services: urandom-seed: Try using a HWRNG to seed the Linux CRNG at boot.
* gnu/services/base.scm (urandom-seed-shepherd-service): Try to read from '/dev/hwrng' at boot, as a supplement to any saved random seed.
* doc/guix.texi (Base Services): Document the new feature.
master
parent
a8db968fa4
commit
9a56cf2b5b
@ -10025,7 +10025,9 @@ well as in the @var{groups} field of the @var{operating-system} record.
@deffn {Scheme Procedure} urandom-seed-service
@deffn {Scheme Procedure} urandom-seed-service
Save some entropy in @var{%random-seed-file} to seed @file{/dev/urandom}
Save some entropy in @var{%random-seed-file} to seed @file{/dev/urandom}
when rebooting.
when rebooting. It also tries to seed @file{/dev/urandom} from
@file{/dev/hwrng} while booting, if @file{/dev/hwrng} exists and is
readable.
@end deffn
@end deffn
@defvr {Scheme Variable} %random-seed-file
@defvr {Scheme Variable} %random-seed-file
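Review bot: the added sentence "It also tries to seed @file{/dev/urandom} from @file{/dev/hwrng} while booting, if @file{/dev/hwrng} exists and is readable." understates what the accompanying base.scm change actually does: the read is capped at 512 bytes and any failure (including the common case where @file{/dev/hwrng} exists but no hardware generator is present, as the code comment notes) is ignored silently, so the user gets no indication of whether the HWRNG contributed anything. Suggest documenting it as best effort, e.g. "It also attempts, on a best-effort basis, to mix data read from @file{/dev/hwrng} into @file{/dev/urandom} at boot; if the device is absent or unreadable this step is skipped silently."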
@ -516,6 +516,24 @@ stopped before 'kill' is called."
(call-with-output-file "/dev/urandom"
(call-with-output-file "/dev/urandom"
(lambda (urandom)
(lambda (urandom)
(dump-port seed urandom))))))
(dump-port seed urandom))))))
;; Try writing from /dev/hwrng into /dev/urandom.
;; It seems that the file /dev/hwrng always exists, even
;; when there is no hardware random number generator
;; available. So, we handle a failed read or any other error
;; reported by the operating system.
(let ((buf (catch 'system-error
(lambda ()
(call-with-input-file "/dev/hwrng"
(lambda (hwrng)
(get-bytevector-n hwrng 512))))
;; Silence is golden...
(const #f))))
(when buf
(call-with-output-file "/dev/urandom"
(lambda (urandom)
(put-bytevector urandom buf)))))
;; Immediately refresh the seed in case the system doesn't
;; Immediately refresh the seed in case the system doesn't
;; shut down cleanly.
;; shut down cleanly.
(call-with-input-file "/dev/urandom"
(call-with-input-file "/dev/urandom"
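Review bot: the `(when buf ...)` guard in the new block does not cover the case where `(get-bytevector-n hwrng 512)` returns the end-of-file object, which Guile does when the device opens but yields no bytes; the eof object is not `#f`, so `(put-bytevector urandom buf)` would then raise a wrong-type error that is neither a `system-error` nor inside the `catch` form, and the shepherd service start would fail instead of silently skipping the HWRNG. Suggest testing the type rather than truthiness, e.g. `(when (bytevector? buf) ...)`. Minor: the comment ";; Silence is golden..." would be clearer if it said what is being silenced (an absent or unreadable hardware generator), matching the explanation in the comment block just above it.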