Re: [OE-core] [PATCH] openssh: Allow enable/disable of rng-tools recommendation on sshd
On Fri, Sep 25, 2020 at 2:58 AM Ross Burton wrote:
>
> On Thu, 24 Sep 2020 at 20:58, Otavio Salvador wrote:
> > We are adding a new PACKAGECONFIG option ('rng-tools') to control if we
> > wish the openssh-sshd to RRECOMMENDS the 'rng-tools' package. We are
> > enabling it by default so there is no behavior change.
>
> Is this fundamentally because many targets now have hardware RNGs that
> the kernel is using, and so rng-tools serves no purpose?
>
> This was originally added with data from iMX6 (oe-core
> 9b01375236e19e3366c58877c4154d7c71632984) and I'm curious if this
> followup is related to other improvements that have been made to iMX6
> since. Is there a better user space tool, or is the kernel using the
> hardware RNG out of the box?
>

Perhaps haveged is an option to consider.

> I ask because I'm strongly tempted to argue that we should be assuming
> that a RNG is available and let BSPs turn this on if required.
>
> Ross

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#142821): https://lists.openembedded.org/g/openembedded-core/message/142821
Mute This Topic: https://lists.openembedded.org/mt/77065556/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-
Re: [OE-core] [PATCH] openssh: Allow enable/disable of rng-tools recommendation on sshd
On Fri, Sep 25, 2020 at 06:58, Ross Burton wrote:
> On Thu, 24 Sep 2020 at 20:58, Otavio Salvador wrote:
> > We are adding a new PACKAGECONFIG option ('rng-tools') to control if we
> > wish the openssh-sshd to RRECOMMENDS the 'rng-tools' package. We are
> > enabling it by default so there is no behavior change.
>
> Is this fundamentally because many targets now have hardware RNGs that
> the kernel is using, and so rng-tools serves no purpose?
>
> This was originally added with data from iMX6 (oe-core
> 9b01375236e19e3366c58877c4154d7c71632984) and I'm curious if this
> followup is related to other improvements that have been made to iMX6
> since. Is there a better user space tool, or is the kernel using the
> hardware RNG out of the box?

Exactly, we can use it from the kernel and most of the time it is of no use.

> I ask because I'm strongly tempted to argue that we should be assuming
> that a RNG is available and let BSPs turn this on if required.

I added this enabled by default so we can backport it to Dunfell (as it won't change the current behavior). For master, we can turn it off and let the distro enable it if needed.

I'd like to get this one merged first (and send the backport request) and then I can send a patch to disable it.

--
Otavio Salvador
O.S. Systems
http://www.ossystems.com.br
http://code.ossystems.com.br
Mobile: +55 (53) 9 9981-7854
Mobile: +1 (347) 903-9750
Re: [OE-core] [PATCH] openssh: Allow enable/disable of rng-tools recommendation on sshd
On 25/09/2020 10:58, Ross Burton wrote:
> On Thu, 24 Sep 2020 at 20:58, Otavio Salvador wrote:
>> We are adding a new PACKAGECONFIG option ('rng-tools') to control if we
>> wish the openssh-sshd to RRECOMMENDS the 'rng-tools' package. We are
>> enabling it by default so there is no behavior change.
>
> Is this fundamentally because many targets now have hardware RNGs that
> the kernel is using, and so rng-tools serves no purpose?
>
> This was originally added with data from iMX6 (oe-core
> 9b01375236e19e3366c58877c4154d7c71632984) and I'm curious if this
> followup is related to other improvements that have been made to iMX6
> since. Is there a better user space tool, or is the kernel using the
> hardware RNG out of the box?
>

While I haven't had the time to explore the issue fully on my boards, the issue I have specifically is that when the board is powered for a short amount of time, systemd gets stuck on shutting down as rngd is blocking for (I assume) a certain amount of entropy for it to enter the ready state. Whether this is down to the specific hardware rng support on my board, or possibly the lack of it being enabled I haven't dug into yet.

> I ask because I'm strongly tempted to argue that we should be assuming
> that a RNG is available and let BSPs turn this on if required.
>
> Ross
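One way to check on a target board the question left open in this message, as an added example that is not part of the thread: the script reports whether a hardware RNG is bound in the kernel and whether the kernel credits it to the entropy pool by itself. It assumes the sysfs paths of kernels from this period (rng_core's current_quality parameter may be absent on other versions); the ROOT argument is a hypothetical convenience for inspecting a copied /sys tree.

```shell
#!/bin/sh
# Added example (not from the thread): is the kernel itself feeding the
# entropy pool from a hardware RNG, or is a user-space feeder still relevant?
# ROOT (first argument) is hypothetical: it lets a copied /sys tree be
# inspected offline; leave it empty when running on the target.

# Print the first line of file $1, or the fallback $2 if unreadable or empty.
read_first() {
    v=""
    [ -r "$1" ] && IFS= read -r v < "$1" || :
    echo "${v:-$2}"
}

rng_verdict() {
    root="${1:-}"
    # The hw_random core prints "none" here when no device is bound.
    hw=$(read_first "$root/sys/class/misc/hw_random/rng_current" none)
    # Assumption: this kernel exposes rng_core's current_quality parameter.
    q=$(read_first "$root/sys/module/rng_core/parameters/current_quality" unknown)
    if [ "$hw" = none ]; then
        echo "no-hwrng"              # no hardware source bound in the kernel
    elif [ "$q" = unknown ]; then
        echo "hwrng-unknown:$hw"     # bound, but crediting cannot be determined
    elif [ "$q" -gt 0 ]; then
        echo "kernel-fed:$hw"        # kernel thread credits the pool by itself
    else
        echo "uncredited:$hw"        # bound, but only exposed via /dev/hwrng
    fi
}

rng_verdict "${1:-}"
```

A result of kernel-fed means the kernel is already using the hardware RNG without help; the other results are the cases where the recommendation discussed in the thread may still matter for that board.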
Re: [OE-core] [PATCH] openssh: Allow enable/disable of rng-tools recommendation on sshd
On Fri, 2020-09-25 at 10:58 +0100, Ross Burton wrote:
> On Thu, 24 Sep 2020 at 20:58, Otavio Salvador <otavio.salva...@gmail.com> wrote:
> > We are adding a new PACKAGECONFIG option ('rng-tools') to control if we
> > wish the openssh-sshd to RRECOMMENDS the 'rng-tools' package. We are
> > enabling it by default so there is no behavior change.
>
> Is this fundamentally because many targets now have hardware RNGs that
> the kernel is using, and so rng-tools serves no purpose?
>
> This was originally added with data from iMX6 (oe-core
> 9b01375236e19e3366c58877c4154d7c71632984) and I'm curious if this
> followup is related to other improvements that have been made to iMX6
> since. Is there a better user space tool, or is the kernel using the
> hardware RNG out of the box?
>
> I ask because I'm strongly tempted to argue that we should be assuming
> that a RNG is available and let BSPs turn this on if required.

BSPs probably shouldn't be changing openssh configuration individually. I have merged the patch since I think it is good that we have a configuration option for it though. It's more appropriate for a DISTRO to set.

How we could make this configurable on a machine basis is an open question...

Cheers,

Richard
Re: [OE-core] [PATCH] openssh: Allow enable/disable of rng-tools recommendation on sshd
On Thu, 24 Sep 2020 at 20:58, Otavio Salvador wrote:
> We are adding a new PACKAGECONFIG option ('rng-tools') to control if we
> wish the openssh-sshd to RRECOMMENDS the 'rng-tools' package. We are
> enabling it by default so there is no behavior change.

Is this fundamentally because many targets now have hardware RNGs that the kernel is using, and so rng-tools serves no purpose?

This was originally added with data from iMX6 (oe-core 9b01375236e19e3366c58877c4154d7c71632984) and I'm curious if this followup is related to other improvements that have been made to iMX6 since. Is there a better user space tool, or is the kernel using the hardware RNG out of the box?

I ask because I'm strongly tempted to argue that we should be assuming that a RNG is available and let BSPs turn this on if required.

Ross
Re: [OE-core] [PATCH] openssh: Allow enable/disable of rng-tools recommendation on sshd
On Fri, 25 Sep 2020 at 09:51, Jack Mitchell wrote:
> While rng-tools has also been causing havoc with my images as it seems
> ARM soc support for whatever underlying generator it uses is spotty,
> this seems to be an abuse of packageconfig. Would something like:
>
> BAD_RECOMMENDATIONS_pn-openssh = "rng-tools"
>
> Not perform the same function?

It would, but I don't see this being an abuse of PACKAGECONFIG at all. It's a configuration option that is configuring the package.

Ross
Re: [OE-core] [PATCH] openssh: Allow enable/disable of rng-tools recommendation on sshd
On 24/09/2020 20:58, Otavio Salvador wrote: > We are adding a new PACKAGECONFIG option ('rng-tools') to control if we > wish the openssh-sshd to RRECOMMENDS the 'rng-tools' package. We are > enabling it by default so there is no behavior change. > > Signed-off-by: Otavio Salvador > --- > > meta/recipes-connectivity/openssh/openssh_8.3p1.bb | 10 -- > 1 file changed, 8 insertions(+), 2 deletions(-) > > diff --git a/meta/recipes-connectivity/openssh/openssh_8.3p1.bb > b/meta/recipes-connectivity/openssh/openssh_8.3p1.bb > index fad321898c..e007328704 100644 > --- a/meta/recipes-connectivity/openssh/openssh_8.3p1.bb > +++ b/meta/recipes-connectivity/openssh/openssh_8.3p1.bb > @@ -42,12 +42,15 @@ SYSTEMD_SERVICE_${PN}-sshd = "sshd.socket" > > inherit autotools-brokensep ptest > > -PACKAGECONFIG ??= "" > +PACKAGECONFIG ??= "rng-tools" > PACKAGECONFIG[kerberos] = "--with-kerberos5,--without-kerberos5,krb5" > PACKAGECONFIG[ldns] = "--with-ldns,--without-ldns,ldns" > PACKAGECONFIG[libedit] = "--with-libedit,--without-libedit,libedit" > PACKAGECONFIG[manpages] = "--with-mantype=man,--with-mantype=cat" > > +# Add RRECOMMENDS to rng-tools for sshd package > +PACKAGECONFIG[rng-tools] = "" > + > EXTRA_AUTORECONF += "--exclude=aclocal" > > # login path is hardcoded in sshd 
> @@ -149,7 +152,10 @@ FILES_${PN}-keygen = "${bindir}/ssh-keygen" > > RDEPENDS_${PN} += "${PN}-scp ${PN}-ssh ${PN}-sshd ${PN}-keygen" > RDEPENDS_${PN}-sshd += "${PN}-keygen ${@bb.utils.contains('DISTRO_FEATURES', > 'pam', 'pam-plugin-keyinit pam-plugin-loginuid', '', d)}" > -RRECOMMENDS_${PN}-sshd_append_class-target = " rng-tools" > +RRECOMMENDS_${PN}-sshd_append_class-target = "\ > +${@bb.utils.filter('PACKAGECONFIG', 'rng-tools', d)} \ > +" > + > # gdb would make attach-ptrace test pass rather than skip but not worth the > build dependencies > RDEPENDS_${PN}-ptest += "${PN}-sftp ${PN}-misc ${PN}-sftp-server make sed > sudo coreutils" > > While rng-tools has also been causing havoc with my images as it seems ARM soc support for whatever underlying generator it uses is spotty, this seems to be an abuse of packageconfig. Would something like: BAD_RECOMMENDATIONS_pn-openssh = "rng-tools" Not perform the same function? Regards, Jack. -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#142772): https://lists.openembedded.org/g/openembedded-core/message/142772 Mute This Topic: https://lists.openembedded.org/mt/77065556/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
[OE-core] [PATCH] openssh: Allow enable/disable of rng-tools recommendation on sshd
We are adding a new PACKAGECONFIG option ('rng-tools') to control if we wish the openssh-sshd to RRECOMMENDS the 'rng-tools' package. We are enabling it by default so there is no behavior change. Signed-off-by: Otavio Salvador --- meta/recipes-connectivity/openssh/openssh_8.3p1.bb | 10 -- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/meta/recipes-connectivity/openssh/openssh_8.3p1.bb b/meta/recipes-connectivity/openssh/openssh_8.3p1.bb index fad321898c..e007328704 100644 --- a/meta/recipes-connectivity/openssh/openssh_8.3p1.bb +++ b/meta/recipes-connectivity/openssh/openssh_8.3p1.bb @@ -42,12 +42,15 @@ SYSTEMD_SERVICE_${PN}-sshd = "sshd.socket" inherit autotools-brokensep ptest -PACKAGECONFIG ??= "" +PACKAGECONFIG ??= "rng-tools" PACKAGECONFIG[kerberos] = "--with-kerberos5,--without-kerberos5,krb5" PACKAGECONFIG[ldns] = "--with-ldns,--without-ldns,ldns" PACKAGECONFIG[libedit] = "--with-libedit,--without-libedit,libedit" PACKAGECONFIG[manpages] = "--with-mantype=man,--with-mantype=cat" +# Add RRECOMMENDS to rng-tools for sshd package +PACKAGECONFIG[rng-tools] = "" + EXTRA_AUTORECONF += "--exclude=aclocal" # login path is hardcoded in sshd 
@@ -149,7 +152,10 @@ FILES_${PN}-keygen = "${bindir}/ssh-keygen" RDEPENDS_${PN} += "${PN}-scp ${PN}-ssh ${PN}-sshd ${PN}-keygen" RDEPENDS_${PN}-sshd += "${PN}-keygen ${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'pam-plugin-keyinit pam-plugin-loginuid', '', d)}" -RRECOMMENDS_${PN}-sshd_append_class-target = " rng-tools" +RRECOMMENDS_${PN}-sshd_append_class-target = "\ +${@bb.utils.filter('PACKAGECONFIG', 'rng-tools', d)} \ +" + # gdb would make attach-ptrace test pass rather than skip but not worth the build dependencies RDEPENDS_${PN}-ptest += "${PN}-sftp ${PN}-misc ${PN}-sftp-server make sed sudo coreutils" -- 2.28.0 -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#142760): https://lists.openembedded.org/g/openembedded-core/message/142760 Mute This Topic: https://lists.openembedded.org/mt/77065556/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
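Review bot: in the first hunk, moving the weak default from PACKAGECONFIG ??= "" to PACKAGECONFIG ??= "rng-tools" preserves the old behaviour only for builds that never assign PACKAGECONFIG for openssh. Any distro, bbappend or local configuration that already sets it (for example to enable kerberos) overrides the weak default, so the recommendation that the old unconditional append always provided is silently dropped there. The commit message's "no behavior change" should be qualified accordingly. The comment above PACKAGECONFIG[rng-tools] = "" would also be clearer if it said that the flag is intentionally empty and only gates the RRECOMMENDS line changed in the second hunk.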
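Review bot: in the second hunk, the removed value " rng-tools" carried the leading space that an _append needs, while the new value as displayed here starts directly with the ${@bb.utils.filter(...)} expression after the line continuation. If the continuation line really has no leading whitespace, the result would be joined onto the last word of any existing RRECOMMENDS_${PN}-sshd value, so please keep a space at the start of the string. Separately, bb.utils.filter returns the matched option name itself, so this works only because the PACKAGECONFIG option and the package are both called rng-tools; a short comment noting that coupling would help the next person who renames either one.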