#
1.1 |
|
10-Jan-2021 |
riastradh |
Various entropy integration improvements.
- New /etc/security check for entropy in daily security report.
- New /etc/rc.d/entropy script runs (after random_seed and rndctl) to check for entropy at boot -- in rc.conf, you can:
. set `entropy=check' to halt multiuser boot and enter single-user mode if not enough entropy
. set `entropy=wait' to make multiuser boot wait until enough entropy
Default is to always boot without waiting -- and rely on other channels like security report to alert the operator if there's a problem.
- New man page entropy(7) discussing the higher-level concepts and system integration with cross-references.
- New paragraph in afterboot(8) about entropy citing entropy(7) for more details.
This change addresses many of the issues discussed in security/55659. This is a first draft; happy to take improvements to the man pages and scripted messages to improve clarity.
I considered changing motd to include an entropy warning with a reference to the entropy(7) man page, but it's a little trickier: - Not sure it's appropriate for all users to see at login rather than users who have power to affect the entropy estimate (maybe it is, just haven't decided). - We only have a mechanism for changing once at boot; the message would remain until next boot even if an operator adds enough entropy. - The mechanism isn't really conducive to making a message appear conditionally from boot to boot.
|