6AYPUvpI= =Q8KP -----END PGP SIGNATURE----- --r5Pyd7+fXNt84Ff3--