[Cryptography] where shall we put the random-seed?
Ralf Senderek
crypto at senderek.ie
Tue Dec 27 12:07:35 EST 2016
On Mon, 26 Dec 2016, John Denker wrote:
> 1) On an ordinary full-featured desktop, laptop, or server system,
> the obvious choice is
> /var/lib/systemd/random-seed (for recent Ubuntu systems), and
> /var/lib/urandom/random-seed (for everybody else)

It seems that we are far ahead in standardisation, as FWICT, all systems
I've looked at have it in /var/lib/systemd/random-seed including Fedora
and CentOS.

> That is where the system startup and shutdown scripts expect to find
> it. The plan is to teach grub to look for it there, and to pass it
> to the kernel, so that it is available from time t=0 onwards during
> the boot-up process.
>
> Open issues include:

At the moment, we have a BIG TIMING issue. This is an excerpt from my
laptop's boot process (kernel 4.8.12-300.fc25.x86_64):

[root@lap ~]# journalctl -b|grep random
Dez 27 14:54:53 lap.senderek.ie kernel: random: systemd: uninitialized urandom read (16 bytes read)
Dez 27 14:54:53 lap.senderek.ie kernel: random: systemd: uninitialized urandom read (16 bytes read)
Dez 27 14:54:53 lap.senderek.ie kernel: random: systemd: uninitialized urandom read (16 bytes read)
Dez 27 14:54:53 lap.senderek.ie kernel: random: systemd: uninitialized urandom read (16 bytes read)
Dez 27 14:54:53 lap.senderek.ie kernel: random: systemd: uninitialized urandom read (16 bytes read)
Dez 27 14:54:53 lap.senderek.ie kernel: random: systemd: uninitialized urandom read (16 bytes read)
Dez 27 14:54:53 lap.senderek.ie kernel: random: systemd: uninitialized urandom read (16 bytes read)
Dez 27 14:54:53 lap.senderek.ie kernel: random: systemd: uninitialized urandom read (16 bytes read)
Dez 27 14:54:53 lap.senderek.ie kernel: random: systemd: uninitialized urandom read (16 bytes read)
Dez 27 14:54:53 lap.senderek.ie kernel: random: systemd: uninitialized urandom read (16 bytes read)
Dez 27 14:54:54 lap.senderek.ie kernel: random: fast init done
Dez 27 14:54:56 lap.senderek.ie kernel: random: crng init done
Dez 27 14:54:56 lap.senderek.ie audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=systemd-random-seed comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'

The systemd process that loads the random-seed file starts 3 seconds
after the boot process gets grub's boot parameters at 14:54:53.
Making sure the kernel initializes the RNG at time=0 is as yet an
unsolved problem.
--ralf
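
Added example, not part of the original post: a small Python audit of `journalctl -b | grep random` output that counts the reads served before "crng init done" and reports when the systemd-random-seed unit started. The function names and the sample log are constructed for illustration; offsets are measured from the first timestamped record in the input, and the log is assumed not to cross midnight.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample in the journalctl format quoted above (not the poster's log);
# the third record is wrapped the way a mail client would wrap it.
SAMPLE = """\
Dec 27 14:54:53 host kernel: random: systemd: uninitialized urandom read (16 bytes read)
Dec 27 14:54:53 host kernel: random: systemd: uninitialized urandom read (16 bytes read)
Dec 27 14:54:53 host kernel: random: systemd-udevd: uninitialized
urandom read (16 bytes read)
Dec 27 14:54:54 host kernel: random: fast init done
Dec 27 14:54:56 host kernel: random: crng init done
Dec 27 14:54:56 host audit[1]: SERVICE_START pid=1 uid=0 msg='unit=systemd-random-seed res=success'
"""

TS = re.compile(r"^\S+\s+\d+\s+(\d\d:\d\d:\d\d)\s")  # month token is locale-dependent
EARLY = re.compile(r"kernel: random: (\S+): uninitialized urandom read \((\d+) bytes read\)")

def records(text):
    """Re-join wrapped lines so each record starts with a timestamp."""
    out = []
    for line in text.splitlines():
        if TS.match(line) or not out:
            out.append(line.strip())
        else:
            out[-1] += " " + line.strip()
    return out

def audit_boot(text):
    """Count reads served before CRNG init and time the seed unit (same-day log assumed)."""
    readers, nbytes, first, crng, seed = Counter(), 0, None, None, None
    for rec in records(text):
        m = TS.match(rec)
        if not m:
            continue  # e.g. the shell prompt line
        t = datetime.strptime(m.group(1), "%H:%M:%S")
        first = first or t
        e = EARLY.search(rec)
        if e:
            readers[e.group(1)] += 1
            nbytes += int(e.group(2))
        elif "random: crng init done" in rec:
            crng = crng or t
        elif "SERVICE_START" in rec and "unit=systemd-random-seed" in rec:
            seed = seed or t
    secs = lambda t: None if t is None else int((t - first).total_seconds())
    return {"early_reads": dict(readers), "early_bytes": nbytes,
            "crng_init_s": secs(crng), "seed_unit_s": secs(seed)}

if __name__ == "__main__":
    print(audit_boot(SAMPLE))
```

A non-empty `early_reads` together with a `seed_unit_s` greater than zero is the timing gap described in the message: processes drew from urandom before the saved seed was loaded.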