Re: where to set/override entropy $random_file location?

[RVP <rvp%SDF.ORG@localhost>]

On Mon, 13 Oct 2025, Steve Rikli wrote:

> Ah, I hadn't considered that. After briefly looking at FreeBSD's cron
> for regular entropy regeneration, I wondered if perhaps that duty needs
> to be part of NetBSD /etc/security script at all.

Or, a different script called from /etc/security. A first cut is:

---START---
#!/bin/sh
#
# Check if /boot.cfg & /etc/rc.conf entropy files match.

emsg() {
	printf 1>&2 "$@"
}

# Check /boot.cfg default values.
#
# Treat differing rndseed= values as bogus, rather than as overrides.
#
boot_default_matches=$(
  sed -ne '\|^START /boot.cfg|,\|^END /boot.cfg|p' $0 |
  sed -nEe 's/^rndseed=(.+)$/\1/p' |
  sort -u
# /boot.cfg | sort -u
)

if [ -z "$boot_default_matches" ]
then	emsg "NOTE: no default rndseed= values found.\n"
	nc=0
else	nc=$(echo "$boot_default_matches" | wc -l)
fi

case $((nc + 0)) in
0)	;;
1)	boot_rndseed=$boot_default_matches
	;;
*)	emsg "ERROR: rndseed= values aren't the same:\n\n"
	emsg "$boot_default_matches\n"
	exit 1
	;;
esac


# Check /boot.cfg menu= values.
#
# Menu entries values override default values (and, only the 1st one in a line).
# No way to know which entry we've booted from, so choke on differing
# rndseed values.
#
boot_menu_matches=$(
  sed -ne '\|^START /boot.cfg|,\|^END /boot.cfg|p' $0 |
  sed -nEe 's/^menu=.+[:;]rndseed[[:blank:]]+([^;]+).+$/\1/p' | sort -u
# /boot.cfg | sort -u
)

if [ -z "$boot_menu_matches" ]
then	emsg "NOTE: no menu rndseed values found.\n"
	nm=0
else	nm=$(echo "$boot_menu_matches" | wc -l)
fi

case $((nm + 0)) in
0)	;;
1)	boot_rndseed=$boot_menu_matches
	;;
*)	emsg "ERROR: rndseed menu values aren't the same:\n\n"
	emsg "$boot_menu_matches\n"
	exit 1
	;;
esac


# Compare default and menu rndseed values.
#
# if [ \( $nc -eq 1 -a $nm -eq 1 \) -a "$boot_default_matches" != "$boot_menu_matches" ]
# then	emsg "ERROR: mismatch in /boot.cfg:\n\n"
# 	emsg 'default:\t%s\n' "$boot_default_matches"
# 	emsg 'menu:\t%s\n' "$boot_menu_matches"
# 	exit 1
# fi


# Compare /boot.cfg & /etc/rc.conf entropy files.
#

# read line <<EoF
# $(fgrep random_file= /etc/rc.conf)
# EoF
# echo "$line"
# eval $line; unset line

matches=$(
  sed -ne '\|^START /etc/rc.conf|,\|^END /etc/rc.conf|p' $0 |
  fgrep random_file=
)
# matches=$(fgrep random_file= /etc/rc.conf)
eval "$matches"; unset matches

if [ -z "$boot_rndseed" -a -z "$random_file" ]
then	emsg "ERROR: no entropy file set anywhere.\n"
	exit 1
fi

if [ "${boot_rndseed:-$random_file}" != "${random_file:-$boot_rndseed}" ]
then	emsg "ERROR: mismatch:\n\n"
	emsg 'boot.cfg:\t%s\n' "$boot_rndseed"
	emsg '/etc/rc.conf:\t%s\n' "$random_file"
	exit 1
fi

echo "${0##*/}: /boot.cfg & /etc/rc.conf entropy files are consistent."
exit 0




#
# Test data
#

START /boot.cfg
menu=Boot normally:rndseed /etc/entropy-file;gop 0;boot
menu=Boot GENERIC:gop 0;rndseed 	/etc/entropy-file;boot /netbsd.GENERIC
# menu=Boot KASLR:gop 0;rndseed /var/db/entropy-file;pkboot /netbsd.KASLR
menu=Boot DIAG:gop 0;boot /netbsd.DIAG -vx
menu=Boot single user:boot -s
menu=Drop to boot prompt:prompt
default=1
timeout=60
clear=1
rndseed=/var/db/entropy-file
# rndseed=/etc/entropy-file
userconf=disable i915drmkms*
# userconf=disable dwiic*
# userconf=disable sdhc*
# kconsdev=pc

END /boot.cfg




START /etc/rc.conf

foo=FOO
bar=BAR
# random_file=/non-existent
# random_file=/var/db/entropy-file
random_file=/etc/entropy-file

END /etc/rc.conf
---END---

-RVP