* [Buildroot] [PATCH] initscripts: Make installation of S20urandom optional. @ 2020-07-18 22:44 christoph.muellner at theobroma-systems.com 2020-07-19 8:05 ` Thomas Petazzoni 0 siblings, 1 reply; 9+ messages in thread From: christoph.muellner at theobroma-systems.com @ 2020-07-18 22:44 UTC (permalink / raw) To: buildroot From: Christoph M?llner <christoph.muellner@theobroma-systems.com> S20urandom is a nice script. However, there are systems, which cannot make use of that script for some reasons (e.g. systems that only have read-only partitions). So let's install S20urandom only if configured to do so (with default y to keep backwards-compatibility). Signed-off-by: Christoph M?llner <christoph.muellner@theobroma-systems.com> Change-Id: I85f3fafd4c2b1c3f25eee32e4c311613fcc0294e --- package/initscripts/Config.in | 10 ++++++++++ package/initscripts/{init.d => }/S20urandom | 0 package/initscripts/initscripts.mk | 8 ++++++++ 3 files changed, 18 insertions(+) rename package/initscripts/{init.d => }/S20urandom (100%) diff --git a/package/initscripts/Config.in b/package/initscripts/Config.in index 82cbd5c678..f60d4da4e6 100644 --- a/package/initscripts/Config.in +++ b/package/initscripts/Config.in @@ -2,3 +2,13 @@ config BR2_PACKAGE_INITSCRIPTS bool help The basics startup scripts for both SysV and Busybox + +if BR2_PACKAGE_INITSCRIPTS + +config BR2_PACKAGE_INITSCRIPTS_URANDOM + bool "Initscript to preserve random seeed between reboots" + default y + help + An init script, that preserves the random seed between reboots. + +endif diff --git a/package/initscripts/init.d/S20urandom b/package/initscripts/S20urandom similarity index 100% rename from package/initscripts/init.d/S20urandom rename to package/initscripts/S20urandom diff --git a/package/initscripts/initscripts.mk b/package/initscripts/initscripts.mk index cfee155570..d5f20f469d 100644 --- a/package/initscripts/initscripts.mk +++ b/package/initscripts/initscripts.mk 
@@ -4,6 +4,14 @@ # ################################################################################ +define INITSCRIPTS_INSTALL_URANDOM + $(INSTALL) -D -m 0755 package/initscripts/S20urandom $(TARGET_DIR)/etc/init.d/ +endef + +ifeq ($(BR2_PACKAGE_INITSCRIPTS_URANDOM),y) +INITSCRIPTS_INSTALL_TARGET_HOOKS += INITSCRIPTS_INSTALL_URANDOM +endif + define INITSCRIPTS_INSTALL_TARGET_CMDS mkdir -p $(TARGET_DIR)/etc/init.d $(INSTALL) -D -m 0755 package/initscripts/init.d/* $(TARGET_DIR)/etc/init.d/ -- 2.26.2 ^ permalink raw reply related [flat|nested] 9+ messages in thread
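Review bot: the new bool prompt in the Config.in hunk misspells "seed" ("Initscript to preserve random seeed between reboots"), and the help text carries a stray comma ("An init script, that preserves"); both should be fixed before merging. The help should also say when to turn the option off: the script writes /var/lib/random-seed, so it needs a writable /var/lib (the read-only rootfs case that motivates this patch), for instance by adding `Requires a writable /var/lib; disable on read-only root filesystems.` to the help text.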
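Review bot: in the initscripts.mk hunk, a post-install hook is more machinery than a conditional file install needs; the common Buildroot pattern is to define INITSCRIPTS_INSTALL_URANDOM inside the `ifeq ($(BR2_PACKAGE_INITSCRIPTS_URANDOM),y)` block and expand `$(INITSCRIPTS_INSTALL_URANDOM)` from INITSCRIPTS_INSTALL_TARGET_CMDS, so the option's effect is visible in one place. For a single file, name the destination explicitly (`$(INSTALL) -D -m 0755 package/initscripts/S20urandom $(TARGET_DIR)/etc/init.d/S20urandom`) rather than relying on install's trailing-slash handling, which the existing glob line needs but this one does not.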
* [Buildroot] [PATCH] initscripts: Make installation of S20urandom optional.
From: Thomas Petazzoni @ 2020-07-19 8:05 UTC
To: buildroot

Hello Christoph,

On Sun, 19 Jul 2020 00:44:44 +0200
christoph.muellner at theobroma-systems.com wrote:

> From: Christoph Müllner <christoph.muellner@theobroma-systems.com>
>
> S20urandom is a nice script. However, there are systems, which
> cannot make use of that script for some reasons (e.g. systems that
> only have read-only partitions).
>
> So let's install S20urandom only if configured to do so
> (with default y to keep backwards-compatibility).
>
> Signed-off-by: Christoph Müllner <christoph.muellner@theobroma-systems.com>

Hm, indeed it saves to /var/lib/random-seed, which we do not seem to
symlink to a tmpfs place when the rootfs is read-only. I'm not entirely
sure we want to add yet another option for this, or if we want to fix
it so that it "works" even in read-only rootfs scenarios. I don't have
a very clear opinion on how to handle that.

Thomas
--
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com
* [Buildroot] [PATCH] initscripts: Make installation of S20urandom optional.
From: Yann E. MORIN @ 2020-07-19 11:49 UTC
To: buildroot

Thomas, Christoph, Al,

On 2020-07-19 10:05 +0200, Thomas Petazzoni spake thusly:
> On Sun, 19 Jul 2020 00:44:44 +0200
> christoph.muellner at theobroma-systems.com wrote:
>
> > From: Christoph Müllner <christoph.muellner@theobroma-systems.com>
> >
> > S20urandom is a nice script. However, there are systems, which
> > cannot make use of that script for some reasons (e.g. systems that
> > only have read-only partitions).
> >
> > So let's install S20urandom only if configured to do so
> > (with default y to keep backwards-compatibility).
> >
> > Signed-off-by: Christoph Müllner <christoph.muellner@theobroma-systems.com>
>
> Hm, indeed it saves to /var/lib/random-seed, which we do not seem to
> symlink to a tmpfs place when the rootfs is read-only. I'm not entirely
> sure we want to add yet another option for this, or if we want to fix
> it so that it "works" even in read-only rootfs scenarios. I don't have
> a very clear opinion on how to handle that.

I too don't think that warrants a kconfig option.

I would however believe this script is not interesting at all. In fact,
an embedded device seldom reboots nicely; instead, it is most often a
hard-reboot (with a power cycle). In that case, the script would have no
chance whatsoever to save the current seed before shutdown, thus on next
boot we would restore a seed that would have already been used, thus
defeating randomness to begin with; worse, it would give people a sense
of security where there would in fact be a hole.

If people do not have a good source of randomness in their kernel and/or
hardware, they should switch to using things like rng-tools with
jitterentropy or the likes, rather than rely on saving and restoring the
seed.

It is my opinion that we should just drop that startup script altogether
and be done with it.

Regards,
Yann E. MORIN.

--
.-----------------.--------------------.------------------.--------------------.
|  Yann E. MORIN  | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software  Designer | \ / CAMPAIGN     |  ___               |
| +33 561 099 427 `------------.-------:  X  AGAINST      |  \e/  There is no  |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL    |   v   conspiracy.  |
'------------------------------^-------^------------------^--------------------'
* [Buildroot] [PATCH] initscripts: Make installation of S20urandom optional.
From: Peter Seiderer @ 2020-07-19 12:09 UTC
To: buildroot

Hello *,

On Sun, 19 Jul 2020 13:49:50 +0200, "Yann E. MORIN" <yann.morin.1998@free.fr> wrote:

> Thomas, Christoph, Al,
>
> On 2020-07-19 10:05 +0200, Thomas Petazzoni spake thusly:
> > On Sun, 19 Jul 2020 00:44:44 +0200
> > christoph.muellner at theobroma-systems.com wrote:
> >
> > > From: Christoph Müllner <christoph.muellner@theobroma-systems.com>
> > >
> > > S20urandom is a nice script. However, there are systems, which
> > > cannot make use of that script for some reasons (e.g. systems that
> > > only have read-only partitions).
> > >
> > > So let's install S20urandom only if configured to do so
> > > (with default y to keep backwards-compatibility).
> > >
> > > Signed-off-by: Christoph Müllner <christoph.muellner@theobroma-systems.com>
> >
> > Hm, indeed it saves to /var/lib/random-seed, which we do not seem to
> > symlink to a tmpfs place when the rootfs is read-only. I'm not entirely
> > sure we want to add yet another option for this, or if we want to fix
> > it so that it "works" even in read-only rootfs scenarios. I don't have
> > a very clear opinion on how to handle that.
>
> I too don't think that warrants a kconfig option.
>
> I would however believe this script is not interesting at all. In fact,
> an embedded device seldom reboots nicely; instead, it is most often a
> hard-reboot (with a power cycle). In that case, the script would have no
> chance whatsoever to save the current seed before shutdown, thus on next
> boot we would restore a seed that would have already been used, thus
> defeating randomness to begin with; worse, it would give people a sense
> of security where there would in fact be a hole.

This is a very limited view of the buildroot use-cases, I believe there
are although some, call it 'mid-range' embedded systems, with a proper
power-down button shutting down the system before killing the power
(or at least the use-case of two of my customer projects)...

Regards,
Peter

>
> If people do not have a good source of randomness in their kernel and/or
> hardware, they should switch to using things like rng-tools with
> jitterentropy or the likes, rather than rely on saving and restoring the
> seed.
>
> It is my opinion that we should just drop that startup script altogether
> and be done with it.
>
> Regards,
> Yann E. MORIN.
* [Buildroot] [PATCH] initscripts: Make installation of S20urandom optional.
From: Yann E. MORIN @ 2020-07-19 12:24 UTC
To: buildroot

Peter, All,

On 2020-07-19 14:09 +0200, Peter Seiderer spake thusly:
> On Sun, 19 Jul 2020 13:49:50 +0200, "Yann E. MORIN" <yann.morin.1998@free.fr> wrote:
[--SNIP--]
> > I would however believe this script is not interesting at all. In fact,
> > an embedded device seldom reboots nicely; instead, it is most often a
> > hard-reboot (with a power cycle). In that case, the script would have no
> > chance whatsoever to save the current seed before shutdown, thus on next
> > boot we would restore a seed that would have already been used, thus
> > defeating randomness to begin with; worse, it would give people a sense
> > of security where there would in fact be a hole.
>
> This is a very limited view of the buildroot use-cases, I believe there
> are although some, call it 'mid-range' embedded systems, with a proper
> power-down button shutting down the system before killing the power
> (or at least the use-case of two of my customer projects)...

Yeah, but still, is saving-n-restoring the seed the sanest thing to do?
If your devices are that well engineered (yeah!), you probably have a
good source of randomness (probably HW, or with rng-tools et al), so
don't need to save-n-restore the seed...

Even for well-designed devices, that can be sanely powered-off-then-on,
there is always the possibility that the power completely goes out, and
thus the seed would be re-used.

Re-using a seed is one of the worst things one may do about randomness:
it is very, very bad, because it gives people a false sense of security
"Hey! I'm saving and restoring the seed, so no two boots will have the
same random sequence! Woohoo!" Boom, wrong...

So I still stand on my position that we should get rid of S20random.

Regards,
Yann E. MORIN.
* [Buildroot] [PATCH] initscripts: Make installation of S20urandom optional.
From: Christoph Müllner @ 2020-07-20 12:26 UTC
To: buildroot

Hi all,

On 7/19/20 2:24 PM, Yann E. MORIN wrote:
> Peter, All,
>
> On 2020-07-19 14:09 +0200, Peter Seiderer spake thusly:
>> On Sun, 19 Jul 2020 13:49:50 +0200, "Yann E. MORIN" <yann.morin.1998@free.fr> wrote:
> [--SNIP--]
>>> I would however believe this script is not interesting at all. In fact,
>>> an embedded device seldom reboots nicely; instead, it is most often a
>>> hard-reboot (with a power cycle). In that case, the script would have no
>>> chance whatsoever to save the current seed before shutdown, thus on next

That's not fully correct.
save_random_seed() is also called during start.

>>> boot we would restore a seed that would have already been used, thus
>>> defeating randomness to begin with; worse, it would give people a sense
>>> of security where there would in fact be a hole.
>>
>> This is a very limited view of the buildroot use-cases, I believe there
>> are although some, call it 'mid-range' embedded systems, with a proper
>> power-down button shutting down the system before killing the power
>> (or at least the use-case of two of my customer projects)...
>
> Yeah, but still, is saving-n-restoring the seed the sanest thing to do?
> If your devices are that well engineered (yeah!), you probably have a
> good source of randomness (probably HW, or with rng-tools et al), so
> don't need to save-n-restore the seed...
>
> Even for well-designed devices, that can be sanely powered-off-then-on,
> there is always the possibility that the power completely goes out, and
> thus the seed would be re-used.
>
> Re-using a seed is one of the worst things one may do about randomness:
> it is very, very bad, because it gives people a false sense of security
> "Hey! I'm saving and restoring the seed, so no two boots will have the
> same random sequence! Woohoo!" Boom, wrong...
>
> So I still stand on my position that we should get rid of S20random.

I agree mostly to your argumentation.

However, I know that a S20urandom-like mechanism is exactly
what I need in systems where I need to start an SSH server
in a development image for a system without proper entropy source.
I.e. where poor quality of random numbers does not matter, but
a bootup delay of a minute until the kernel RNG is seeded hurts.

So I am in favor of being able to remove S20urandom (thus my patch),
but I see that users need that and would like to continue to support
people that need it out-of-the-box.

What about moving S20urandom into a package urandom-scripts
(similar to ifupdown-scripts)?

If you still insist on dropping the script, then just let me know
and I will prepare a patch to do so.

Thanks,
Christoph
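The two concrete points raised so far (the seed file lives in /var/lib, which is not writable on a read-only rootfs, and the seed is re-saved at start, not only at shutdown) can be handled in the init script itself. The following is an added example written for this thread, not the Buildroot S20urandom script: it picks a writable seed location (falling back to an assumed tmpfs directory, /run by default), and it replaces the seed on disk immediately after feeding it to the kernel so that a later hard power-off does not leave an already-used seed behind. Path variables and the 512-byte seed size are assumptions for the example.

```shell
#!/bin/sh
# Added example (not Buildroot's S20urandom). Seed file handling that
# copes with a read-only /var/lib and refreshes the seed right after use.

SEED_FILE=${SEED_FILE:-/var/lib/random-seed}   # assumed default location
FALLBACK_DIR=${FALLBACK_DIR:-/run}             # assumed tmpfs-backed dir
RANDOM_DEV=${RANDOM_DEV:-/dev/urandom}
POOL_BYTES=512                                 # assumed seed size

# Print the seed path to use: SEED_FILE if its directory (or the file)
# is writable, else a file of the same name under FALLBACK_DIR.
# `test -w` uses access(2), so it is false on a read-only mount even for
# root, which is exactly the read-only rootfs case from the thread.
seed_path() {
    dir=$(dirname "$SEED_FILE")
    if [ -w "$dir" ] || { [ -e "$SEED_FILE" ] && [ -w "$SEED_FILE" ]; }; then
        echo "$SEED_FILE"
    else
        echo "$FALLBACK_DIR/$(basename "$SEED_FILE")"
    fi
}

# Write POOL_BYTES fresh bytes to the seed file, mode 0600, via a temp
# file and rename, so a crash mid-write never leaves a torn or stale seed.
save_random_seed() {
    file=$1
    ( umask 077 && dd if="$RANDOM_DEV" of="$file.tmp" \
        bs="$POOL_BYTES" count=1 2>/dev/null ) || return 1
    mv -f "$file.tmp" "$file"
}

# Feed the stored seed into the kernel pool, then replace it at once.
# Writing to /dev/urandom only mixes the bytes in; it does not credit
# entropy, so this does not by itself end the wait for the kernel RNG to
# become seeded. Refreshing the file first thing shrinks the window in
# which a power cut would leave a reusable seed on disk to this function.
load_random_seed() {
    file=$1
    if [ -f "$file" ]; then
        cat "$file" > "$RANDOM_DEV" 2>/dev/null || return 1
    fi
    save_random_seed "$file"
}

case "$1" in
    start) load_random_seed "$(seed_path)" ;;
    stop)  save_random_seed "$(seed_path)" ;;
    *)     : ;;   # no-op when sourced or called without an action
esac
```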
* [Buildroot] [PATCH] initscripts: Make installation of S20urandom optional.
From: Thomas Petazzoni @ 2020-07-20 12:30 UTC
To: buildroot

On Mon, 20 Jul 2020 14:26:59 +0200
Christoph Müllner <christoph.muellner@theobroma-systems.com> wrote:

> What about moving S20urandom into a package urandom-scripts
> (similar to ifupdown-scripts)?

This potentially seems like a good idea to me.

Thomas
--
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com
* [Buildroot] [PATCH] initscripts: Make installation of S20urandom optional.
From: Christoph Müllner @ 2020-07-20 15:22 UTC
To: buildroot

On 7/20/20 2:30 PM, Thomas Petazzoni wrote:
> On Mon, 20 Jul 2020 14:26:59 +0200
> Christoph Müllner <christoph.muellner@theobroma-systems.com> wrote:
>
>> What about moving S20urandom into a package urandom-scripts
>> (similar to ifupdown-scripts)?
>
> This potentially seems like a good idea to me.

I've prepared such a patch here:
http://lists.busybox.net/pipermail/buildroot/2020-July/287370.html

Thanks,
Christoph
* [Buildroot] [PATCH] initscripts: Make installation of S20urandom optional.
From: Yann E. MORIN @ 2020-07-20 20:42 UTC
To: buildroot

Christoph, All,

On 2020-07-20 14:26 +0200, Christoph Müllner spake thusly:
> On 7/19/20 2:24 PM, Yann E. MORIN wrote:
> > On 2020-07-19 14:09 +0200, Peter Seiderer spake thusly:
> >> On Sun, 19 Jul 2020 13:49:50 +0200, "Yann E. MORIN" <yann.morin.1998@free.fr> wrote:
> > [--SNIP--]
> >>> I would however believe this script is not interesting at all. In fact,
> >>> an embedded device seldom reboots nicely; instead, it is most often a
> >>> hard-reboot (with a power cycle). In that case, the script would have no
> >>> chance whatsoever to save the current seed before shutdown, thus on next
> That's not fully correct.
> save_random_seed() is also called during start.

Right. But if the entropy pool is so poor at boot that you need to
save-restore the seed at each boot, the probability that the new seed you
save back at startup is very predictable as it is saved right just after
loading the old one, and since you don't have much entropy to start with,
that defeats the very purpose of saving and restoring the seed.

[--SNIP--]
> I agree mostly to your argumentation.
>
> However, I know that a S20urandom-like mechanism is exactly
> what I need in systems where I need to start an SSH server
> in a development image for a system without proper entropy source.
> I.e. where poor quality of random numbers does not matter, but
> a bootup delay of a minute until the kernel RNG is seeded hurts.

Then you do not need to save-n-restore the seed; instead, you need a
better source of entropy available early at boot. And that is exactly
what rng-tools and jitterentropy-library, or haveged or others, are
supposed to provide: a strong source of entropy even in the absence of
HW-TRNG.

See:
    package/haveged/
    package/jitterentropy-library/
    https://lwn.net/Articles/802360/ (in kernel-land)

> So I am in favor of being able to remove S20urandom (thus my patch),
> but I see that users need that and would like to continue to support
> people that need it out-of-the-box.

I don't think people need to "save and restore the seed". Really, what
people really need is "strong entropy in early boot". Saving and
restoring the seed is only one technique to do so, and a poor one at
that, because it is fraught with corner cases that break that assumption.

Instead, solutions exist that are more robust: using rng-tools with
jitterentropy, or haveged. Or a recent kernel (5.3+) that already uses
(some kind of) jitterentropy to seed /dev/random.

> What about moving S20urandom into a package urandom-scripts
> (similar to ifupdown-scripts)?

That would be the least of all evils about this! ;-)

I'm going to have a look at your patch now.

Thanks for your persistence! (pun intended! ;-] )

Regards,
Yann E. MORIN.