[PATCH] ssh dump: install random-seed from a new location

WANG Chao chaowang at redhat.com
Wed Jan 15 07:39:14 UTC 2014


On 01/14/14 at 04:17pm, Vivek Goyal wrote:
> On Wed, Dec 25, 2013 at 06:07:39PM +0800, WANG Chao wrote:
> 
> [..]
> > > >      if is_ssh_dump_target; then
> > > > -        dracut_install /var/lib/random-seed || exit $?
> > > > +        dracut_install -o /var/lib/random-seed || exit $?
> > > > +        dracut_install -o /var/lib/systemd/random-seed || exit $?
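Review bot: with `-o` on both `dracut_install` lines, a system that has neither /var/lib/random-seed nor /var/lib/systemd/random-seed gets an ssh-dump initramfs with no seed and no message, and the trailing `|| exit $?` no longer catches the missing file as the removed line did. Consider testing that at least one of the two paths exists before these lines, and failing or warning explicitly when neither does.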
> > > 
> > > below is better?
> > > 
> > > dracut_install /var/lib/random-seed || dracut_install -o /var/lib/systemd/random-seed || exit $?
> > 
> > Using dracut_install will error out w/o -o option. I think random-seed
> > is not essential for ssh dump, we can omit it safely. What do you think
> > for below:
> > 
> > dracut_install -o /var/lib/random-seed
> > dracut_install -o /var/lib/systemd/random-seed
> 
> I am not sure if random seed is optional. I think things will still work
> but enough randomness might not be there and it might make for weaker
> crypto and might make it a little less secure in kdump environment.

Yes, it's right. Without sufficient entropy, the random could be
theoretically vulnerable. That makes kdump environment less secure like
you said.

But kdump can't force user to maintain such random seed file
/var/lib/systemd/random-seed or /var/lib/random-seed. For whatever
reason, this seed file could be deleted or relocated some other place.

Given the fact that entropy may not be sufficient and we must feed
/dev/urandom in the 2nd kernel, what makes sense to me is that we generate
our own seed when creating the kdump initramfs and feed this one to
/dev/urandom in the 2nd kernel.

It's rather simple to implement it.
[inspired from man:random(4)]

In module-setup.sh, save random seed:

	dd if=/dev/urandom of=${initdir}/$RANDOM_SEED \
	   bs=`cat /proc/sys/kernel/random/poolsize` count=1

In kdump.sh, feed /dev/urandom with our preserved random seed:

	cat $RANDOM_SEED > /dev/urandom

So we neither have to fail when kdump can't find the system-wide random
seed file nor have to worry about where the seed is located.

What do you think?

> 
> Before this change, we used dracut install without -o option. That means
> random seed was a must. So why change behavior now?

Actually, I didn't understand why random-seed is a must.

Thanks
WANG Chao

> 
> How about using following.
> 
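> 	# Install whichever system seed file exists; fail if neither does.
> 	if [ -f /var/lib/random-seed ]; then
> 		dracut_install /var/lib/random-seed || exit $?
> 	elif [ -f /var/lib/systemd/random-seed ]; then
> 		dracut_install /var/lib/systemd/random-seed || exit $?
> 	else
> 		echo "no random-seed file found" >&2
> 		exit 1
> 	fi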
> 
> Thanks
> Vivek
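
The proposal in this message (generate a seed while building the kdump initramfs, then feed it to /dev/urandom in the 2nd kernel), written out as an added example that is not code from the thread or from kexec-tools. The function names, the seed path argument and the 64-byte floor are assumptions; the bits-to-bytes conversion follows the poolsize description in random(4).

```shell
#!/bin/sh
# Added illustration: function names and arguments are hypothetical.

# Seed size in bytes. random(4): on Linux 2.6 and later, poolsize is in bits.
# $1 optionally overrides the poolsize file (used for testing).
seed_bytes() {
    poolfile=${1:-/proc/sys/kernel/random/poolsize}
    bits=$(cat "$poolfile" 2>/dev/null) || bits=4096
    case $bits in ''|*[!0-9]*) bits=4096 ;; esac   # unreadable or non-numeric
    bytes=$((bits / 8))
    [ "$bytes" -ge 64 ] || bytes=64                # assumed floor for small pools
    echo "$bytes"
}

# Build time (module-setup.sh stage): write a fresh seed into the initramfs
# tree. $1 = initdir, $2 = seed path inside the initramfs, $3 = poolsize file.
save_seed() {
    dest=$1/$2
    n=$(seed_bytes "$3")
    mkdir -p "$(dirname "$dest")" || return 1
    # umask 077 so the new seed file is readable by its owner only.
    ( umask 077
      dd if=/dev/urandom of="$dest" bs="$n" count=1 2>/dev/null ) || return 1
    # Reject a short read instead of shipping a truncated seed.
    [ "$(($(wc -c < "$dest")))" -eq "$n" ] || return 1
}

# 2nd kernel (kdump.sh stage): mix the preserved seed into the pool.
# $1 = seed file, $2 = sink (defaults to /dev/urandom).
load_seed() {
    seed=$1
    sink=${2:-/dev/urandom}
    if [ ! -s "$seed" ]; then
        echo "kdump: no random seed at $seed" >&2
        return 1
    fi
    cat "$seed" > "$sink"
}
```

Writing to /dev/urandom mixes the data into the pool without raising the kernel's entropy count, and a seed baked into the initramfs is reused on every crash boot until the image is rebuilt.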

