[PATCH] openssh: Allow enable/disable of rng-tools recommendation on sshd

[PATCH] openssh: Allow enable/disable of rng-tools recommendation on sshd

[Otavio Salvador]

We are adding a new PACKAGECONFIG option ('rng-tools') to control if we
wish the openssh-sshd to RRECOMMENDS the 'rng-tools' package. We are
enabling it by default so there is no behavior change.

Signed-off-by: Otavio Salvador <otavio@ossystems.com.br>
---

 meta/recipes-connectivity/openssh/openssh_8.3p1.bb | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/meta/recipes-connectivity/openssh/openssh_8.3p1.bb b/meta/recipes-connectivity/openssh/openssh_8.3p1.bb
index fad321898c..e007328704 100644
--- a/meta/recipes-connectivity/openssh/openssh_8.3p1.bb
+++ b/meta/recipes-connectivity/openssh/openssh_8.3p1.bb
@@ -42,12 +42,15 @@ SYSTEMD_SERVICE_${PN}-sshd = "sshd.socket"
 
 inherit autotools-brokensep ptest
 
-PACKAGECONFIG ??= ""
+PACKAGECONFIG ??= "rng-tools"
 PACKAGECONFIG[kerberos] = "--with-kerberos5,--without-kerberos5,krb5"
 PACKAGECONFIG[ldns] = "--with-ldns,--without-ldns,ldns"
 PACKAGECONFIG[libedit] = "--with-libedit,--without-libedit,libedit"
 PACKAGECONFIG[manpages] = "--with-mantype=man,--with-mantype=cat"
 
+# Add RRECOMMENDS to rng-tools for sshd package
+PACKAGECONFIG[rng-tools] = ""
+
 EXTRA_AUTORECONF += "--exclude=aclocal"
 
 # login path is hardcoded in sshd
@@ -149,7 +152,10 @@ FILES_${PN}-keygen = "${bindir}/ssh-keygen"
 
 RDEPENDS_${PN} += "${PN}-scp ${PN}-ssh ${PN}-sshd ${PN}-keygen"
 RDEPENDS_${PN}-sshd += "${PN}-keygen ${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'pam-plugin-keyinit pam-plugin-loginuid', '', d)}"
-RRECOMMENDS_${PN}-sshd_append_class-target = " rng-tools"
+RRECOMMENDS_${PN}-sshd_append_class-target = "\
+    ${@bb.utils.filter('PACKAGECONFIG', 'rng-tools', d)} \
+"
+
 # gdb would make attach-ptrace test pass rather than skip but not worth the build dependencies
 RDEPENDS_${PN}-ptest += "${PN}-sftp ${PN}-misc ${PN}-sftp-server make sed sudo coreutils"
 
-- 
2.28.0

Re: [OE-core] [PATCH] openssh: Allow enable/disable of rng-tools recommendation on sshd

[Jack Mitchell]

On 24/09/2020 20:58, Otavio Salvador wrote:
> We are adding a new PACKAGECONFIG option ('rng-tools') to control if we
> wish the openssh-sshd to RRECOMMENDS the 'rng-tools' package. We are
> enabling it by default so there is no behavior change.
> 
> Signed-off-by: Otavio Salvador <otavio@ossystems.com.br>
> ---
> 
>  meta/recipes-connectivity/openssh/openssh_8.3p1.bb | 10 ++++++++--
>  1 file changed, 8 insertions(+), 2 deletions(-)
> 
> diff --git a/meta/recipes-connectivity/openssh/openssh_8.3p1.bb b/meta/recipes-connectivity/openssh/openssh_8.3p1.bb
> index fad321898c..e007328704 100644
> --- a/meta/recipes-connectivity/openssh/openssh_8.3p1.bb
> +++ b/meta/recipes-connectivity/openssh/openssh_8.3p1.bb
> @@ -42,12 +42,15 @@ SYSTEMD_SERVICE_${PN}-sshd = "sshd.socket"
>  
>  inherit autotools-brokensep ptest
>  
> -PACKAGECONFIG ??= ""
> +PACKAGECONFIG ??= "rng-tools"
>  PACKAGECONFIG[kerberos] = "--with-kerberos5,--without-kerberos5,krb5"
>  PACKAGECONFIG[ldns] = "--with-ldns,--without-ldns,ldns"
>  PACKAGECONFIG[libedit] = "--with-libedit,--without-libedit,libedit"
>  PACKAGECONFIG[manpages] = "--with-mantype=man,--with-mantype=cat"
>  
> +# Add RRECOMMENDS to rng-tools for sshd package
> +PACKAGECONFIG[rng-tools] = ""
> +
>  EXTRA_AUTORECONF += "--exclude=aclocal"
>  
>  # login path is hardcoded in sshd
> @@ -149,7 +152,10 @@ FILES_${PN}-keygen = "${bindir}/ssh-keygen"
>  
>  RDEPENDS_${PN} += "${PN}-scp ${PN}-ssh ${PN}-sshd ${PN}-keygen"
>  RDEPENDS_${PN}-sshd += "${PN}-keygen ${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'pam-plugin-keyinit pam-plugin-loginuid', '', d)}"
> -RRECOMMENDS_${PN}-sshd_append_class-target = " rng-tools"
> +RRECOMMENDS_${PN}-sshd_append_class-target = "\
> +    ${@bb.utils.filter('PACKAGECONFIG', 'rng-tools', d)} \
> +"
> +
>  # gdb would make attach-ptrace test pass rather than skip but not worth the build dependencies
>  RDEPENDS_${PN}-ptest += "${PN}-sftp ${PN}-misc ${PN}-sftp-server make sed sudo coreutils"
>  
> 

