On Mi, 17.04.19 16:05, Chris Murphy (lists(a)colorremedies.com) wrote:
> On Wed, Apr 17, 2019 at 11:36 AM Lennart Poettering
> <mzerqung(a)0pointer.de> wrote:
> >
> > Yeah, all that stuff is stuff the kernel could do better on its
> > own. If the CPU jitter stuff or the TPM stuff is a good idea, then why
> > not add that to the kernel natively, why involve userspace with that?
> > i.e. if the TPM and the CPU jitter stuff can be trusted, then the same
> > thing as for CONFIG_RANDOM_TRUST_CPU=y should be done: pass the random
> > data into the pool directly inside in the kernel.
>
> $ grep CONFIG_HW_RANDOM_TPM /boot/config-5.0.6-300.fc30.x86_64
> CONFIG_HW_RANDOM_TPM=y
>
> So apparently, for a long time the kernel actually could push data
> from hwrngs into the kernel pool while crediting entropy:
> https://lkml.org/lkml/2018/11/2/193
>
> i.e. it's the "rng_core.default_quality=700" switch on the kernel
> cmdline.
>
> It sounds like that option is just something that needs a compile-time
> option that Fedora could just turn on.
>
> Quoting from that mail: "This is better than relying on rng-tools."
>
> /usr/lib/systemd/system/rngd.service contains
> WantedBy=multi-user.target
>
> I'm gonna guess Steve Grubb is wondering whether it could be wanted by
> an earlier target, possibly cryptsetup-pre.target? I don't see a
> service file in the upstream project so this may have been selected by
> the Fedora packager as a known-to-work option.
WantedBy= doesn't really say much about when something is started,
just about what wants it started. It's not about ordering, it's about
requirement.

If you want to order it early then set DefaultDependencies=no and use
Before= some appropriate unit.

But this is all pretty much pointless, since PID 1 (systemd) itself already
needs entropy, and thus starting this after PID 1 is useless.
Lennart
--
Lennart Poettering, Berlin
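The WantedBy= versus Before= distinction from the reply above, as an added example that is not part of the thread and is not the Fedora package's own unit: a hypothetical drop-in for rngd.service (the drop-in path, the chosen targets and the After= line are assumptions) that expresses the early ordering the reply describes. It also restores the shutdown handling that DefaultDependencies=no silently removes. Per the reply, none of this helps PID 1, which needs entropy before any unit is started.

```ini
# Hypothetical drop-in, added example (not from the thread or the Fedora package):
# /etc/systemd/system/rngd.service.d/early.conf
#
# Inspect the effective ordering and requirement separately with:
#   systemctl show -p After,Before,WantedBy rngd.service

[Unit]
# Opt out of the implicit After=sysinit.target/basic.target that would
# otherwise hold the service back until the normal boot stage.
DefaultDependencies=no

# Ordering, not requirement: run before LUKS setup begins. Ordering only
# has an effect if some other unit also pulls rngd.service in.
Before=cryptsetup-pre.target

# DefaultDependencies=no also drops the implicit shutdown conflict and
# ordering, so they have to be added back by hand.
Conflicts=shutdown.target
Before=shutdown.target

# Assumption: rngd opens a hardware RNG device node, so it must wait for
# device setup; adjust to whatever the daemon actually reads from.
After=systemd-udevd.service

[Install]
# Requirement only: "systemctl enable" links the unit into the target's
# .wants/ directory. This says nothing about when the unit starts; the
# Before=/After= lines above do that. It applies together with the
# package's existing WantedBy=multi-user.target.
WantedBy=sysinit.target
```

After `systemctl daemon-reload` and `systemctl enable rngd.service`, the `systemctl show` line above should list cryptsetup-pre.target under Before= and sysinit.target under WantedBy=, which makes the point of the reply visible: the two properties answer different questions.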