[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Seeding the Linux RNG at first boot
From: |
Leo Famulari |
Subject: |
Re: Seeding the Linux RNG at first boot |
Date: |
Mon, 11 Dec 2017 11:08:45 -0500 |
User-agent: |
Mutt/1.9.1 (2017-09-22) |
On Mon, Dec 11, 2017 at 10:16:42AM +0100, Ludovic Courtès wrote:
> Leo Famulari <address@hidden> skribis:
> > At the same time we handle the random seed, we could also try reading
> > from /dev/hwrng and, if the read is successful, copy some bytes into
> > /dev/urandom. We'd have to try reading and handle failure since we
> > always create /dev/hwrng regardless of whether the Linux kernel module
> > is loaded or not.
>
> OK.
Okay, I'll work on adding this to the urandom-seed-service.
> > If one always passes the same value to --entropy-seed, it will not
> > negatively affect the reproducibility of the image ;)
> >
> > This would not be something we do for the official release image, but
> > merely an optional tool.
>
> Yeah it’d be OK to add this as an option.
>
> When the option is present, ‘guix system’ would hook into the VM
> creation code somehow, or to extend ‘activation-service-type’ with code
> to create the file.
>
> Maybe we could provide a more generic --copy-file=SOURCE[=DEST] option?
> Like --copy-file=./my-seed=/var/lib/random-seed or
> --copy-file=$HOME/.ssh/authorized_keys.
>
> Thoughts?
That sounds good to me. I'll try implementing it.
signature.asc
Description: PGP signature