svn commit: r346250 - in head: share/man/man4 share/man/man9 sys/dev/random sys/kern sys/libkern sys/sys

Warner Losh imp at bsdimp.com
Tue Sep 3 14:07:49 UTC 2019


On Tue, Apr 16, 2019 at 9:51 AM Conrad Meyer <cem at freebsd.org> wrote:

> Hi Warner,
>
> On Tue, Apr 16, 2019 at 8:47 AM Warner Losh <imp at bsdimp.com> wrote:
> > On Tue, Apr 16, 2019 at 9:16 AM Ian Lepore <ian at freebsd.org> wrote:
> >> Isn't a file full of data which is distributed in identical form to
> >> everyone the exact opposite of entropy?
>
> Ian has the right idea.
>
> > It's just to bootstrap entropy for installs. The CI stuff doesn't matter
> > if that's the same since the CI images aren't exposed to the internet in
> > any way that would make it matter. The normal install would have the same
> > seeds of entropy, but diverge from there fairly quickly. The stuff that's
> > used early in the install is the don't care sort of things that won't
> > matter in the installer (which then creates its own entropy that's
> > different for every install).
>
> I agree that it would be safe, although potentially misleading and
> potentially dangerous, to create a fake entropy file for the installer
> images.  We need to be careful *not* to embed such files in .img files
> which are installed by 'dd' directly to a disk or flash or VM, for
> example.  It would be catastrophic to distribute the same entropy file
> to all FreeBSD AWS images.
>

In that case, we're better off having an MD routine that gets called if
there's no loader-provided entropy pool. It would be responsible for
generating it in an MD-defined way. It would handle it or call panic() based
on the requirements of the environment. This would answer the issue with
embedded systems that do not have any writable store (and requiring an NV
store is not even an option, so don't go there). It would let hardware with
an RNG generate something. It would let hardware without one get it from
wherever, which may be highly specific to different scenarios, or make the
conscious decision not to get it at all vs. panic, etc.

What we can't do is just hang if the loader can't provide an entropy pool.

Warner
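The fallback Warner sketches above, written out as an added example that is not FreeBSD code and not code from anyone in this thread. Everything here is an assumption for illustration: the `random_bootseed()` name, the `struct md_entropy_ops` hook table, the `md_seed_policy` enum, the `SRC_*` flags, the fake providers, and the XOR mixing (a real kernel would hash contributions into its entropy pool). What it shows is the decision structure: take the loader-provided pool when there is one, always fold in a hardware RNG when the platform has one, try a platform-specific fallback only when nothing else seeded the pool, and otherwise return an explicit panic-or-continue decision chosen by the MD policy instead of blocking.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BOOTSEED_LEN 32

/* Hypothetical policy for when no entropy source is available at boot. */
enum md_seed_policy {
	MD_SEED_REQUIRE,	/* fatal: caller must panic() */
	MD_SEED_ALLOW_UNSEEDED	/* boot, but leave the pool marked unseeded */
};

/* Which sources actually contributed (hypothetical flags). */
#define SRC_LOADER	0x1
#define SRC_HWRNG	0x2
#define SRC_MD_FALLBACK	0x4

/* Machine-dependent hooks (hypothetical). A provider returns the number of
 * bytes written; 0 means not present or nothing available. Either may be NULL. */
struct md_entropy_ops {
	enum md_seed_policy policy;
	size_t (*hwrng_read)(uint8_t *buf, size_t len);
	size_t (*fallback_read)(uint8_t *buf, size_t len);
};

struct bootseed {
	uint8_t pool[BOOTSEED_LEN];
	unsigned sources;	/* SRC_* bits */
	int seeded;		/* at least one source contributed */
	int must_panic;		/* policy says boot cannot continue */
};

/* Fold bytes into the pool. A real kernel hashes into its entropy pool; XOR is
 * only a self-contained stand-in for this example. */
static void
bootseed_mix(struct bootseed *bs, const uint8_t *buf, size_t len, unsigned src)
{
	size_t i;

	if (len == 0)
		return;
	for (i = 0; i < len; i++)
		bs->pool[i % BOOTSEED_LEN] ^= buf[i];
	bs->sources |= src;
	bs->seeded = 1;
}

/* Returns 0 when seeded, 1 when booting unseeded by policy, -1 when the caller
 * must panic(). It never blocks: a decision is always reached. */
int
random_bootseed(const uint8_t *loader_pool, size_t loader_len,
    const struct md_entropy_ops *ops, struct bootseed *bs)
{
	uint8_t tmp[BOOTSEED_LEN];

	memset(bs, 0, sizeof(*bs));
	/* 1. Loader-provided pool, when the loader found one. */
	if (loader_pool != NULL)
		bootseed_mix(bs, loader_pool, loader_len, SRC_LOADER);
	/* 2. Hardware RNG, when the platform has one, always contributes. */
	if (ops != NULL && ops->hwrng_read != NULL)
		bootseed_mix(bs, tmp, ops->hwrng_read(tmp, sizeof(tmp)), SRC_HWRNG);
	/* 3. Platform-specific fallback only if nothing else seeded us. */
	if (!bs->seeded && ops != NULL && ops->fallback_read != NULL)
		bootseed_mix(bs, tmp, ops->fallback_read(tmp, sizeof(tmp)), SRC_MD_FALLBACK);
	if (bs->seeded)
		return 0;
	/* 4. Nothing available: panic, or a conscious, recorded decision to run unseeded. */
	if (ops == NULL || ops->policy == MD_SEED_REQUIRE) {
		bs->must_panic = 1;
		return -1;
	}
	return 1;
}

/* Constructed stand-ins for the MD hooks; the bytes are a fixed pattern, not random. */
size_t fake_hwrng_present(uint8_t *buf, size_t len)
{
	size_t i;

	for (i = 0; i < len; i++)
		buf[i] = (uint8_t)(0xA5 ^ i);
	return len;
}

size_t fake_hwrng_absent(uint8_t *buf, size_t len)
{
	(void)buf; (void)len;
	return 0;
}

/* Exercises the four outcomes; returns 1 if all behave as described above. */
int bootseed_selftest(void)
{
	struct md_entropy_ops hw = { MD_SEED_REQUIRE, fake_hwrng_present, NULL };
	struct md_entropy_ops strict = { MD_SEED_REQUIRE, fake_hwrng_absent, NULL };
	struct md_entropy_ops lax = { MD_SEED_ALLOW_UNSEEDED, fake_hwrng_absent, NULL };
	uint8_t loader[BOOTSEED_LEN];
	struct bootseed bs;

	memset(loader, 0x11, sizeof(loader));	/* constructed loader pool */
	if (random_bootseed(loader, sizeof(loader), &hw, &bs) != 0 ||
	    bs.sources != (SRC_LOADER | SRC_HWRNG))
		return 0;
	if (random_bootseed(NULL, 0, &hw, &bs) != 0 || bs.sources != SRC_HWRNG)
		return 0;
	if (random_bootseed(NULL, 0, &strict, &bs) != -1 || !bs.must_panic)
		return 0;
	if (random_bootseed(NULL, 0, &lax, &bs) != 1 || bs.seeded || bs.must_panic)
		return 0;
	return 1;
}

int main(void)
{
	printf("bootseed selftest: %s\n", bootseed_selftest() ? "ok" : "FAILED");
	return 0;
}
```

Note what this code cannot decide: a loader pool being present says nothing about whether it is unique to this machine, which is exactly Conrad's concern about entropy files baked into `.img` files that are `dd`'d to disks or VMs. That is a decision for whoever builds the image, not for the seeding routine.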

