Source-Changes-HG archive


[src/trunk]: src/etc security(5): Check kern.entropy.needed for confident ent...



details:   https://anonhg.NetBSD.org/src/rev/4f3d514151ee
branches:  trunk
changeset: 377201:4f3d514151ee
user:      riastradh <riastradh%NetBSD.org@localhost>
date:      Fri Jun 30 21:42:29 2023 +0000

description:
security(5): Check kern.entropy.needed for confident entropy.

Don't test whether a non-blocking read from /dev/random would return
data.

For the sake of availability, /dev/random will unblock based on sources
like timer interrupts, which we can't confidently assert anything about
the actual unpredictability of.

Here, the goal is to highlight systems that have neither obtained
entropy from an HWRNG with a confident entropy assessment, nor been
seeded from a source the operator knows about.

XXX pullup-10
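The check the commit introduces, as an added shell example that is not NetBSD's own etc/security script: it reads kern.entropy.needed the same way, but keeps "sysctl printed nothing" (node absent, or an error swallowed by -q) apart from "the kernel still wants entropy", so an unknown state is never reported as fine. The function names entropy_status and check_entropy and the sample values are this example's own.

```sh
#!/bin/sh
# Added example, not NetBSD's etc/security: classify the value of
# kern.entropy.needed as the new security(5) check does, while keeping
# "no answer from sysctl" distinct from "entropy still needed".
# Function names are this example's own, not the project's.

# entropy_status VALUE
#   VALUE is the raw output of `sysctl -nq kern.entropy.needed`.
#   Prints:   ok | needed <bits> | unknown
#   Returns:  0 if no entropy is needed, 1 if some is, 2 if unknown.
entropy_status() {
    needed=$1
    case $needed in
    '' | *[!0-9]*)
        # Empty (node missing, or sysctl failed quietly under -q) or
        # not a number: nothing can be asserted, so never say "ok".
        echo unknown
        return 2
        ;;
    esac
    if [ "$needed" -eq 0 ]; then
        # The kernel's confident entropy assessment covers its needs.
        echo ok
        return 0
    fi
    # The kernel still counts itself short by this many bits.
    echo "needed $needed"
    return 1
}

# check_entropy
#   Live wrapper: asks the running kernel. Assumes a NetBSD sysctl(8)
#   that accepts -n and -q; on any other system the substitution is
#   empty and the result is "unknown".
check_entropy() {
    entropy_status "$(sysctl -nq kern.entropy.needed 2>/dev/null)"
}
```

Run `check_entropy` on a NetBSD host to see the live classification; the exit status (0, 1 or 2) lets a caller print a different message for the "unknown" case instead of folding it into the generic entropy warning.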

diffstat:

 etc/security |  5 ++---
 1 files changed, 2 insertions(+), 3 deletions(-)

diffs (21 lines):

diff -r 6fd1342ab0d2 -r 4f3d514151ee etc/security
--- a/etc/security      Fri Jun 30 21:42:05 2023 +0000
+++ b/etc/security      Fri Jun 30 21:42:29 2023 +0000
@@ -1,6 +1,6 @@
 #!/bin/sh -
 #
-#      $NetBSD: security,v 1.129 2021/11/04 12:40:00 nia Exp $
+#      $NetBSD: security,v 1.130 2023/06/30 21:42:29 riastradh Exp $
 #      from: @(#)security      8.1 (Berkeley) 6/9/93
 #
 
@@ -195,8 +195,7 @@ done | mtree -CM -k all > $SPECIALSPEC |
 # Check for enough entropy.
 #
 if checkyesno check_entropy; then
-       if ! dd if=/dev/random iflag=nonblock of=/dev/null bs=1 count=1 \
-           msgfmt=quiet 2>/dev/null; then
+       if [ "$(sysctl -nq kern.entropy.needed)" != 0 ]; then
                printf '\n'
                printf 'Entropy:\n'
                printf 'System may need more entropy for cryptography.\n'
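Review bot: the new test `[ "$(sysctl -nq kern.entropy.needed)" != 0 ]` also fires when sysctl prints nothing at all, since -q suppresses the error for a missing node (an older kernel without kern.entropy.needed, or a failed call), so "unknown" is reported with the same 'System may need more entropy for cryptography.' message as "still short of entropy". Failing closed is the right default here, but the operator cannot tell the two apart from the report; consider capturing the value first (e.g. `needed=$(sysctl -nq kern.entropy.needed)`) and printing a distinct line when it is empty, rather than only when it is a nonzero count.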


