Current-Users archive


Re: nothing contributing entropy in Xen domUs? or dom0!!!



On Wed, 31 Mar 2021, Greg A. Woods wrote:

collect and "estimate" _and_ despite the fact there's a valid-looking
$random_file that was saved and reloaded by /etc/rc.d/random_seed (and
saved again every day by /etc/security):

# ls -l /etc/entropy-file
-rw-------  1 root  wheel  536 Mar 31 04:15 /etc/entropy-file
# rndctl -l
Source                 Bits Type      Flags
/dev/random               0 ???  estimate, collect, v
seed                      0 ???  estimate, collect, v


Does this /etc/entropy-file match what's there in your /boot.cfg?

On my laptop $random_file is left at the default which is:
        /var/db/entropy-file

The kernel loads this file as directed by /boot.cfg:
$ cat /boot.cfg
menu=Boot normally:rndseed /var/db/entropy-file;boot
menu=Boot single user:rndseed /var/db/entropy-file;boot -s
menu=Drop to boot prompt:prompt
default=1
timeout=5
clear=1
$ fgrep seed /var/run/dmesg.boot
entropy: entering seed from bootloader with 256 bits of entropy
$

You can see this as `seed':
$ sudo rndctl -l | egrep 'Source|/random|seed'
Source                 Bits Type      Flags
/dev/random               0 ???  estimate, collect, v
seed                    256 ???  estimate, collect, v
$

And after running a script to feed true RNs into /dev/random,
that, too, is seeded:
$ rndseed.sh
$ sudo rndctl -l | egrep 'Source|/random|seed'
Source                 Bits Type      Flags
/dev/random            1024 ???  estimate, collect, v
seed                    256 ???  estimate, collect, v
$
$ cat ~/bin/rndseed.sh
#!/bin/sh

set -eu
sudo -v
curl -G -s -S -d nbytes=128 -d fmt=bin \
        -d apikey=HB16tJ1vyL8SG3BGaN0bFXG6znB \
        https://www.fourmilab.ch/cgi-bin/Hotbits.api |
sudo dd of=/dev/random msgfmt=quiet
if [ $(expr $(uname -r) : '\([0-9.][0-9.]*\)') != 9.1 ]
then    sudo sysctl -w kern.entropy.consolidate=1
fi
$

Hope that helps.

-RVP

PS. Generate an API key here: https://fourmilab.ch/hotbits/
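
One way to run the check asked about above (does the seed file saved by /etc/rc.d/random_seed match the `rndseed` path in /boot.cfg?), as an added example that is not part of the original message. The function names and the sample file are constructed here, and it assumes `rndseed` paths are written without a device prefix, as in the boot.cfg shown.

```shell
#!/bin/sh
# Added example: verify that the seed file the bootloader loads (rndseed in
# boot.cfg) is the same file rc.d/random_seed saves ($random_file).

# Print the file argument of every rndseed command in a boot.cfg, one per line.
# Assumes "menu=description:cmd;cmd" lines, as in the boot.cfg quoted above.
rndseed_paths() {
	sed -n 's/^menu=[^:]*://p' "$1" | tr ';' '\n' |
	    awk '$1 == "rndseed" && NF >= 2 { print $2 }'
}

# check_seed_match BOOTCFG RANDOM_FILE
# Returns 0 if every rndseed command loads RANDOM_FILE, 1 if any loads a
# different file, 2 if no menu entry uses rndseed at all.
check_seed_match() {
	cfg=$1
	want=$2
	paths=$(rndseed_paths "$cfg")
	if [ -z "$paths" ]; then
		echo "no rndseed command in $cfg"
		return 2
	fi
	status=0
	for p in $paths; do
		if [ "$p" != "$want" ]; then
			echo "mismatch: bootloader loads $p, rc.d saves $want"
			status=1
		fi
	done
	return $status
}

# Demo on a constructed copy of the boot.cfg from the message.
demo_cfg=$(mktemp)
cat > "$demo_cfg" <<'EOF'
menu=Boot normally:rndseed /var/db/entropy-file;boot
menu=Boot single user:rndseed /var/db/entropy-file;boot -s
menu=Drop to boot prompt:prompt
default=1
EOF
check_seed_match "$demo_cfg" /var/db/entropy-file && echo "seed paths agree"
check_seed_match "$demo_cfg" /etc/entropy-file || echo "status $?"
rm -f "$demo_cfg"
```

On a real system, pass /boot.cfg and the value of $random_file in effect; a status of 1 means the file saved at shutdown is not the one the bootloader hands to the kernel.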

