Re: [Tails-dev] Create random seed at installation time with…

Nachricht löschen

Nachricht beantworten
Autor: kurono
Datum:  
To: tails-dev
Betreff: Re: [Tails-dev] Create random seed at installation time with Tails Installer
On 07/22/2017 03:13 PM, intrigeri wrote:
> kurono:
>> * The natural place to put it is in the usual seed file, inside the
>> Tails file system (filesystem.squashfs). But this would imply to extract
>> the image, change the file, and create a new image, which would be a lot
>> of extra work. Another disadvantage is that it makes any further file
>> integrity checking impossible.
>
> Ouch, no, let's not do that.
>


ok :)

>> * The other option is to locate it outside of the tails file system,
>
> You mean in the FAT filesystem that Tails Installer creates, right?
> If yes, then this seems like the best option. Another option would be
> somewhere in the GPT (IIRC someone researched that).
>


Yes I meant the FAT filesystem. According to this:
https://labs.riseup.net/code/issues/7675
The conclusion was that the GPT space is too small and "storing it on
the FAT32 filesystem is certainly easier to do and less prone to accidents."

>> let say the "binary" part, and link the random init script to this
>> file, only if we are creating it by the installer.
>
> I guess checking for this file's existence is enough.
>


ok.

>> I don't know if this last option is even possible.
>> Are there already some examples of it? Maybe the syslinux, etc?
>
> Yes, Tails Installer already creates / renames / mangles files in the
> FAT filesystem after extracting the content of the ISO filesystem.
>


ok great. I am still trying to get an idea of how to do this, but I
think we could create a script in
config/chroot_local-includes/lib/live/config/ where the early boot stuff
is done. That script would copy the random-seed from the FAT filesystem,
to the actual
/var/lib/systemd/random-seed file.

> Just curious:
>
> * When do we update the content of this file?


AFAIK, it only has to be updated when shutting down the machine.
The idea is that this file can not be equal for all the Tails
installations and neither all the Tails booting processes.
The idea with the installer was to solve the first problem, but maybe we
also can solve the second.

> * What's the plan for upgrades of the Tails USB stick?


If the upgrade is done with the installer, I guess the process is the
same. If the upgrade is done internally by Tails, it depends if we
manage to implement a solution for the second problem.

Regarding the blueprint I can use the same we already had.
https://tails.boum.org/blueprint/randomness_seeding/
Or should I use other?

cheers,
kurono

>
> Cheers,
>