services: urandom-seed: Try using a HWRNG to seed the Linux CRNG at boot.

* gnu/services/base.scm (urandom-seed-shepherd-service): Try to read from
'/dev/hwrng' at boot, as a supplement to any saved random seed.
* doc/guix.texi (Base Services): Document the new feature.
This commit is contained in:
Leo Famulari 2017-12-13 18:49:28 -05:00
parent a8db968fa4
commit 9a56cf2b5b
No known key found for this signature in database
GPG Key ID: 2646FA30BACA7F08
2 changed files with 21 additions and 1 deletions

View File

@ -10025,7 +10025,9 @@ well as in the @var{groups} field of the @var{operating-system} record.
@deffn {Scheme Procedure} urandom-seed-service
Save some entropy in @var{%random-seed-file} to seed @file{/dev/urandom}
when rebooting.
when rebooting. It also tries to seed @file{/dev/urandom} from
@file{/dev/hwrng} while booting, if @file{/dev/hwrng} exists and is
readable.
@end deffn
@defvr {Scheme Variable} %random-seed-file

View File

@ -516,6 +516,24 @@ stopped before 'kill' is called."
(call-with-output-file "/dev/urandom"
(lambda (urandom)
(dump-port seed urandom))))))
;; Try writing from /dev/hwrng into /dev/urandom.
;; It seems that the file /dev/hwrng always exists, even
;; when there is no hardware random number generator
;; available. So, we handle a failed read or any other error
;; reported by the operating system.
(let ((buf (catch 'system-error
(lambda ()
(call-with-input-file "/dev/hwrng"
(lambda (hwrng)
(get-bytevector-n hwrng 512))))
;; Silence is golden...
(const #f))))
(when buf
(call-with-output-file "/dev/urandom"
(lambda (urandom)
(put-bytevector urandom buf)))))
;; Immediately refresh the seed in case the system doesn't
;; shut down cleanly.
(call-with-input-file "/dev/urandom"