On Mi, 17.04.19 16:05, Chris Murphy (lists(a)colorremedies.com) wrote:
> On Wed, Apr 17, 2019 at 11:36 AM Lennart Poettering
>> Yeah, all that stuff is stuff the kernel could do better on its
>> own. If the CPU jitter stuff or the TPM stuff is a good idea, then why
>> not add that to the kernel natively, why involve userspace with that?
>> i.e. if the TPM and the CPU jitter stuff can be trusted, then the same
>> thing as for CONFIG_RANDOM_TRUST_CPU=y should be done: pass the random
>> data into the pool directly inside the kernel.
$ grep CONFIG_HW_RANDOM_TPM /boot/config-5.0.6-300.fc30.x86_64
So apparently, for a long time the kernel actually could push data
from hwrngs into the kernel pool while crediting entropy:
i.e. it's the "rng_core.default_quality=700" switch on the kernel
It sounds like that option is just something that needs a compile time
option that Fedora could just turn on.
Quoting from that mail: "This is better than relying on rng-tools."
I'm gonna guess Steve Grubb is wondering whether it could be wanted by
an earlier target, possibly cryptsetup-pre.target? I don't see a
service file in the upstream project so this may have been selected by
the Fedora packager as a known to work option.
WantedBy= doesn't really say much about when something is started,
just about what wants it started. It's not about ordering, it's about
If you want to order it early then set DefaultDependencies=no and use
Before= some appropriate unit.
But this is all pretty much pointless, since PID 1 (systemd) itself already
needs entropy, and thus starting this after PID 1 is useless.
Lennart Poettering, Berlin
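As an added illustration of the WantedBy= versus Before= point above (this is example unit text, not from the thread or from any project's shipped unit): a hypothetical hardware-RNG service, first installed only via WantedBy=, then ordered explicitly early with DefaultDependencies=no and Before=. The unit name and the rngd path and flag are assumptions.

```ini
# --- Variant 1 (example-rngd.service): pulled in, but not ordered ---
# WantedBy= only makes the target carry a Wants= on this unit when it is
# enabled. It says nothing about *when* the unit starts: with default
# dependencies the service still gets an implicit After=sysinit.target
# and After=basic.target, so it starts well after early boot.
[Unit]
Description=Example hardware RNG entropy daemon (not ordered)

[Service]
ExecStart=/usr/sbin/rngd -f   # path and foreground flag are assumed

[Install]
WantedBy=sysinit.target

# --- Variant 2 (example-rngd.service): explicitly ordered early ---
# DefaultDependencies=no removes the implicit After=sysinit.target /
# basic.target and the implicit shutdown ordering, so Before= can take
# effect; Before=cryptsetup-pre.target orders the unit ahead of the LUKS
# unlocking that may itself need entropy. The Conflicts=/Before= on
# shutdown.target are added back by hand because the defaults are gone.
[Unit]
Description=Example hardware RNG entropy daemon (ordered early)
DefaultDependencies=no
Before=cryptsetup-pre.target sysinit.target
Conflicts=shutdown.target
Before=shutdown.target

[Service]
ExecStart=/usr/sbin/rngd -f   # path and foreground flag are assumed

[Install]
WantedBy=sysinit.target
```

Even variant 2 only moves the start earlier within the unit graph; as the reply notes, PID 1 itself already needs entropy before any unit runs, so this cannot solve that part of the problem.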