svn commit: r346250 - in head: share/man/man4 share/man/man9 sys/dev/random sys/kern sys/libkern sys/sys

Rodney W. Grimes freebsd at gndrsh.dnsmgr.net
Tue Apr 16 15:54:18 UTC 2019


> On Tue, Apr 16, 2019 at 9:16 AM Ian Lepore <ian at freebsd.org> wrote:
> 
> > On Tue, 2019-04-16 at 07:18 -0600, Warner Losh wrote:
> > > On Tue, Apr 16, 2019, 7:04 AM Emmanuel Vadot <manu at bidouilliste.com>
> > > wrote:
> > >
> > > > On Mon, 15 Apr 2019 17:54:56 -0700
> > > > Conrad Meyer <cem at freebsd.org> wrote:
> > > >
> > > > > On Mon, Apr 15, 2019 at 5:53 PM Conrad Meyer <cem at freebsd.org>
> > > > > wrote:
> > > > > > E.g., the CI infrastructure for
> > > > > > Riscv/Arm is/was generating minimal filesystem images and not
> > > > > > populating /boot/entropy.
> > > > >
> > > > > I should add, I say "is/was" because I have a PR out which may
> > > > > address
> > > > > the problem: https://github.com/freebsd/freebsd-ci/pull/31
> > > > >
> > > > > Best,
> > > > > Conrad
> > > >
> > > >  It's not only CI, all release images (memstick, iso) don't have
> > > > a /boot/entropy.
> > > >  Also all arm/arm64 image don't have this file too.
> > > >  If /boot/entropy is needed and isn't present loader(8) should
> > > > gather
> > > > some entropy and pass this to the kernel for the first boot.
> > > >
> > >
> > > Maybe we need to bootstrap the entropy file as part of buildworld.
> > > I'm not
> > > sure if the loader can find enough...
> > >
> > >
> > Isn't a file full of data which is distributed in identical form to
> > everyone the exact opposite of entropy?
> >
> 
> It's just to bootstrap entropy for installs. The CI stuff doesn't matter if
> that's the same since the CI images aren't exposed to the internet in any
> way that would make it matter.

Incorrect, the CI artifacts are publicly available.  I in fact have
Makefiles that take any given CI build artifact set and create a VM
from it; I use this for bisecting failures and other testing.

> The normal install would have the same seeds
> of entropy, but diverge from there fairly quickly. The stuff that's used
> early in the install is the don't care sort of things that won't matter in
> the installer (which then creates its own entropy that's different for
> every install).

I have concerns here: if I use a distribution with canned entropy
in it to make a file system that is snapshotted, aka frozen in time,
its entropy would be repeatable.  This file system is never run
through any installer; it is, I believe, how most of the Cloud images
are created.

> Warner
-- 
Rod Grimes                                                 rgrimes at freebsd.org