svn commit: r239569 - head/etc/rc.d

[Peter Jeremy]

On 2012-Sep-03 16:00:22 -0700, Doug Barton <dougb at freebsd.org> wrote:
>The static files are provided as a means to stir the pool to unblock the
>device at boot time.

As far as I can tell, this is no longer required.  Both the Yarrow and
Nehemiah Padlock generators initialise to "seeded" and there is no
provision (other than sysctl) to "unseed" them.  Yarrow will begin
collecting entropy as soon as the random device receives a MOD_LOAD
event during kernel startup.

>Ummm ... I think you have the logic backwards on this. :) We have a
>system, designed with fairly thorough knowledge of how Yarrow works, and
>taking all possible scenarios into account. It's stood the test of time
>for many years now.

Has anyone actually done a security analysis of our random(4)?

>What if, instead of replacing /entropy, we add an additional file in
>/var/db/entropy at boot time that is numerically 1 higher than
>$entropy_save_num ?

That sounds like a reasonable idea.

> (Note, I have to fix the rotation script to account
>for this, but I have had "improve the rotation script" on my TODO list
>for a long time now, and this is a good excuse for me to get a round
>'tuit.)

You might like to look at kern/134225 (which is misfiled, sorry).

-- 
Peter Jeremy
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 196 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/freebsd-rc/attachments/20120904/910b70e8/attachment.pgp