Improving available entropy

Simon Eisenmann simon at
Mon Feb 8 12:21:27 UTC 2016

Am 08.02.2016 um 12:17 schrieb Oliver Grawert:
>>> > > I think including rng-tools everywhere is a good idea: for only 80KB or so
>>> > > of storage space the value it gives is fantastic. I'd rather it be
>>> > > included everywhere and set up by default to the extent we can.
>> > 
>> > It does not help to include rng-tools and then start it eventually. It
>> > is important that the boot process blocks until a certain amount of
>> > entropy bits has become available as during first boot persistent keys
>> > are generated (essentially without entropy).
>> > 
>> > I think boot / all initialization of snaps and system wide services
>> > should block until at least 1024 bits of entropy are available for the
>> > first time.
> i disagree... we should make sure to only block services that actually
> make use of the entropy by having properly defined dependencies between
> systemd units, not delay the whole boot process ;)

Yeah sure, it does not have to block the whole boot process, as long as
it it possible for Snaps to wait on entropy as well.

> ... and in that light we should perhaps consider pulling rng-tools into
> the initrd to have it start as early as /sys and /dev are there so even
> these delays are as short as possible.

Yes it would be good to have rngd running from the initrd. Though as it
is a daemon, does it then need to be restarted when rootfs takes over?
Another issue is the configuration of rngd - i guess it would be a start
to have the autodetect logic as in the init script but ultimatively this
is hardware dependent and thus might need to be different from platform
to platform.


Yeah well


Simon Eisenmann

[ mailto:simon at ]

[ struktur AG | Kronenstraße 22a | D-70173 Stuttgart ]
[ T. +49.711.896656.68 | F.+49.711.89665610 ]
[ | mailto:info at ]

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: OpenPGP digital signature
URL: <>

More information about the snappy-devel mailing list