[Tails-dev] How to seed urandom (or not)?

Nachricht löschen

Nachricht beantworten
Autor: intrigeri
Datum:  
To: tails-dev, David Goulet
Neue Treads: Re: [Tails-dev] How to seed urandom (or not)?
Betreff: [Tails-dev] How to seed urandom (or not)?
Hi,

[For full context, and to avoid rehashing previous discussion, please
read https://labs.riseup.net/code/issues/7642.]

Mostly quoting my last comment there:

The long-term plan, for persistence users, is #7675 ("Persist entropy
pool seeds"). However, it covers neither the short term, nor people
using Tails without persistence. It seems that our options are:

1. keep things as-is => urandom is seeded by date +%s.%N + a publicly
known value
2. drop the publicly known value => urandom is seeded by date +%s.%N
only
3. disable (at least the relevant part of) the urandom initscript =>
urandom is only seeded by the kernel, somehow

Solution 2 doesn't look any better than solution 1 to me, so the
choice seems to be between solution 1 and 3.

I think it mainly depends on whether haveged (and rngd) will
contribute to the pool used by urandom, which is still unclear to me
(see note 12 on the ticket).

Does anyone know for sure the answer to this question (pointers to the
relevant code might help)? Or shall I go ask Linux randomness experts,
such as hpa and the rngd / haveged authors?

Cheers,
--
intrigeri