GNU bug report logs

#29773 urandom-seed-service should run earlier in the boot process

PackageSource(s)Maintainer(s)
guix PTS Buildd Popcon
Full log

Message #19 received at 29773@debbugs.gnu.org (full text, mbox, reply):

Received: (at 29773) by debbugs.gnu.org; 21 Dec 2017 09:10:34 +0000
From debbugs-submit-bounces@debbugs.gnu.org Thu Dec 21 04:10:34 2017
Received: from localhost ([127.0.0.1]:45183 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1eRws4-0005TR-Rz
	for submit@debbugs.gnu.org; Thu, 21 Dec 2017 04:10:34 -0500
Received: from hera.aquilenet.fr ([141.255.128.1]:48736)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <ludo@gnu.org>) id 1eRws3-0005TJ-FH
 for 29773@debbugs.gnu.org; Thu, 21 Dec 2017 04:10:31 -0500
Received: from localhost (localhost [127.0.0.1])
 by hera.aquilenet.fr (Postfix) with ESMTP id 2686B102BB;
 Thu, 21 Dec 2017 10:10:34 +0100 (CET)
X-Virus-Scanned: Debian amavisd-new at aquilenet.fr
Received: from hera.aquilenet.fr ([127.0.0.1])
 by localhost (hera.aquilenet.fr [127.0.0.1]) (amavisd-new, port 10024)
 with ESMTP id PdnVZDQbtWEr; Thu, 21 Dec 2017 10:10:33 +0100 (CET)
Received: from ribbon (unknown [193.50.110.235])
 by hera.aquilenet.fr (Postfix) with ESMTPSA id 8DECFFEB6;
 Thu, 21 Dec 2017 10:10:33 +0100 (CET)
From: ludo@gnu.org (Ludovic Courtès)
To: Leo Famulari <leo@famulari.name>
Subject: Re: bug#29773: urandom-seed-service should run earlier in the boot
 process
References: <20171219191348.GA19177@jasmine.lan> <87tvwlzop3.fsf@gnu.org>
 <20171220230751.GA18857@jasmine.lan>
X-URL: http://www.fdn.fr/~lcourtes/
X-Revolutionary-Date: 1 Nivôse an 226 de la Révolution
X-PGP-Key-ID: 0x090B11993D9AEBB5
X-PGP-Key: http://www.fdn.fr/~lcourtes/ludovic.asc
X-PGP-Fingerprint: 3CE4 6455 8A84 FDC6 9DB4  0CFB 090B 1199 3D9A EBB5
X-OS: x86_64-pc-linux-gnu
Date: Thu, 21 Dec 2017 10:10:29 +0100
In-Reply-To: <20171220230751.GA18857@jasmine.lan> (Leo Famulari's message of
 "Wed, 20 Dec 2017 18:07:51 -0500")
Message-ID: <87ind0a1kq.fsf@gnu.org>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/25.3 (gnu/linux)
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="=-=-="
X-Spam-Score: 3.8 (+++)
X-Spam-Report: Spam detection software, running on the system "debbugs.gnu.org",
 has NOT identified this incoming email as spam.  The original
 message has been attached to this so you can view it or label
 similar future email.  If you have any questions, see
 the administrator of that system for details.
 
 Content preview:  Leo Famulari <leo@famulari.name> skribis: > On Wed, Dec 20,
    2017 at 11:19:36AM +0100, Ludovic Courtès wrote: >> There’s a ‘user-processes’
    service that serves a similar purpose. >> >> With the attached patches ‘urandom-seed’
    becomes a dependency of >> ‘user-processes’, meaning that daemons & co.
    start after >> ‘urandom-seed’. >> >> WDYT? > > In general, I think it's
    a good approach. > > Currently, the urandom-seed-service seems to non-deterministically
    but > typically start after the udev-service, so that /dev/hwrng is always
    set > up by udev before the urandom-seed-service tries to use it. > > With
    these patches, that's not the case. This breaks the hwrng seeding > feature
    added in 9a56cf2b5b (services: urandom-seed: Try using a HWRNG > to seed
   the Linux CRNG at boot). > > I'll try rearranging the service dependency graph.
    [...] 
 
 Content analysis details:   (3.8 points, 10.0 required)
 
  pts rule name              description
 ---- ---------------------- --------------------------------------------------
 -0.0 SPF_HELO_PASS          SPF: HELO matches SPF record
  1.0 SPF_SOFTFAIL           SPF: sender does not match SPF record (softfail)
  2.8 PERCENT_RANDOM         Message has a random macro in it
X-Debbugs-Envelope-To: 29773
Cc: 29773@debbugs.gnu.org
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit@debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request@debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces@debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
X-Spam-Score: 3.8 (+++)
X-Spam-Report: Spam detection software, running on the system "debbugs.gnu.org",
 has NOT identified this incoming email as spam.  The original
 message has been attached to this so you can view it or label
 similar future email.  If you have any questions, see
 the administrator of that system for details.
 
