mirror of
https://github.com/Telecominfraproject/OpenNetworkLinux.git
synced 2025-12-25 17:27:01 +00:00
e12e40f335
We start using Linux RNG from initrd with low entropy pools and random data quality might not be good. Kernel warns us about the problem with following messages in dmesg(1): [ 4.786307] random: onl-mounts: uninitialized urandom read (16 bytes read, 46 bits of entropy available) [ 5.307536] random: onl-mounts: uninitialized urandom read (16 bytes read, 83 bits of entropy available) [ 5.354480] random: blkid: uninitialized urandom read (6 bytes read, 89 bits of entropy available) [ 5.366963] random: blkid: uninitialized urandom read (6 bytes read, 90 bits of entropy available) [ 5.379385] random: blkid: uninitialized urandom read (6 bytes read, 90 bits of entropy available) [ 5.391910] random: blkid: uninitialized urandom read (6 bytes read, 90 bits of entropy available) [ 5.546389] random: onl-pki: uninitialized urandom read (16 bytes read, 96 bits of entropy available) [ 8.881398] random: mktemp: uninitialized urandom read (6 bytes read, 109 bits of entropy available) [ 9.026771] random: swiget: uninitialized urandom read (16 bytes read, 109 bits of entropy available) Since main rootfs isn't mounted we can't load entropy saved from previous runtime by systemd-random-seed (for systemd) and /etc/init.d/urandom (for sysvinit). Moreover even if we able to load this data, direct write to /dev/urandom or /dev/random does not change entropy count according to random(4) man page and /proc/sys/kernel/random/entropy_avail contents after loading data to /dev/urandom or /dev/random. To address this we should generate pseudo random data suitable for use as RNG seed based on frequently changed information in system and use some cryptographic grade hash to hide this info from RNG. Use MIT licensed initrng.py Python implementation for Linux RNG early init to seed RNG before executing onl-mounts and other stuff from early userspace in initramfs. Signed-off-by: Sergey Popovich <sergey.popovich@ordnance.co>