[thirdparty/systemd.git] / src / random-seed / random-seed.c

/* SPDX-License-Identifier: LGPL-2.1-or-later */

#include <errno.h>
#include <fcntl.h>
#include <linux/random.h>
#include <sys/ioctl.h>
#if USE_SYS_RANDOM_H
#  include <sys/random.h>
#endif
#include <sys/stat.h>
#include <sys/xattr.h>
#include <unistd.h>

#include "sd-id128.h"

#include "alloc-util.h"
#include "fd-util.h"
#include "fs-util.h"
#include "io-util.h"
#include "log.h"
#include "main-func.h"
#include "missing_random.h"
#include "missing_syscall.h"
#include "mkdir.h"
#include "parse-util.h"
#include "random-util.h"
#include "string-util.h"
#include "sync-util.h"
#include "sha256.h"
#include "util.h"
#include "xattr-util.h"

typedef enum CreditEntropy {
        CREDIT_ENTROPY_NO_WAY,
        CREDIT_ENTROPY_YES_PLEASE,
        CREDIT_ENTROPY_YES_FORCED,
} CreditEntropy;

static CreditEntropy may_credit(int seed_fd) {
        _cleanup_free_ char *creditable = NULL;
        const char *e;
        int r;

        assert(seed_fd >= 0);

        e = getenv("SYSTEMD_RANDOM_SEED_CREDIT");
        if (!e) {
                log_debug("$SYSTEMD_RANDOM_SEED_CREDIT is not set, not crediting entropy.");
                return CREDIT_ENTROPY_NO_WAY;
        }
        if (streq(e, "force")) {
                log_debug("$SYSTEMD_RANDOM_SEED_CREDIT is set to 'force', crediting entropy.");
                return CREDIT_ENTROPY_YES_FORCED;
        }

        r = parse_boolean(e);
        if (r <= 0) {
                if (r < 0)
                        log_warning_errno(r, "Failed to parse $SYSTEMD_RANDOM_SEED_CREDIT, not crediting entropy: %m");
                else
                        log_debug("Crediting entropy is turned off via $SYSTEMD_RANDOM_SEED_CREDIT, not crediting entropy.");

                return CREDIT_ENTROPY_NO_WAY;
        }

        /* Determine if the file is marked as creditable */
        r = fgetxattr_malloc(seed_fd, "user.random-seed-creditable", &creditable);
        if (r < 0) {
                if (IN_SET(r, -ENODATA, -ENOSYS, -EOPNOTSUPP))
                        log_debug_errno(r, "Seed file is not marked as creditable, not crediting.");
                else
                        log_warning_errno(r, "Failed to read extended attribute, ignoring: %m");

                return CREDIT_ENTROPY_NO_WAY;
        }

        r = parse_boolean(creditable);
        if (r <= 0) {
                if (r < 0)
                        log_warning_errno(r, "Failed to parse user.random-seed-creditable extended attribute, ignoring: %s", creditable);
                else
                        log_debug("Seed file is marked as not creditable, not crediting.");

                return CREDIT_ENTROPY_NO_WAY;
        }

        /* Don't credit the random seed if we are in first-boot mode, because we are supposed to start from
         * scratch. This is a safety precaution for cases where we people ship "golden" images with empty
         * /etc but populated /var that contains a random seed. */
        if (access("/run/systemd/first-boot", F_OK) < 0) {

                if (errno != ENOENT) {
                        log_warning_errno(errno, "Failed to check whether we are in first-boot mode, not crediting entropy: %m");
                        return CREDIT_ENTROPY_NO_WAY;
                }

                /* If ENOENT all is good, we are not in first-boot mode. */
        } else {
                log_debug("Not crediting entropy, since booted in first-boot mode.");
                return CREDIT_ENTROPY_NO_WAY;
        }

        return CREDIT_ENTROPY_YES_PLEASE;
}

static int run(int argc, char *argv[]) {
        bool read_seed_file, write_seed_file, synchronous, hashed_old_seed = false;
        _cleanup_close_ int seed_fd = -1, random_fd = -1;
        _cleanup_free_ void* buf = NULL;
        struct sha256_ctx hash_state;
        size_t buf_size;
        struct stat st;
        ssize_t k, l;
        int r;

        log_setup();

        if (argc != 2)
                return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
                                       "This program requires one argument.");

        umask(0022);

        buf_size = random_pool_size();

        r = mkdir_parents(RANDOM_SEED, 0755);
        if (r < 0)
                return log_error_errno(r, "Failed to create directory " RANDOM_SEED_DIR ": %m");