 Content preview:  Leo Famulari <leo@famulari.name> skribis: > On Wed, Dec 20,
    2017 at 11:19:36AM +0100, Ludovic Courtès wrote: >> There’s a ‘user-processes’
    service that serves a similar purpose. >> >> With the attached patches ‘urandom-seed’
    becomes a dependency of >> ‘user-processes’, meaning that daemons & co.
    start after >> ‘urandom-seed’. >> >> WDYT? > > In general, I think it's
    a good approach. > > Currently, the urandom-seed-service seems to non-deterministically
    but > typically start after the udev-service, so that /dev/hwrng is always
    set > up by udev before the urandom-seed-service tries to use it. > > With
    these patches, that's not the case. This breaks the hwrng seeding > feature
    added in 9a56cf2b5b (services: urandom-seed: Try using a HWRNG > to seed
   the Linux CRNG at boot). > > I'll try rearranging the service dependency graph.
    [...] 
 
 Content analysis details:   (3.8 points, 10.0 required)
 
  pts rule name              description
 ---- ---------------------- --------------------------------------------------
 -0.0 SPF_HELO_PASS          SPF: HELO matches SPF record
  1.0 SPF_SOFTFAIL           SPF: sender does not match SPF record (softfail)
  2.8 PERCENT_RANDOM         Message has a random macro in it

[Message part 1 (text/plain, inline)]
Leo Famulari <leo@famulari.name> skribis:

> On Wed, Dec 20, 2017 at 11:19:36AM +0100, Ludovic Courtès wrote:
>> There’s a ‘user-processes’ service that serves a similar purpose.
>> 
>> With the attached patches ‘urandom-seed’ becomes a dependency of
>> ‘user-processes’, meaning that daemons & co. start after
>> ‘urandom-seed’.
>> 
>> WDYT?
>
> In general, I think it's a good approach.
>
> Currently, the urandom-seed-service seems to non-deterministically but
> typically start after the udev-service, so that /dev/hwrng is always set
> up by udev before the urandom-seed-service tries to use it.
>
> With these patches, that's not the case. This breaks the hwrng seeding
> feature added in 9a56cf2b5b (services: urandom-seed: Try using a HWRNG
> to seed the Linux CRNG at boot).
>
> I'll try rearranging the service dependency graph.

The attached patch does the trick, AFAICS:


[Message part 2 (text/x-patch, inline)]
diff --git a/gnu/services/base.scm b/gnu/services/base.scm
index acc5c33f5..7fc8f6aa7 100644
--- a/gnu/services/base.scm
+++ b/gnu/services/base.scm
@@ -529,7 +529,10 @@ in KNOWN-MOUNT-POINTS when it is stopped."
   (list (shepherd-service
          (documentation "Preserve entropy across reboots for /dev/urandom.")
          (provision '(urandom-seed))
-         (requirement '(file-systems))
+
+         ;; Depend on udev so that /dev/hwrng is available.
+         (requirement '(file-systems udev))
+
          (start #~(lambda _
                     ;; On boot, write random seed into /dev/urandom.
                     (when (file-exists? #$%random-seed-file)

[Message part 3 (text/plain, inline)]
> Watching a fresh system boot repeatedly, I noticed that the host keys
> always seem to be generated immediately after Linux reports "random:
> crng init done".
>
> To me, this suggests that OpenSSH is using the getrandom() syscall. If
> so, any GuixSD host keys created with glibc >= 2.25 and OpenSSH >= 7.2
> should be unpredictable. But I'm not sure if that's what's happening or
> not.

Nice.

The problem though is that ‘ssh-keygen -A’ runs from the activation
snippet, which itself runs before shepherd is started.

To work around that, we should either introduce a separate ‘ssh-keygen’
service that ‘ssh-daemon’ would depend on, or invoke ‘ssh-keygen’ from
the ‘start’ method of the ‘ssh-daemon’ service.

>> +(define (user-processes-shepherd-service requirements)
>> +  "Return the 'user-processes' Shepherd service with dependencies on
>> +REQUIREMENTS (a list of service names).
>> +
>> +This is a synchronization point used to make sure user processes and daemons
>> +get started only after crucial initial services have been started---file
>> +system mounts, etc.  This is similar to 'target' in systemd."
>
> To clarify, user-processes may be similar to the sysinit target in
> systemd. Systemd targets are sort of like run-levels, and there are
> several of them, such as the multi-user target, the graphical target,
> etc.

Indeed, I’ve fixed it locally.

If that’s OK I’ll push these patches later today.

Thank you,
Ludo’.

Send a report that this bug log contains spam.

debbugs.gnu.org maintainers <help-debbugs@gnu.org>. Last modified: Mon Dec 30 17:45:59 2024; Machine Name: wallace-server

GNU bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.