Source-Changes-HG archive
[src/trunk]: src/share/man/man8 Various entropy integration improvements.
details: https://anonhg.NetBSD.org/src/rev/b737121146cf
branches: trunk
changeset: 949368:b737121146cf
user: riastradh <riastradh%NetBSD.org@localhost>
date: Sun Jan 10 23:24:25 2021 +0000
description:
Various entropy integration improvements.
- New /etc/security check for entropy in daily security report.
- New /etc/rc.d/entropy script runs (after random_seed and rndctl) to
check for entropy at boot -- in rc.conf, you can:
. set `entropy=check' to halt multiuser boot and enter single-user
mode if not enough entropy
. set `entropy=wait' to make multiuser boot wait until enough entropy
Default is to always boot without waiting -- and rely on other
channels like security report to alert the operator if there's a
problem.
- New man page entropy(7) discussing the higher-level concepts and
system integration with cross-references.
- New paragraph in afterboot(8) about entropy citing entropy(7) for
more details.
This change addresses many of the issues discussed in security/55659.
This is a first draft; happy to take improvements to the man pages and
scripted messages to improve clarity.
I considered changing motd to include an entropy warning with a
reference to the entropy(7) man page, but it's a little trickier:
- Not sure it's appropriate for all users to see at login rather than
users who have power to affect the entropy estimate (maybe it is,
just haven't decided).
- We only have a mechanism for changing once at boot; the message would
remain until next boot even if an operator adds enough entropy.
- The mechanism isn't really conducive to making a message appear
conditionally from boot to boot.
diffstat:
distrib/sets/lists/etc/mi | 3 +-
distrib/sets/lists/man/mi | 8 +-
etc/defaults/rc.conf | 7 +-
etc/defaults/security.conf | 3 +-
etc/rc.d/Makefile | 4 +-
etc/rc.d/entropy | 40 ++++++
etc/security | 15 ++-
share/man/man4/rnd.4 | 3 +-
share/man/man5/rc.conf.5 | 31 +++++-
share/man/man5/security.conf.5 | 5 +-
share/man/man7/Makefile | 8 +-
share/man/man7/entropy.7 | 241 +++++++++++++++++++++++++++++++++++++++++
share/man/man7/security.7 | 6 +-
share/man/man8/afterboot.8 | 22 +++-
14 files changed, 381 insertions(+), 15 deletions(-)
diffs (truncated from 621 to 300 lines):
diff -r b9ccf27ed383 -r b737121146cf distrib/sets/lists/etc/mi
--- a/distrib/sets/lists/etc/mi Sun Jan 10 21:45:50 2021 +0000
+++ b/distrib/sets/lists/etc/mi Sun Jan 10 23:24:25 2021 +0000
@@ -1,4 +1,4 @@
-# $NetBSD: mi,v 1.263 2020/09/08 12:52:44 martin Exp $
+# $NetBSD: mi,v 1.264 2021/01/10 23:24:25 riastradh Exp $
#
# Note: end-user configuration files that are moved to another location
# should not be marked "obsolete"; they should just be removed from
@@ -214,6 +214,7 @@
./etc/rc.d/dhcrelay etc-dhcpd-rc
./etc/rc.d/dmesg etc-sys-rc
./etc/rc.d/downinterfaces etc-sys-rc
+./etc/rc.d/entropy etc-sys-rc
./etc/rc.d/envsys etc-sys-rc
./etc/rc.d/fixsb etc-obsolete obsolete
./etc/rc.d/fsck etc-sys-rc
diff -r b9ccf27ed383 -r b737121146cf distrib/sets/lists/man/mi
--- a/distrib/sets/lists/man/mi Sun Jan 10 21:45:50 2021 +0000
+++ b/distrib/sets/lists/man/mi Sun Jan 10 23:24:25 2021 +0000
@@ -1,4 +1,4 @@
-# $NetBSD: mi,v 1.1712 2020/12/27 21:13:18 reinoud Exp $
+# $NetBSD: mi,v 1.1713 2021/01/10 23:24:25 riastradh Exp $
#
# Note: don't delete entries from here - mark them as "obsolete" instead.
#
@@ -2340,6 +2340,7 @@
./usr/share/man/cat7/c99.0 man-reference-catman .cat
./usr/share/man/cat7/des_modes.0 man-reference-catman .cat
./usr/share/man/cat7/editline.0 man-sys-catman .cat
+./usr/share/man/cat7/entropy.0 man-reference-catman .cat
./usr/share/man/cat7/environ.0 man-reference-catman .cat
./usr/share/man/cat7/glob.0 man-reference-catman .cat
./usr/share/man/cat7/groups.0 man-reference-catman .cat
@@ -2367,6 +2368,7 @@
./usr/share/man/cat7/pcap-linktype.0 man-netutil-catman .cat
./usr/share/man/cat7/pcap-tstamp.0 man-netutil-catman .cat
./usr/share/man/cat7/pkgsrc.0 man-reference-catman .cat
+./usr/share/man/cat7/random.0 man-reference-catman .cat
./usr/share/man/cat7/re_format.0 man-reference-catman .cat
./usr/share/man/cat7/release.0 man-reference-catman .cat
./usr/share/man/cat7/rfc6056.0 man-reference-catman .cat
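Review bot: this hunk (and the html7 and man7 counterparts further down) adds random.0, random.html and random.7 to the man set list, but the diffstat lists no share/man/man7/random.7 and the visible part of the man7/Makefile hunk adds only entropy.7 to MAN. Unless random.7 is an MLINKS alias of entropy.7 that the truncated Makefile hunk carries, the set list now names files the build never installs and the set-list consistency check will fail. Either drop the three random.* entries or make sure the Makefile has `MLINKS+= entropy.7 random.7`.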
@@ -5465,6 +5467,7 @@
./usr/share/man/html7/c99.html man-reference-htmlman html
./usr/share/man/html7/des_modes.html man-reference-htmlman html
./usr/share/man/html7/editline.html man-sys-htmlman html
+./usr/share/man/html7/entropy.html man-reference-htmlman html
./usr/share/man/html7/environ.html man-reference-htmlman html
./usr/share/man/html7/glob.html man-reference-htmlman html
./usr/share/man/html7/groups.html man-reference-htmlman html
@@ -5488,6 +5491,7 @@
./usr/share/man/html7/pcap-linktype.html man-netutil-htmlman html
./usr/share/man/html7/pcap-tstamp.html man-netutil-htmlman html
./usr/share/man/html7/pkgsrc.html man-reference-htmlman html
+./usr/share/man/html7/random.html man-reference-htmlman html
./usr/share/man/html7/re_format.html man-reference-htmlman html
./usr/share/man/html7/release.html man-reference-htmlman html
./usr/share/man/html7/rfc6056.html man-reference-htmlman html
@@ -8560,6 +8564,7 @@
./usr/share/man/man7/c99.7 man-reference-man .man
./usr/share/man/man7/des_modes.7 man-reference-man .man
./usr/share/man/man7/editline.7 man-sys-man .man
+./usr/share/man/man7/entropy.7 man-reference-man .man
./usr/share/man/man7/environ.7 man-reference-man .man
./usr/share/man/man7/glob.7 man-reference-man .man
./usr/share/man/man7/groups.7 man-reference-man .man
@@ -8586,6 +8591,7 @@
./usr/share/man/man7/pcap-linktype.7 man-netutil-man .man
./usr/share/man/man7/pcap-tstamp.7 man-netutil-man .man
./usr/share/man/man7/pkgsrc.7 man-reference-man .man
+./usr/share/man/man7/random.7 man-reference-man .man
./usr/share/man/man7/re_format.7 man-reference-man .man
./usr/share/man/man7/release.7 man-reference-man .man
./usr/share/man/man7/rfc6056.7 man-reference-man .man
diff -r b9ccf27ed383 -r b737121146cf etc/defaults/rc.conf
--- a/etc/defaults/rc.conf Sun Jan 10 21:45:50 2021 +0000
+++ b/etc/defaults/rc.conf Sun Jan 10 23:24:25 2021 +0000
@@ -1,4 +1,4 @@
-# $NetBSD: rc.conf,v 1.160 2020/09/29 02:49:55 msaitoh Exp $
+# $NetBSD: rc.conf,v 1.161 2021/01/10 23:24:25 riastradh Exp $
#
# /etc/defaults/rc.conf --
# default configuration of /etc/rc.conf
@@ -384,6 +384,11 @@
#
random_seed=YES
+# Set to `check' to abort multi-user boot if not enough entropy, or
+# `wait' to wait until enough entropy.
+#
+entropy=""
+
# Creating / updating of man page index on boot
makemandb=YES
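Review bot: the comment above `entropy=""` explains `check' and `wait' but not the empty default, so a reader of /etc/defaults/rc.conf has to go to rc.conf.5 to learn that leaving it empty neither checks nor waits. Suggest adding a line such as `# Leave empty (the default) to boot without checking.` so the three possible settings are all documented in place.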
diff -r b9ccf27ed383 -r b737121146cf etc/defaults/security.conf
--- a/etc/defaults/security.conf Sun Jan 10 21:45:50 2021 +0000
+++ b/etc/defaults/security.conf Sun Jan 10 23:24:25 2021 +0000
@@ -1,4 +1,4 @@
-# $NetBSD: security.conf,v 1.27 2019/12/06 14:43:29 riastradh Exp $
+# $NetBSD: security.conf,v 1.28 2021/01/10 23:24:25 riastradh Exp $
#
# /etc/defaults/security.conf --
# default configuration of /etc/security.conf
@@ -9,6 +9,7 @@
# EDIT /etc/security.conf INSTEAD.
#
+check_entropy=YES
check_passwd=YES
check_group=YES
check_rootdotfiles=YES
diff -r b9ccf27ed383 -r b737121146cf etc/rc.d/Makefile
--- a/etc/rc.d/Makefile Sun Jan 10 21:45:50 2021 +0000
+++ b/etc/rc.d/Makefile Sun Jan 10 23:24:25 2021 +0000
@@ -1,4 +1,4 @@
-# $NetBSD: Makefile,v 1.109 2020/09/08 12:54:36 martin Exp $
+# $NetBSD: Makefile,v 1.110 2021/01/10 23:24:25 riastradh Exp $
.include <bsd.own.mk>
@@ -20,7 +20,7 @@
ccd cgd clearcritlocal cleartmp cron \
devpubd dhcpcd dhcpd dhcpd6 dhcrelay dmesg \
downinterfaces \
- envsys \
+ entropy envsys \
fsck fsck_root ftp_proxy ftpd \
gpio \
hostapd httpd \
diff -r b9ccf27ed383 -r b737121146cf etc/rc.d/entropy
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/etc/rc.d/entropy Sun Jan 10 23:24:25 2021 +0000
@@ -0,0 +1,40 @@
+#!/bin/sh
+#
+# $NetBSD: entropy,v 1.1 2021/01/10 23:24:25 riastradh Exp $
+#
+
+# PROVIDE: entropy
+# REQUIRE: random_seed rndctl
+# BEFORE: ike ipsec network
+
+$_rc_subr_loaded . /etc/rc.subr
+
+name="entropy"
+start_cmd="entropy_start"
+stop_cmd=":"
+
+entropy_start()
+{
+ case ${entropy-} in
+ '') ;;
+ check) echo -n "Checking for entropy..."
+ # dd will print an error message `Resource temporarily
+ # unavailable' to stderr, which is a little annoying,
+ # but getting rid of it is also a little annoying.
+ if dd if=/dev/random iflag=nonblock of=/dev/null bs=1 count=1 \
+ msgfmt=quiet; then
+ echo "done"
+ else
+ echo "not enough entropy available, aborting boot."
+ stop_boot
+ fi
+ ;;
+ wait) echo -n "Waiting for entropy..."
+ dd if=/dev/random of=/dev/null bs=1 count=1 msgfmt=quiet
+ echo "done"
+ ;;
+ esac
+}
+
+load_rc_config "$name"
+run_rc_command "$1"
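Review bot: in the `check' branch the stray `Resource temporarily unavailable' message the comment apologises for can be silenced with `2>/dev/null`, which is exactly what the etc/security hunk in this same change does for the identical dd command; the two call sites should match. Separately, the `wait' branch prints "done" regardless of dd's exit status, so if /dev/random cannot be opened or dd is interrupted the boot carries on under a misleading message; test the status there as the `check' branch does, e.g. `if dd if=/dev/random of=/dev/null bs=1 count=1 msgfmt=quiet; then echo "done"; else echo "failed"; fi`. The `wait' branch also has no upper bound, which is the hang the rc.conf.5 text in this change warns about; a timeout loop would let an unattended host fall through to a warning instead.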
diff -r b9ccf27ed383 -r b737121146cf etc/security
--- a/etc/security Sun Jan 10 21:45:50 2021 +0000
+++ b/etc/security Sun Jan 10 23:24:25 2021 +0000
@@ -1,6 +1,6 @@
#!/bin/sh -
#
-# $NetBSD: security,v 1.127 2020/12/02 14:18:13 wiz Exp $
+# $NetBSD: security,v 1.128 2021/01/10 23:24:25 riastradh Exp $
# from: @(#)security 8.1 (Berkeley) 6/9/93
#
@@ -192,6 +192,19 @@
done | mtree -CM -k all > $SPECIALSPEC || exit 1
+# Check for enough entropy.
+#
+if checkyesno check_entropy; then
+ if ! dd if=/dev/random iflag=nonblock of=/dev/null bs=1 count=1 \
+ msgfmt=quiet 2>/dev/null; then
+ printf '\n'
+ printf 'Entropy:\n'
+ printf 'System may need more entropy for cryptography.\n'
+ printf 'See the entropy(7) man page for details.\n'
+ fi
+fi
+
+
# Check the master password file syntax.
#
if checkyesno check_passwd; then
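Review bot: the warning tells the operator something is wrong but gives nothing to act on; since rndctl(8) is already the tool this change leans on (the rc.d script requires it), printing `rndctl -l` output after the two message lines would show which sources are failing to contribute and turn the report into a diagnosis. Style: the hunk leaves two blank lines before the next comment block where the rest of this file uses one.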
diff -r b9ccf27ed383 -r b737121146cf share/man/man4/rnd.4
--- a/share/man/man4/rnd.4 Sun Jan 10 21:45:50 2021 +0000
+++ b/share/man/man4/rnd.4 Sun Jan 10 23:24:25 2021 +0000
@@ -1,4 +1,4 @@
-.\" $NetBSD: rnd.4,v 1.35 2020/05/06 18:38:20 riastradh Exp $
+.\" $NetBSD: rnd.4,v 1.36 2021/01/10 23:24:25 riastradh Exp $
.\"
.\" Copyright (c) 2014-2020 The NetBSD Foundation, Inc.
.\" All rights reserved.
@@ -634,6 +634,7 @@
.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
.Sh SEE ALSO
.Xr arc4random 3 ,
+.Xr entropy 7 ,
.Xr rndctl 8 ,
.Xr cprng 9 ,
.Xr rnd 9
diff -r b9ccf27ed383 -r b737121146cf share/man/man5/rc.conf.5
--- a/share/man/man5/rc.conf.5 Sun Jan 10 21:45:50 2021 +0000
+++ b/share/man/man5/rc.conf.5 Sun Jan 10 23:24:25 2021 +0000
@@ -1,4 +1,4 @@
-.\" $NetBSD: rc.conf.5,v 1.187 2020/09/11 12:20:01 wiz Exp $
+.\" $NetBSD: rc.conf.5,v 1.188 2021/01/10 23:24:26 riastradh Exp $
.\"
.\" Copyright (c) 1996 Matthew R. Green
.\" All rights reserved.
@@ -439,6 +439,35 @@
.Xr dmesg 8 .
Passes
.Sy dmesg_flags .
+.It Sy entropy
+A string,
+.Sq Li check
+or
+.Sq Li wait .
+If set, then during boot-up, after
+.Sy random_seed
+and
+.Sy rndctl ,
+check for or wait until enough entropy before any networking is
+enabled.
+.Pp
+If not enough entropy is available, then:
+.Bl -bullet -compact
+.It
+With
+.Sq Li entropy=check ,
+stop multiuser boot and enter single-user mode instead.
+.It
+With
+.Sq Li entropy=wait ,
+wait until enough entropy is available.
+.El
+.Pp
+Note that
+.Sq Li entropy=wait
+may cause the system to hang indefinitely at boot if it has neither a
+random seed nor any hardware random number generators \(em use with
+care.
.It Sy envsys
Boolean value.
Sets preferences for the environmental systems framework,
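Review bot: the closing caveat covers only `entropy=wait`, but `entropy=check` has the matching hazard on an unattended host: stopping multiuser boot leaves the machine in single-user mode waiting at a console nobody is sitting at, so the same "use with care" warning belongs on both values. Also, "before any networking is enabled" rests on the script's `# BEFORE: ike ipsec network` ordering; it would be worth saying that only services ordered after `network` are covered, so a reader does not assume every rc.d script waits on this check.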
diff -r b9ccf27ed383 -r b737121146cf share/man/man5/security.conf.5
--- a/share/man/man5/security.conf.5 Sun Jan 10 21:45:50 2021 +0000
+++ b/share/man/man5/security.conf.5 Sun Jan 10 23:24:25 2021 +0000
@@ -1,4 +1,4 @@
-.\" $NetBSD: security.conf.5,v 1.42 2020/12/02 14:18:13 wiz Exp $
+.\" $NetBSD: security.conf.5,v 1.43 2021/01/10 23:24:26 riastradh Exp $
.\"
.\" Copyright (c) 1996 Matthew R. Green
.\" All rights reserved.
@@ -47,6 +47,9 @@
.Pp
The variables described below can be set to "NO" to disable the test:
.Bl -tag -width check_pkg_vulnerabilities
+.It Sy check_entropy
+This checks whether the system has enough entropy
+.Pq see Xr entropy 7 .
.It Sy check_passwd
This checks the
.Pa /etc/master.passwd
diff -r b9ccf27ed383 -r b737121146cf share/man/man7/Makefile
--- a/share/man/man7/Makefile Sun Jan 10 21:45:50 2021 +0000
+++ b/share/man/man7/Makefile Sun Jan 10 23:24:25 2021 +0000
@@ -1,11 +1,12 @@
-# $NetBSD: Makefile,v 1.35 2020/06/23 16:08:46 maxv Exp $
+# $NetBSD: Makefile,v 1.36 2021/01/10 23:24:26 riastradh Exp $
# @(#)Makefile 8.1 (Berkeley) 6/5/93
.include <bsd.init.mk>
# missing: eqnchar.7 man.7 ms.7 term.7
-MAN= ascii.7 c.7 environ.7 glob.7 groups.7 hier.7 hostname.7 intro.7 \
+MAN= ascii.7 c.7 entropy.7 environ.7 glob.7 groups.7 hier.7 hostname.7 \