On Sun, Jan 27, 2019 at 06:41:10PM +0100, Steve Grubb wrote:
> The biggest problem in dealing with crypto early in boot is that the
> system is starved for entropy. I'm wondering if this runs before or
> after systemd loads the saved entropy seed into the kernel?

On bare metal, I didn't notice real problems regarding low
entropy during the early sshd startup. I just noticed sometimes
that sshd took a bit longer than usual to start up (due to low
entropy).

Perhaps this isn't the only reason, but I suspect that the usual
network 'noise' and a ping I have running when I reboot a remote
machine is sufficient for the remote machine to build up enough
entropy in reasonable time.

With the CI suite rapidly starting VMs, possibly inside a VM, I
noticed serious entropy starvation which resulted in slow sshd
startup or even timeouts (with the early and late sshd),
sometimes. Which resulted in pseudo-randomly failing tests, of
course. Thus, my solution to this is to add `-device
virtio-rng-pci` to the QEMU call.

And when running the tests locally I also start haveged (on the
host). This is not necessary in the Travis-CI environment.

Best regards
Georg
--
'Correction of ASN.1 syntax definition errors introduced by automatic Word
correction.' (TD.57 specification version 29.2, 2011)
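
A guest-side preflight for the situation described in the mail above, as an added example that is not part of the original message or of the project's test suite: it reports whether the kernel's active hardware RNG is the virtio one that `-device virtio-rng-pci` provides and whether the entropy estimate is above a floor, so a CI job can fail fast instead of timing out on sshd. The function name `check_guest_rng`, the `ROOT` argument (used to point the check at a constructed tree) and the 128-bit floor are assumptions.

```shell
#!/bin/sh
# Added example (not from the original mail).
# check_guest_rng [ROOT] [MIN_BITS]
#   ROOT      prefix for /sys and /proc; empty means the live system (assumption,
#             lets the check run against a constructed directory tree)
#   MIN_BITS  entropy floor; 128 is an assumed default, not a value from the mail
# Return codes: 0 ok, 1 no virtio RNG active, 2 entropy below floor, 3 unreadable
check_guest_rng() {
    root="${1:-}"
    min_bits="${2:-128}"
    rng_file="$root/sys/class/misc/hw_random/rng_current"
    ent_file="$root/proc/sys/kernel/random/entropy_avail"

    # Name of the hardware RNG currently feeding the kernel, e.g. "virtio_rng.0".
    rng="none"
    if [ -r "$rng_file" ]; then
        rng="$(cat "$rng_file" 2>/dev/null || true)"
        [ -n "$rng" ] || rng="none"
    fi

    if [ ! -r "$ent_file" ]; then
        echo "unknown: cannot read $ent_file"
        return 3
    fi
    bits="$(cat "$ent_file")"
    case "$bits" in
        ''|*[!0-9]*) echo "unknown: unexpected entropy_avail value"; return 3 ;;
    esac

    # Without the virtio device the guest depends on interrupt noise alone,
    # which is what starves freshly booted, idle CI VMs.
    case "$rng" in
        virtio_rng*) ;;
        *) echo "no-virtio-rng: rng_current=$rng entropy_avail=$bits"; return 1 ;;
    esac

    if [ "$bits" -lt "$min_bits" ]; then
        echo "low-entropy: rng_current=$rng entropy_avail=$bits (< $min_bits)"
        return 2
    fi
    echo "ok: rng_current=$rng entropy_avail=$bits"
    return 0
}
# Typical use inside the guest, before the sshd tests: check_guest_rng || exit 1
```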