        /* When we load the seed we read it and write it to the device and then immediately update the saved seed with
         * new data, to make sure the next boot gets seeded differently. */

        if (streq(argv[1], "load")) {

                seed_fd = open(RANDOM_SEED, O_RDWR|O_CLOEXEC|O_NOCTTY|O_CREAT, 0600);
                if (seed_fd < 0) {
                        int open_rw_error = -errno;

                        write_seed_file = false;

                        seed_fd = open(RANDOM_SEED, O_RDONLY|O_CLOEXEC|O_NOCTTY);
                        if (seed_fd < 0) {
                                bool missing = errno == ENOENT;

                                log_full_errno(missing ? LOG_DEBUG : LOG_ERR,
                                               open_rw_error, "Failed to open " RANDOM_SEED " for writing: %m");
                                r = log_full_errno(missing ? LOG_DEBUG : LOG_ERR,
                                                   errno, "Failed to open " RANDOM_SEED " for reading: %m");
                                return missing ? 0 : r;
                        }
                } else
                        write_seed_file = true;

                random_fd = open("/dev/urandom", O_RDWR|O_CLOEXEC|O_NOCTTY, 0600);
                if (random_fd < 0)
                        return log_error_errno(errno, "Failed to open /dev/urandom: %m");

                read_seed_file = true;
                synchronous = true; /* make this invocation a synchronous barrier for random pool initialization */

        } else if (streq(argv[1], "save")) {

                random_fd = open("/dev/urandom", O_RDONLY|O_CLOEXEC|O_NOCTTY);
                if (random_fd < 0)
                        return log_error_errno(errno, "Failed to open /dev/urandom: %m");

                seed_fd = open(RANDOM_SEED, O_WRONLY|O_CLOEXEC|O_NOCTTY|O_CREAT, 0600);
                if (seed_fd < 0)
                        return log_error_errno(errno, "Failed to open " RANDOM_SEED ": %m");

                read_seed_file = false;
                write_seed_file = true;
                synchronous = false;
        } else
                return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
                                       "Unknown verb '%s'.", argv[1]);

        if (fstat(seed_fd, &st) < 0)
                return log_error_errno(errno, "Failed to stat() seed file " RANDOM_SEED ": %m");

        /* If the seed file is larger than what we expect, then honour the existing size and save/restore as much as it says */
        if ((uint64_t) st.st_size > buf_size)
                buf_size = MIN(st.st_size, RANDOM_POOL_SIZE_MAX);

        buf = malloc(buf_size);
        if (!buf)
                return log_oom();

        if (read_seed_file) {
                sd_id128_t mid;

                /* First, let's write the machine ID into /dev/urandom, not crediting entropy. Why? As an
                 * extra protection against "golden images" that are put together sloppily, i.e. images which
                 * are duplicated on multiple systems but where the random seed file is not properly
                 * reset. Frequently the machine ID is properly reset on those systems however (simply
                 * because it's easier to notice, if it isn't due to address clashes and so on, while random
                 * seed equivalence is generally not noticed easily), hence let's simply write the machined
                 * ID into the random pool too. */
                r = sd_id128_get_machine(&mid);
                if (r < 0)
                        log_debug_errno(r, "Failed to get machine ID, ignoring: %m");
                else {
                        r = loop_write(random_fd, &mid, sizeof(mid), false);
                        if (r < 0)
                                log_debug_errno(r, "Failed to write machine ID to /dev/urandom, ignoring: %m");
                }

                k = loop_read(seed_fd, buf, buf_size, false);
                if (k < 0)
                        log_error_errno(k, "Failed to read seed from " RANDOM_SEED ": %m");
                else if (k == 0)
                        log_debug("Seed file " RANDOM_SEED " not yet initialized, proceeding.");
                else {
                        CreditEntropy lets_credit;

                        /* If we're going to later write out a seed file, initialize a hash state with
                         * the contents of the seed file we just read, so that the new one can't regress
                         * in entropy. */
                        if (write_seed_file) {
                                sha256_init_ctx(&hash_state);
                                sha256_process_bytes(&k, sizeof(k), &hash_state); /* Hash length to distinguish from new seed. */
                                sha256_process_bytes(buf, k, &hash_state);
                                hashed_old_seed = true;
                        }

                        (void) lseek(seed_fd, 0, SEEK_SET);

                        lets_credit = may_credit(seed_fd);

                        /* Before we credit or use the entropy, let's make sure to securely drop the
                         * creditable xattr from the file, so that we never credit the same random seed
                         * again. Note that further down we'll write a new seed again, and likely mark it as
                         * credible again, hence this is just paranoia to close the short time window between
                         * the time we upload the random seed into the kernel and download the new one from
                         * it. */

                        if (fremovexattr(seed_fd, "user.random-seed-creditable") < 0) {
                                if (!IN_SET(errno, ENODATA, ENOSYS, EOPNOTSUPP))
                                        log_warning_errno(errno, "Failed to remove extended attribute, ignoring: %m");

