Author: robert Date: 2008-10-28 20:02:39 -0600 (Tue, 28 Oct 2008) New Revision: 1481
Modified: branches/Onward/temporary_system/util-linux-ng.txt Log: Added modification to Util-linux-ng to use /dev/random for entropy, primarily for random swap. Modified: branches/Onward/temporary_system/util-linux-ng.txt =================================================================== --- branches/Onward/temporary_system/util-linux-ng.txt 2008-10-27 00:04:14 UTC (rev 1480) +++ branches/Onward/temporary_system/util-linux-ng.txt 2008-10-29 02:02:39 UTC (rev 1481) @@ -5,12 +5,29 @@ bzcat ../util-linux-ng-2.14.1-20081015.diff.bz2 | patch -p1 && -# Loop-AES uses /dev/urandom to create the key for random key swap partitions. -# Generally this is ideal, however swap is activated at a predictable time and -# the kernel entropy may also be predictable when swap is activated. It is -# best to activate swap after /dev/urandom has been seeded, during boot, but -# this needs modification of the LFS boot scripts. +# Loop-AES uses /dev/urandom when generating a random key for swap. Swap is +# mounted very early during boot, and may be predictable. Ideally we would +# have a Random Number Generator Daemon (RNGD) filling /dev/random before swap +# is mounted, so the predictable boot sequence has less affect on /dev/random. +# Using /dev/random for the encrypted swap space key may cause the boot to hang +# while waiting for entropy. If you do not have an RNGD, do not run the +# following command, but consider using /dev/frandom, because frandom uses +# /dev/urandom (sha1 of /dev/random) as a seed and passes it through the arc4 +# cipher, which will make attacks on the encrypted swap more complicated. If +# you have an RNGD, or a reliable /dev/random, run the following command. +# If you use /dev/frandom, it is a good idea to re-seed /dev/frandom (dumping +# one count to /dev/null) to re-seed /dev/erandom, to eliminate the possibility +# of reverse engineering the swap space key. + +# I hope this make sense to some of you, but it works around relationships +# between /dev/random, /dev/urandom, /dev/frandom, and /dev/erandom, and +# their theoretical vulnerabilities. In final, /dev/random is best, with an +# RNGD. + +sed -i.orig 's@/dev/urandom@/dev/random@' \ + ./mount/swapon.c ./mount/lomount.c && + mkdir -v obj/ && cd obj/ && -- http://linuxfromscratch.org/mailman/listinfo/hlfs-book FAQ: http://www.linuxfromscratch.org/faq/ Unsubscribe: See the above information page
