services: urandom-seed: Try using a HWRNG to seed the Linux CRNG at boot.
* gnu/services/base.scm (urandom-seed-shepherd-service): Try to read from '/dev/hwrng' at boot, as a supplement to any saved random seed. * doc/guix.texi (Base Services): Document the new feature.
This commit is contained in:
parent
a8db968fa4
commit
9a56cf2b5b
|
@ -10025,7 +10025,9 @@ well as in the @var{groups} field of the @var{operating-system} record.
|
|||
|
||||
@deffn {Scheme Procedure} urandom-seed-service
|
||||
Save some entropy in @var{%random-seed-file} to seed @file{/dev/urandom}
|
||||
when rebooting.
|
||||
when rebooting. It also tries to seed @file{/dev/urandom} from
|
||||
@file{/dev/hwrng} while booting, if @file{/dev/hwrng} exists and is
|
||||
readable.
|
||||
@end deffn
|
||||
|
||||
@defvr {Scheme Variable} %random-seed-file
|
||||
|
|
|
@ -516,6 +516,24 @@ stopped before 'kill' is called."
|
|||
(call-with-output-file "/dev/urandom"
|
||||
(lambda (urandom)
|
||||
(dump-port seed urandom))))))
|
||||
|
||||
;; Try writing from /dev/hwrng into /dev/urandom.
|
||||
;; It seems that the file /dev/hwrng always exists, even
|
||||
;; when there is no hardware random number generator
|
||||
;; available. So, we handle a failed read or any other error
|
||||
;; reported by the operating system.
|
||||
(let ((buf (catch 'system-error
|
||||
(lambda ()
|
||||
(call-with-input-file "/dev/hwrng"
|
||||
(lambda (hwrng)
|
||||
(get-bytevector-n hwrng 512))))
|
||||
;; Silence is golden...
|
||||
(const #f))))
|
||||
(when buf
|
||||
(call-with-output-file "/dev/urandom"
|
||||
(lambda (urandom)
|
||||
(put-bytevector urandom buf)))))
|
||||
|
||||
;; Immediately refresh the seed in case the system doesn't
|
||||
;; shut down cleanly.
|
||||
(call-with-input-file "/dev/urandom"
|
||||
|
|
Loading…
Reference in New Issue