                                /* Otherwise, there was no creditable flag set, which is OK. */
                        } else {
                                r = fsync_full(seed_fd);
                                if (r < 0) {
                                        log_warning_errno(r, "Failed to synchronize seed to disk, not crediting entropy: %m");

                                        if (lets_credit == CREDIT_ENTROPY_YES_PLEASE)
                                                lets_credit = CREDIT_ENTROPY_NO_WAY;
                                }
                        }

                        r = random_write_entropy(random_fd, buf, k,
                                                 IN_SET(lets_credit, CREDIT_ENTROPY_YES_PLEASE, CREDIT_ENTROPY_YES_FORCED));
                        if (r < 0)
                                log_error_errno(r, "Failed to write seed to /dev/urandom: %m");
                }
        }

        if (write_seed_file) {
                bool getrandom_worked = false;

                /* This is just a safety measure. Given that we are root and most likely created the file
                 * ourselves the mode and owner should be correct anyway. */
                r = fchmod_and_chown(seed_fd, 0600, 0, 0);
                if (r < 0)
                        return log_error_errno(r, "Failed to adjust seed file ownership and access mode: %m");

                /* Let's make this whole job asynchronous, i.e. let's make ourselves a barrier for
                 * proper initialization of the random pool. */
                k = getrandom(buf, buf_size, GRND_NONBLOCK);
                if (k < 0 && errno == EAGAIN && synchronous) {
                        log_notice("Kernel entropy pool is not initialized yet, waiting until it is.");
                        k = getrandom(buf, buf_size, 0); /* retry synchronously */
                }
                if (k < 0)
                        log_debug_errno(errno, "Failed to read random data with getrandom(), falling back to /dev/urandom: %m");
                else if ((size_t) k < buf_size)
                        log_debug("Short read from getrandom(), falling back to /dev/urandom.");
                else
                        getrandom_worked = true;

                if (!getrandom_worked) {
                        /* Retry with classic /dev/urandom */
                        k = loop_read(random_fd, buf, buf_size, false);
                        if (k < 0)
                                return log_error_errno(k, "Failed to read new seed from /dev/urandom: %m");
                        if (k == 0)
                                return log_error_errno(SYNTHETIC_ERRNO(EIO),
                                                       "Got EOF while reading from /dev/urandom.");
                }

                /* If we previously read in a seed file, then hash the new seed into the old one,
                 * and replace the last 32 bytes of the seed with the hash output, so that the
                 * new seed file can't regress in entropy. */
                if (hashed_old_seed) {
                        uint8_t hash[32];
                        sha256_process_bytes(&k, sizeof(k), &hash_state); /* Hash length to distinguish from old seed. */
                        sha256_process_bytes(buf, k, &hash_state);
                        sha256_finish_ctx(&hash_state, hash);
                        l = MIN((size_t)k, sizeof(hash));
                        memcpy((uint8_t *)buf + k - l, hash, l);
                }

                r = loop_write(seed_fd, buf, (size_t) k, false);
                if (r < 0)
                        return log_error_errno(r, "Failed to write new random seed file: %m");

                if (ftruncate(seed_fd, k) < 0)
                        return log_error_errno(r, "Failed to truncate random seed file: %m");

                r = fsync_full(seed_fd);
                if (r < 0)
                        return log_error_errno(r, "Failed to synchronize seed file: %m");

                /* If we got this random seed data from getrandom() the data is suitable for crediting
                 * entropy later on. Let's keep that in mind by setting an extended attribute. on the file */
                if (getrandom_worked)
                        if (fsetxattr(seed_fd, "user.random-seed-creditable", "1", 1, 0) < 0)
                                log_full_errno(ERRNO_IS_NOT_SUPPORTED(errno) ? LOG_DEBUG : LOG_WARNING, errno,
                                               "Failed to mark seed file as creditable, ignoring: %m");
        }

