Laurent Bercot wrote in
 <em5107a42e-fcba-4af6-83b7-b85f77db9...@133c92ad.com>:
 |
 |>|IIRC writing to /dev/urandom doesn't do what you want it to do.
 |>|You have to use an ioctl() to actually set entropy.
 |>
 |>And that is the sad point about it.
 |>Kernel hackers should stand up to allow it again!
 |
 |  As Ted Ts'o said[1], and Donenfeld agreed[2], the problem is that
 |any user can write to /dev/urandom, including malicious users, so
 |you cannot credit what they write.

Well i was talking on unlocking the thing upon boot.  Only root
there is.

And then you could easily look who is the writer, or require
CAP_SYS_ADMIN or whatever when deciding whether "entropy" is to be
counted or not.  That is just a check that is done a thousand
times in the kernel, i would think.

Actually, if i recall correctly, it is only for unlocking after
the rewrite anyway, since entropy is not counted any more?  At least
the IOCTL which gives the number does not change any more.

The thing is plain.  Unix "everything is a file" ("except when it
isn't"; except on Plan9, where it is) is broken by that for no
reason.  I did not read the files, it is too late, but i would have
stood up and done it like that.

 |  I tend to trust people who do the work rather than those who stand on
 |cardboard boxes.
 |  Still, since it's related to boot sequence things and I want to be a
 |reliable source on boot sequences, I actually studied the thing when
 |it came up, and understood the issue enough to come up with my own
 |conclusion - and my own conclusion is still that the person who did the
 |work, i.e. Jason, is right about this.
 |
 |  I'm sorry. I like the idea of writing stuff to /dev/urandom and have
 |it count, too. It's just not a good idea for security. That's just the
 |way it is. And it would be nice if all the work and ink that already
 |went into it, including mine, could actually be useful to all the people
 |who don't care about any of this and just want their systems to work
 |and be secure - so it would be nice if disinformation and bad ideas
 |stopped being spread.

What a sheer nonsense.  Sorry.

 |[1]: https://lwn.net/ml/linux-kernel/yjqvemckzcu1p...@mit.edu/
 |[2]: https://lwn.net/ml/linux-kernel/yjqbcqbyhcopg...@zx2c4.com/

--steffen
|
|Der Kragenbaer,                The moon bear,
|der holt sich munter           he cheerfully and one by one
|einen nach dem anderen runter  wa.ks himself off
|(By Robert Gernhardt)
_______________________________________________
busybox mailing list
busybox@busybox.net
http://lists.busybox.net/mailman/listinfo/busybox
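
The two seeding paths argued over in this message, as an added example that is not part of the original mail or of busybox's code: a plain write() to /dev/urandom is open to any user and is mixed in without credit, while the RNDADDENTROPY ioctl credits the bytes and the kernel allows it only with CAP_SYS_ADMIN. The function names and the seed bytes are constructed for illustration.

```c
#include <errno.h>
#include <fcntl.h>
#include <linux/random.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ioctl.h>
#include <unistd.h>

/* Build the RNDADDENTROPY argument: entropy_count in bits, buf_size in bytes.
 * Refuses to claim more bits than the seed holds. Caller frees the result. */
struct rand_pool_info *make_pool_info(const unsigned char *seed, int len, int bits)
{
    if (!seed || len <= 0 || bits < 0 || bits > len * 8)
        return NULL;
    struct rand_pool_info *p = malloc(sizeof(*p) + (size_t)len);
    if (!p)
        return NULL;
    p->entropy_count = bits;
    p->buf_size = len;
    memcpy(p->buf, seed, (size_t)len);
    return p;
}

/* Mix and credit the seed. Returns 0, or -errno (-EPERM without CAP_SYS_ADMIN). */
int credit_seed(const unsigned char *seed, int len, int bits)
{
    struct rand_pool_info *p = make_pool_info(seed, len, bits);
    if (!p) return -EINVAL;
    int rc = 0, fd = open("/dev/urandom", O_WRONLY);
    if (fd < 0 || ioctl(fd, RNDADDENTROPY, p) < 0)
        rc = -errno;
    if (fd >= 0) close(fd);
    free(p);
    return rc;
}

int main(void)
{
    /* Constructed placeholder; a real seed comes from a saved seed file. */
    unsigned char seed[32] = "constructed-example-seed-bytes";
    int fd = open("/dev/urandom", O_WRONLY);
    if (fd >= 0) {  /* any user may do this: mixed in, never credited */
        printf("write() -> %zd bytes, no credit\n", write(fd, seed, sizeof seed));
        close(fd);
    }
    printf("RNDADDENTROPY -> %d\n", credit_seed(seed, sizeof seed, 256));
    return 0;
}
```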
