[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
Re: bin/55917: /etc/rc.d/cgd stalls on encrypted swap partitions
The following reply was made to PR bin/55917; it has been noted by GNATS.
From: Taylor R Campbell <riastradh%NetBSD.org@localhost>
Subject: Re: bin/55917: /etc/rc.d/cgd stalls on encrypted swap partitions
Date: Sun, 10 Jan 2021 19:14:39 +0000
> Date: Sun, 10 Jan 2021 18:40:43 +0000 (UTC)
> From: schaecsn%gmx.net@localhost
> /etc/rc.d/cgd stalls in cgdconfig -C on encrypted swap partitions
> when following /wiki.netbsd.org/guide/cgd/
Side note: that's an old version of the guide; the one that is
maintained is <https://www.NetBSD.org/docs/guide/en/chap-cgd.html>.
I'm not really sure why we have a snapshot of the guide in the wiki;
we should maybe get rid of it and make it redirect.
> The stall happens only during boot. When invoking /etc/rc.d/cgd
> after completion of the boot process, cgdconfig does not stall. See
> cgdconfig(8) for an explanation:
> urandomkey The method simply reads /dev/urandom and uses the
> resulting bits as the key. This is similar to the
> randomkey method, but it guarantees that cgdconfig
> will not stall waiting for hard-random bits (usef=
> when configuring a cgd for swap at boot time).
> Please replace randomkey with urandomkey in section "Using a
> random-key cgd for swap".
If randomkey stalls at boot when you try to configure cgd, that
indicates that you probably don't have enough entropy to safely
generate an unpredictable key.
So if you switched it to urandomkey on a machine where it hangs with
randomkey, the encrypted swap wouldn't actually provide much security.
That said, in netbsd-current (which will become NetBSD 10), there is a
much better approach: setting vm.swap_encrypt=3D1 with sysctl; we will
probably turn it on by default on some architectures too.
Main Index |
Thread Index |