On Wed, 24 Apr 2019 at 06:24, Lennart Poettering <mzerq...@0pointer.de> wrote:
> On Mi, 24.04.19 12:02, Nikos Mavrogiannopoulos (n...@redhat.com) wrote: > > > On Thu, Apr 18, 2019 at 10:23 AM Lennart Poettering > > <mzerq...@0pointer.de> wrote: > > > Sure, you can invoke rngd before systemd, in which case it would have > > > to be able to run as PID 1 itself pretty much and then hand over > > > things. > > > > > > But why do that in userspace at all? the "Trust CPU RNG" kernel > > > compile time option shows that these things are trivial to solve if > > > people just want to. Instead of involving rngd at all, why not add a > > > similar option for the TPM RNG (or any other non-CPU hw rng) and then > > > rngd doesn't do anything useful anymore whatsoever? I mean, to my > > > knowledge all those other RNGs already feed into the pool anyway, they > > > just don't get trusted and thus don't add to the entropy > > > estimate. Fixing that should be quite doable and given that > > > CONFIG_RANDOM_TRUST_CPU exists now it shouldn't be politically too > > > hard to argue for a CONFIG_RANDOM_TRUST_TPM either... > > > > I like the part that this is trivial to solve if people want to. > > Making people agree is an order of magnitude harder than fixing any > > code. Nevertheless, without rngd, getrandom() would block in one of > > the first services started by systemd (if it doesn't block in systemd > > itself). > > As mentioned before: systemd itself already needs entropy itself (it > assigns a random 128bit id to each service invocation, dubbed the > "invocation ID" of it, and it generates the machine ID and seeds its > hash table hash functions), hence rngd doesn't cut it anyway, since it > starts after systemd, being a service managed by systemd. If rngd was > supposed to fill up the entropy pool at boot, it would have to run as > initial PID 1 in the initrd, before systemd, and then hand over to > systemd only after the pool is full. But it doesn't, hence rngd is > pointless: it runs too late to be useful. > > useful to systemd and your problems. What people are trying to say is that it is useful to their problems. There are several solutions to try here: 1. Make something like it run sooner so it helps your problems 2. Add something like it into the kernel (which has been a Sisyphus task from what i can tell) 3. Pull it into systemd so it helps your problems and others. 4. Keep this thread going with everyone talking past each other. -- Stephen J Smoogen.
_______________________________________________ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org