diff options
| -rw-r--r-- | etc/crontab | 3 | ||||
| -rw-r--r-- | etc/defaults/rc.conf | 3 | ||||
| -rw-r--r-- | etc/mtree/BSD.root.dist | 4 | ||||
| -rw-r--r-- | etc/rc | 36 | ||||
| -rw-r--r-- | libexec/Makefile | 1 | ||||
| -rw-r--r-- | libexec/save-entropy/Makefile | 10 | ||||
| -rwxr-xr-x | libexec/save-entropy/save-entropy.sh | 82 |
7 files changed, 129 insertions, 10 deletions
diff --git a/etc/crontab b/etc/crontab index 784980c48d63..1f0950efcbbc 100644 --- a/etc/crontab +++ b/etc/crontab @@ -8,6 +8,9 @@ HOME=/var/log # #minute hour mday month wday who command # +# save some entropy so that /dev/random can reseed on boot +*/3 * * * * operator /usr/libexec/save-entropy +# */5 * * * * root /usr/libexec/atrun # # rotate log files every hour, if necessary diff --git a/etc/defaults/rc.conf b/etc/defaults/rc.conf index b76156409d53..7e3d2767c48f 100644 --- a/etc/defaults/rc.conf +++ b/etc/defaults/rc.conf @@ -324,6 +324,9 @@ start_vinum="" # set to YES to start vinum unaligned_print="YES" # print unaligned access warnings on the alpha (or NO). entropy_file="/entropy" # Set to NO to disable caching entropy through reboots. # /var/db/entropy is preferred if / is not available. +entropy_dir="/.entropy" # Set to NO to disable caching entropy via cron. +entropy_save_sz="2048" # Size of the entropy cache files. +entropy_save_num="8" # Number of entropy cache files to save. ############################################################## ### Define source_rc_confs, the mechanism used by /etc/rc.* ## diff --git a/etc/mtree/BSD.root.dist b/etc/mtree/BSD.root.dist index e6e9a4d64c3a..0fc9833f2040 100644 --- a/etc/mtree/BSD.root.dist +++ b/etc/mtree/BSD.root.dist @@ -5,6 +5,10 @@ /set type=dir uname=root gname=wheel mode=0755 . +/set type=dir uname=operator gname=operator mode=0700 + .entropy + .. +/set type=dir uname=root gname=wheel mode=0755 bin .. boot @@ -102,16 +102,34 @@ chkdepend NIS nis_client_enable portmap portmap_enable # First pass at entropy recovery so the rebooting /dev/random can reseed. # +feed_dev_random() { + if [ -f "${1}" -a -r "${1}" -a -s "${1}" ]; then + echo "Using ${1} as an entropy file" + cat ${1} > /dev/random 2> /dev/random && + entropy_reseeded=yes + fi +} + case ${entropy_file} in [Nn][Oo] | '') ;; *) if [ -w /dev/random ]; then - if [ -f "${entropy_file}" -a -r "${entropy_file}" -a \ - -s "${entropy_file}" ]; then - echo "Using ${entropy_file} as an entropy file" - cat ${entropy_file} > /dev/random 2> /dev/random - entropy_reseeded=yes + feed_dev_random "${entropy_file}" + fi + ;; +esac + +case ${entropy_dir} in +[Nn][Oo]) + ;; +*) + entropy_dir=${entropy_dir:-/.entropy} + if [ -d "${entropy_dir}" ]; then + if [ -w /dev/random ]; then + for seedfile in ${entropy_dir}/*; do + feed_dev_random "${seedfile}" + done fi fi ;; @@ -219,20 +237,18 @@ yes) if [ -w /dev/random ]; then if [ -f "${entropy_file}" -a -r "${entropy_file}" -a \ -s "${entropy_file}" ]; then - echo "Using ${entropy_file} as an entropy file" - cat ${entropy_file} > /dev/random 2> /dev/random + feed_dev_random "${entropy_file}" elif [ "${entropy_file}" != /var/db/entropy -a \ -f /var/db/entropy -a -r /var/db/entropy -a \ -s /var/db/entropy ]; then - echo 'Using /var/db/entropy as an entropy file' - cat /var/db/entropy > /dev/random 2> /dev/random + feed_dev_random /var/db/entropy else echo "Can't use ${entropy_file} as an entropy file, trying other sources" # XXX temporary until we can get the entropy # harvesting rate up # Entropy below is not great, # but better than nothing. - (ps -gauxwww; iostat; vmstat; sysctl -a; + (ps -gauxwww; sysctl -a; dmesg) | /bin/dd of=/dev/random bs=8k 2>/dev/null ( for i in /etc /var/run ; do cd $i ; ls -al ; cat * diff --git a/libexec/Makefile b/libexec/Makefile index c051e13ff89e..6ee31ed4ab73 100644 --- a/libexec/Makefile +++ b/libexec/Makefile @@ -22,6 +22,7 @@ SUBDIR= atrun \ rpc.rwalld \ rpc.sprayd \ rshd \ + save-entropy \ talkd \ tftpd \ xtend \ diff --git a/libexec/save-entropy/Makefile b/libexec/save-entropy/Makefile new file mode 100644 index 000000000000..c3de2caaf45c --- /dev/null +++ b/libexec/save-entropy/Makefile @@ -0,0 +1,10 @@ +# $FreeBSD$ + +NOMAN= noman + +beforeinstall: + ${INSTALL} -c -o operator -g operator -m 500 \ + ${.CURDIR}/save-entropy.sh ${DESTDIR}${BINDIR}/save-entropy + +.include <bsd.prog.mk> + diff --git a/libexec/save-entropy/save-entropy.sh b/libexec/save-entropy/save-entropy.sh new file mode 100755 index 000000000000..4a84fd741959 --- /dev/null +++ b/libexec/save-entropy/save-entropy.sh @@ -0,0 +1,82 @@ +#!/bin/sh +# +# Copyright (c) 2001 The FreeBSD Project +# All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions +# are met: +# 1. Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# 2. Redistributions in binary form must reproduce the above copyright +# notice, this list of conditions and the following disclaimer in the +# documentation and/or other materials provided with the distribution. +# +# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND +# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +# SUCH DAMAGE. +# +# $FreeBSD$ + +# This script is called by cron to store bits of randomness which are +# then used to seed /dev/random on boot. + +PATH=/bin:/usr/bin + +# If there is a global system configuration file, suck it in. +# +if [ -r /etc/defaults/rc.conf ]; then + . /etc/defaults/rc.conf + source_rc_confs +elif [ -r /etc/rc.conf ]; then + . /etc/rc.conf +fi + +case ${entropy_dir} in +[Nn][Oo]) + exit 0 + ;; +*) + entropy_dir=${entropy_dir:-/.entropy} + ;; +esac + +entropy_save_sz=${entropy_save_sz:-2048} +entropy_save_num=${entropy_save_num:-8} +entropy_save_jot=$(($entropy_save_num - 1)) + +if [ ! -d "${entropy_dir}" ]; then + umask 077 + mkdir "${entropy_dir}" || { + logger -is The entropy directory "${entropy_dir}" does not \ +exist, and cannot be created. Therefore no entropy can be saved. ; + exit 1;} + /usr/sbin/chown operator:operator "${entropy_dir}" + chmod 0700 "${entropy_dir}" +fi + +rm -f "${entropy_dir}/saved-entropy.${entropy_save_num}" + +umask 377 + +for file_num in `jot ${entropy_save_jot} ${entropy_save_jot} 1`; do + if [ -f "${entropy_dir}/saved-entropy.${file_num}" ]; then + new_num=$(($file_num + 1)) + mv "${entropy_dir}/saved-entropy.${file_num}" \ + "${entropy_dir}/saved-entropy.${new_num}" + fi +done + +dd if=/dev/random of="${entropy_dir}/saved-entropy.1" \ + bs=2048 count=1 2> /dev/null + +exit 0 + |