While rng-tools has also been causing havoc with my images as it seems
ARM soc support for whatever underlying generator it uses is spotty,
this seems to be an abuse of packageconfig. Would something like:

BAD_RECOMMENDATIONS_pn-openssh = "rng-tools"

Not perform the same function?

Regards,
Jack.

Re: [OE-core] [PATCH] openssh: Allow enable/disable of rng-tools recommendation on sshd

[Ross Burton]

On Fri, 25 Sep 2020 at 09:51, Jack Mitchell <ml@embed.me.uk> wrote:
> While rng-tools has also been causing havoc with my images as it seems
> ARM soc support for whatever underlying generator it uses is spotty,
> this seems to be an abuse of packageconfig. Would something like:
>
> BAD_RECOMMENDATIONS_pn-openssh = "rng-tools"
>
> Not perform the same function?

It would, but I don't see this being an abuse of PACKAGECONFIG at all.
It's a configuration option that is configuring the package.

Ross

Re: [OE-core] [PATCH] openssh: Allow enable/disable of rng-tools recommendation on sshd

[Ross Burton]

On Thu, 24 Sep 2020 at 20:58, Otavio Salvador <otavio.salvador@gmail.com> wrote:
> We are adding a new PACKAGECONFIG option ('rng-tools') to control if we
> wish the openssh-sshd to RRECOMMENDS the 'rng-tools' package. We are
> enabling it by default so there is no behavior change.

Is this fundamentally because many targets now have hardware RNGs that
the kernel is using, and so rng-tools serves no purpose?

This was originally added with data from iMX6 (oe-core
9b01375236e19e3366c58877c4154d7c71632984) and I'm curious if this
followup is related to other improvements that have been made to iMX6
since. Is there a better user space tool, or is the kernel using the
hardware RNG out of the box?

I ask because I'm strongly tempted to argue that we should be assuming
that a RNG is available and let BSPs turn this on if required.

Ross

Re: [OE-core] [PATCH] openssh: Allow enable/disable of rng-tools recommendation on sshd

[Richard Purdie]

On Fri, 2020-09-25 at 10:58 +0100, Ross Burton wrote:
> On Thu, 24 Sep 2020 at 20:58, Otavio Salvador <
> otavio.salvador@gmail.com> wrote:
> > We are adding a new PACKAGECONFIG option ('rng-tools') to control
> > if we
> > wish the openssh-sshd to RRECOMMENDS the 'rng-tools' package. We
> > are
> > enabling it by default so there is no behavior change.
> 
> Is this fundamentally because many targets now have hardware RNGs
> that
> the kernel is using, and so rng-tools serves no purpose?
> 
> This was originally added with data from iMX6 (oe-core
> 9b01375236e19e3366c58877c4154d7c71632984) and I'm curious if this
> followup is related to other improvements that have been made to iMX6
> since. Is there a better user space tool, or is the kernel using the
> hardware RNG out of the box?
> 
> I ask because I'm strongly tempted to argue that we should be
> assuming
> that a RNG is available and let BSPs turn this on if required.

BSPs probably shouldn't be changing openssh configuration individually.
I have merged the patch since I think it is good that we have a
configuration option for it though. Its more appropriate for a DISTRO
to set.

