Improving available entropy
Oliver Grawert
ogra at ubuntu.com
Mon Feb 8 11:17:14 UTC 2016
hi,
On Monday, 08.02.2016, at 09:41 +0100, Simon Eisenmann wrote:
> Hi,
>
> On 06.02.2016 at 02:09, Seth Arnold wrote:
> > On Fri, Feb 05, 2016 at 06:39:40PM -0600, Tyler Hicks wrote:
> >> 2) We need to make rng-tools available. Would it be preferred that
> >> rng-tools is seeded in core or should it be a snap that gadget
> >> snaps, for devices that have a hwrng, can declare as a preinstall
> >> dependency?
> >
> > I think including rng-tools everywhere is a good idea: for only 80KB or so
> > of storage space the value it gives is fantastic. I'd rather it be
> > included everywhere and set up by default to the extent we can.
>
> It does not help to include rng-tools and then start it eventually. It
> is important that the boot process blocks until a certain amount of
> entropy bits has become available as during first boot persistent keys
> are generated (essentially without entropy).
>
> I think boot / all initialization of snaps and system wide services
> should block until at least 1024 bits of entropy are available for the
> first time.

i disagree... we should make sure to only block services that actually
make use of the entropy by having properly defined dependencies between
systemd units, not delay the whole boot process ;)

... and in that light we should perhaps consider pulling rng-tools into
the initrd to have it start as early as /sys and /dev are there so even
these delays are as short as possible.

ciao
oli
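
Added example, not part of the original message or of any Ubuntu package: a sketch of the per-service gate discussed in this thread, where only entropy consumers wait for the 1024-bit threshold instead of the whole boot. The function name, its arguments and the unit name `entropy-ready.service` are assumptions made for illustration.

```shell
#!/bin/sh
# Hypothetical wiring: a oneshot unit "entropy-ready.service" runs this
# script; only services that generate keys declare
#   Requires=entropy-ready.service
#   After=entropy-ready.service
# so everything else boots without waiting.

# wait_for_entropy THRESHOLD_BITS TIMEOUT_SECS [ENTROPY_FILE]
# Returns 0 once the kernel's entropy estimate reaches the threshold,
# 1 on timeout, 2 if the estimate cannot be read or is not a number.
wait_for_entropy() {
    threshold=$1
    timeout=$2
    file=${3:-/proc/sys/kernel/random/entropy_avail}
    waited=0
    while :; do
        [ -r "$file" ] || return 2
        avail=$(cat "$file") || return 2
        case $avail in
            ''|*[!0-9]*) return 2 ;;   # reject anything but a plain number
        esac
        if [ "$avail" -ge "$threshold" ]; then
            return 0
        fi
        if [ "$waited" -ge "$timeout" ]; then
            return 1                   # fail the unit rather than hang the boot
        fi
        sleep 1
        waited=$((waited + 1))
    done
}

# Run only when called with arguments, e.g. from ExecStart=:
#   entropy-gate.sh 1024 60
if [ "$#" -ge 2 ]; then
    wait_for_entropy "$@"
    exit $?
fi
```

Kernels from 5.18 on report at most 256 in `entropy_avail`, so the threshold there must not exceed the value in `/proc/sys/kernel/random/poolsize` or the gate will always time out.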