NetBSD-Bugs archive


Re: misc/59709: inconsistent entropy $random_file locations settings



PR misc/59709:
  location of the entropy random_file should be defined in one place, rc.conf

changes:
1. add missing random_file variable to /etc/defaults/rc.conf; sysinst already
   creates this setting in /etc/rc.conf but it is not documented

2. add 'checkpoint' verb to /etc/rc.d/random_seed to distinguish from stop_cmd

3. modify /etc/security to call /etc/rc.d/random_seed directly instead of
   running duplicate 'rndctl' code

4. add new random_seed boolean to /etc/defaults/security.conf, remove
   now-unused random_file variable

5. add random_file description to rc.conf(5)

6. add random_seed description to security.conf(5), remove description for
   now-unused random_file

Note that status quo behavior is unchanged:  /etc/security still saves
system entropy periodically by default when run by daily cron. This fix
unifies the command and file location for those system entropy updates.

----
Index: etc/security
===================================================================
RCS file: /cvsroot/src/etc/security,v
retrieving revision 1.132
diff -u -r1.132 security
--- etc/security	21 Jul 2024 14:56:16 -0000	1.132
+++ etc/security	24 Oct 2025 15:42:39 -0000
@@ -1062,11 +1062,10 @@
 	CHANGELIST="$CHANGEFILES $CHANGELIST"
 fi
 
-# Save entropy to ${random_file} if defined, like
-# /etc/rc.d/random_seed.
+# Save entropy if enabled, using /etc/rc.d/random_seed.
 #
-if [ -n "${random_file:-}" ]; then
-	rndctl -S "$random_file"
+if checkyesno random_seed; then
+	/etc/rc.d/random_seed checkpoint
 fi
 
 # Special case backups, including the master password file and
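Review bot: the new guard `if checkyesno random_seed` tests a variable that this patch now defines in two defaults files (`random_seed=YES` in etc/defaults/rc.conf and `random_seed=YES` in etc/defaults/security.conf), so which file's value actually governs the daily save depends on which one /etc/security loads last; the replaced comment named the controlling variable explicitly, and the new comment "Save entropy if enabled" should say which configuration file's `random_seed` is meant. Also note that a local /etc/security.conf setting `random_file=` to empty, the documented way to disable this save until now, is silently ignored after this hunk because only `random_seed` is consulted.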
Index: etc/defaults/rc.conf
===================================================================
RCS file: /cvsroot/src/etc/defaults/rc.conf,v
retrieving revision 1.167
diff -u -r1.167 rc.conf
--- etc/defaults/rc.conf	5 Oct 2023 08:19:27 -0000	1.167
+++ etc/defaults/rc.conf	24 Oct 2025 15:42:39 -0000
@@ -387,6 +387,7 @@
 # Entropy load/save to/from /dev/random at startup/shutdown
 #
 random_seed=YES
+random_file=/var/db/entropy-file
 
 # Set to `check' to abort multi-user boot if not enough entropy, or
 # `wait' to wait until enough entropy, or `' (empty) to boot without
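Review bot: the added `random_file=/var/db/entropy-file` sits under a comment that only describes `random_seed` ("Entropy load/save to/from /dev/random at startup/shutdown"); add a line naming the seed file, e.g. `# Seed file loaded at startup and saved at shutdown`, so the new variable is self-documenting like its neighbours. The same path is also the fallback in etc/rc.d/random_seed (`random_file="${random_file:-/var/db/entropy-file}"`), so the two defaults now have to be kept in sync by hand.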
Index: etc/defaults/security.conf
===================================================================
RCS file: /cvsroot/src/etc/defaults/security.conf,v
retrieving revision 1.28
diff -u -r1.28 security.conf
--- etc/defaults/security.conf	10 Jan 2021 23:24:25 -0000	1.28
+++ etc/defaults/security.conf	24 Oct 2025 15:42:39 -0000
@@ -48,4 +48,4 @@
 max_loginlen=16
 max_grouplen=16
 
-random_file=/var/db/entropy-file
+random_seed=YES
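Review bot: `random_seed=YES` here reuses the exact name that etc/defaults/rc.conf already defines with a different meaning (boot-time load and shutdown save versus the periodic save run from /etc/security), and unlike the `random_file` line it replaces it carries no comment; add one, e.g. `# Save entropy to ${random_file} each time /etc/security runs`, so a reader of this file does not confuse the two settings.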
Index: etc/rc.d/random_seed
===================================================================
RCS file: /cvsroot/src/etc/rc.d/random_seed,v
retrieving revision 1.15
diff -u -r1.15 random_seed
--- etc/rc.d/random_seed	8 Sep 2020 12:52:18 -0000	1.15
+++ etc/rc.d/random_seed	24 Oct 2025 15:42:39 -0000
@@ -21,6 +21,8 @@
 rcvar=$name
 start_cmd="random_load"
 stop_cmd="random_save"
+checkpoint_cmd="random_save"
+extra_commands="checkpoint"
 
 random_file="${random_file:-/var/db/entropy-file}"
 
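Review bot: with `rcvar=$name` still in effect, confirm whether rc.subr applies the `random_seed` rcvar check to the new `checkpoint` extra command as well as to start/stop; if it does, `/etc/rc.d/random_seed checkpoint` from /etc/security becomes a no-op whenever rc.conf has `random_seed=NO`, regardless of the `random_seed=YES` in security.conf, and the caller would need the `force`/`one` prefix or the script a `checkpoint_precmd` that bypasses the check. A comment next to `checkpoint_cmd="random_save"` stating that it is intended for /etc/security would also help.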
Index: share/man/man5/rc.conf.5
===================================================================
RCS file: /cvsroot/src/share/man/man5/rc.conf.5,v
retrieving revision 1.194
diff -u -r1.194 rc.conf.5
--- share/man/man5/rc.conf.5	2 Oct 2024 15:56:37 -0000	1.194
+++ share/man/man5/rc.conf.5	24 Oct 2025 15:42:51 -0000
@@ -547,6 +547,12 @@
 .Xr quotacheck 8
 and
 .Xr quotaon 8 .
+.It Sy random_file
+Name of the entropy seed file used at boot.
+Default is
+.Pa /var/db/entropy-file
+as used by
+.Pa /etc/rc.d/random_seed .
 .It Sy random_seed
 Boolean value.
 During boot-up, runs the
Index: share/man/man5/security.conf.5
===================================================================
RCS file: /cvsroot/src/share/man/man5/security.conf.5,v
retrieving revision 1.44
diff -u -r1.44 security.conf.5
--- share/man/man5/security.conf.5	14 Nov 2024 19:57:41 -0000	1.44
+++ share/man/man5/security.conf.5	24 Oct 2025 15:42:51 -0000
@@ -165,6 +165,11 @@
 .It Sy check_pkg_signatures
 Checks the digital signature of all files installed by packages against
 the expected values stored in the packages database.
+.It Sy random_seed
+Save
+.Xr entropy 7
+seed file used at boot, by running 
+.Pa /etc/rc.d/random_seed.
 .El
 .Pp
 The variables described below can be set to modify the tests:
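Review bot: two mdoc problems in the new `random_seed` entry: the line `seed file used at boot, by running ` has trailing whitespace, and `.Pa /etc/rc.d/random_seed.` glues the full stop to the path argument, unlike the rc.conf.5 hunk which correctly writes `.Pa /etc/rc.d/random_seed .` with the punctuation as a separate argument. The sentence itself should also open with "Boolean value." and state the default (YES), matching the style of the other boolean entries in this file and of the `random_seed` entry in rc.conf(5).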
@@ -285,17 +290,6 @@
 and
 .Sy check_changelist
 instead of just keeping a current copy and a backup copy.
-.It Sy random_file
-Name of the entropy seed file used at boot.
-Default is
-.Pa /var/db/entropy-file
-as used by
-.Pa /etc/rc.d/random_seed .
-Set
-.Sy random_file
-to empty to disable saving a seed every time
-.Pa /etc/security
-runs.
 .El
 .Sh FILES
 .Bl -tag -width /etc/defaults/security.conf -compact
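Review bot: the removed text is the only place that told administrators how to turn the periodic save off ("Set random_file to empty to disable saving a seed every time /etc/security runs"); since the replacement knob is now `random_seed`, the new entry added earlier in this file should carry the equivalent instruction (set `random_seed=NO` in /etc/security.conf), otherwise the documented way to disable the save disappears with this hunk.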