How we could make this configurable on a machine basis is an open
question...

Cheers,

Richard

Re: [OE-core] [PATCH] openssh: Allow enable/disable of rng-tools recommendation on sshd

[Jack Mitchell]

On 25/09/2020 10:58, Ross Burton wrote:
> On Thu, 24 Sep 2020 at 20:58, Otavio Salvador <otavio.salvador@gmail.com> wrote:
>> We are adding a new PACKAGECONFIG option ('rng-tools') to control if we
>> wish the openssh-sshd to RRECOMMENDS the 'rng-tools' package. We are
>> enabling it by default so there is no behavior change.
> 
> Is this fundamentally because many targets now have hardware RNGs that
> the kernel is using, and so rng-tools serves no purpose?
> 
> This was originally added with data from iMX6 (oe-core
> 9b01375236e19e3366c58877c4154d7c71632984) and I'm curious if this
> followup is related to other improvements that have been made to iMX6
> since. Is there a better user space tool, or is the kernel using the
> hardware RNG out of the box?
> 

While I haven't had the time to explore the issue fully on my boards,
the issue I have specifically is that when the board is powered for a
short amount of time, systemd gets stuck on shutting down as rngd is
blocking for (I assume) a certain amount of entropy for it to enter the
ready state. Whether this is down to the specific hardware rng support
on my board, or possibly the lack of it being enabled I haven't dug into
yet.

> I ask because I'm strongly tempted to argue that we should be assuming
> that a RNG is available and let BSPs turn this on if required.
> 
> Ross
> 
> 
> 
> 
> 

Re: [OE-core] [PATCH] openssh: Allow enable/disable of rng-tools recommendation on sshd

[Otavio Salvador]

Em sex., 25 de set. de 2020 às 06:58, Ross Burton <ross@burtonini.com> escreveu:
> On Thu, 24 Sep 2020 at 20:58, Otavio Salvador <otavio.salvador@gmail.com> wrote:
> > We are adding a new PACKAGECONFIG option ('rng-tools') to control if we
> > wish the openssh-sshd to RRECOMMENDS the 'rng-tools' package. We are
> > enabling it by default so there is no behavior change.
>
> Is this fundamentally because many targets now have hardware RNGs that
> the kernel is using, and so rng-tools serves no purpose?
>
> This was originally added with data from iMX6 (oe-core
> 9b01375236e19e3366c58877c4154d7c71632984) and I'm curious if this
> followup is related to other improvements that have been made to iMX6
> since. Is there a better user space tool, or is the kernel using the
> hardware RNG out of the box?

Exactly, we can use it from the kernel and most of time it is of no-use.

> I ask because I'm strongly tempted to argue that we should be assuming
> that a RNG is available and let BSPs turn this on if required.

I added this enabled by default so we can backport it to Dunfell (as
it won't change the current behavior). For master, we can turn it off
and let distro to enable it if need.

I'd like to get this one merged first (and send the backport request)
and then I can send a patch to disable it.

-- 
Otavio Salvador                             O.S. Systems
http://www.ossystems.com.br        http://code.ossystems.com.br
Mobile: +55 (53) 9 9981-7854          Mobile: +1 (347) 903-9750

Re: [OE-core] [PATCH] openssh: Allow enable/disable of rng-tools recommendation on sshd

[Khem Raj]

On Fri, Sep 25, 2020 at 2:58 AM Ross Burton <ross@burtonini.com> wrote:
>
> On Thu, 24 Sep 2020 at 20:58, Otavio Salvador <otavio.salvador@gmail.com> wrote:
> > We are adding a new PACKAGECONFIG option ('rng-tools') to control if we
> > wish the openssh-sshd to RRECOMMENDS the 'rng-tools' package. We are
> > enabling it by default so there is no behavior change.
>
> Is this fundamentally because many targets now have hardware RNGs that
> the kernel is using, and so rng-tools serves no purpose?
>
> This was originally added with data from iMX6 (oe-core
> 9b01375236e19e3366c58877c4154d7c71632984) and I'm curious if this
> followup is related to other improvements that have been made to iMX6
> since. Is there a better user space tool, or is the kernel using the
> hardware RNG out of the box?
>

perhaps haveged is an option to consider.

> I ask because I'm strongly tempted to argue that we should be assuming
> that a RNG is available and let BSPs turn this on if required.
>
> Ross
>
> 
>