        return 0;
}

DEFINE_MAIN_FUNCTION(run);
Commit	Line	Data
db9ecf05	1	/* SPDX-License-Identifier: LGPL-2.1-or-later */
6e200d55	2
6e200d55	3	#include <errno.h>
07630cea	4	#include <fcntl.h>
26ded557	5	#include <linux/random.h>
26ded557 LP	6	#include <sys/ioctl.h>
	7	#if USE_SYS_RANDOM_H
	8	# include <sys/random.h>
	9	#endif
6e200d55	10	#include <sys/stat.h>
26ded557	11	#include <sys/xattr.h>
07630cea	12	#include <unistd.h>
6e200d55	13
8ba12aef LP	14	#include "sd-id128.h"
8ba12aef LP	15
b5efdb8a	16	#include "alloc-util.h"
3ffd4af2	17	#include "fd-util.h"
4b3b5bc7	18	#include "fs-util.h"
c004493c	19	#include "io-util.h"
6e200d55	20	#include "log.h"
5e332028	21	#include "main-func.h"
123aeae2	22	#include "missing_random.h"
f5947a5e	23	#include "missing_syscall.h"
49e942b2	24	#include "mkdir.h"
26ded557	25	#include "parse-util.h"
3e155eba	26	#include "random-util.h"
07630cea	27	#include "string-util.h"
bf819d3a	28	#include "sync-util.h"
da2862ef	29	#include "sha256.h"
07630cea	30	#include "util.h"
26ded557 LP	31	#include "xattr-util.h"
	32
	33	typedef enum CreditEntropy {
	34	CREDIT_ENTROPY_NO_WAY,
	35	CREDIT_ENTROPY_YES_PLEASE,
	36	CREDIT_ENTROPY_YES_FORCED,
	37	} CreditEntropy;
	38
	39	static CreditEntropy may_credit(int seed_fd) {
	40	_cleanup_free_ char *creditable = NULL;
	41	const char *e;
	42	int r;
	43
	44	assert(seed_fd >= 0);
	45
	46	e = getenv("SYSTEMD_RANDOM_SEED_CREDIT");
	47	if (!e) {
	48	log_debug("$SYSTEMD_RANDOM_SEED_CREDIT is not set, not crediting entropy.");
	49	return CREDIT_ENTROPY_NO_WAY;
	50	}
	51	if (streq(e, "force")) {
	52	log_debug("$SYSTEMD_RANDOM_SEED_CREDIT is set to 'force', crediting entropy.");
	53	return CREDIT_ENTROPY_YES_FORCED;
	54	}
	55
	56	r = parse_boolean(e);
	57	if (r <= 0) {
	58	if (r < 0)
	59	log_warning_errno(r, "Failed to parse $SYSTEMD_RANDOM_SEED_CREDIT, not crediting entropy: %m");
	60	else
	61	log_debug("Crediting entropy is turned off via $SYSTEMD_RANDOM_SEED_CREDIT, not crediting entropy.");
	62
	63	return CREDIT_ENTROPY_NO_WAY;
	64	}
	65
	66	/* Determine if the file is marked as creditable */
	67	r = fgetxattr_malloc(seed_fd, "user.random-seed-creditable", &creditable);
	68	if (r < 0) {
	69	if (IN_SET(r, -ENODATA, -ENOSYS, -EOPNOTSUPP))
	70	log_debug_errno(r, "Seed file is not marked as creditable, not crediting.");
	71	else
	72	log_warning_errno(r, "Failed to read extended attribute, ignoring: %m");
	73
	74	return CREDIT_ENTROPY_NO_WAY;
	75	}
	76
	77	r = parse_boolean(creditable);
	78	if (r <= 0) {
	79	if (r < 0)
	80	log_warning_errno(r, "Failed to parse user.random-seed-creditable extended attribute, ignoring: %s", creditable);
	81	else
	82	log_debug("Seed file is marked as not creditable, not crediting.");
	83
	84	return CREDIT_ENTROPY_NO_WAY;
	85	}
	86
	87	/* Don't credit the random seed if we are in first-boot mode, because we are supposed to start from
	88	* scratch. This is a safety precaution for cases where we people ship "golden" images with empty
	89	* /etc but populated /var that contains a random seed. */
	90	if (access("/run/systemd/first-boot", F_OK) < 0) {
	91
	92	if (errno != ENOENT) {
	93	log_warning_errno(errno, "Failed to check whether we are in first-boot mode, not crediting entropy: %m");
	94	return CREDIT_ENTROPY_NO_WAY;
95	}
96
97	/* If ENOENT all is good, we are not in first-boot mode. */
98	} else {
99	log_debug("Not crediting entropy, since booted in first-boot mode.");
100	return CREDIT_ENTROPY_NO_WAY;
101	}
102
103	return CREDIT_ENTROPY_YES_PLEASE;
104	}
6e200d55	105
72d0d7a6	106	static int run(int argc, char *argv[]) {
06511ba5	107	bool read_seed_file, write_seed_file, synchronous, hashed_old_seed = false;
ce179470 LP	108	_cleanup_close_ int seed_fd = -1, random_fd = -1;
ce179470 LP	109	_cleanup_free_ void* buf = NULL;
da2862ef	110	struct sha256_ctx hash_state;
3e155eba	111	size_t buf_size;
ac93390b	112	struct stat st;
da2862ef	113	ssize_t k, l;
ac93390b	114	int r;
6e200d55	115
d2acb93d	116	log_setup();
6e200d55	117
baaa35ad ZJS	118	if (argc != 2)
	119	return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
	120	"This program requires one argument.");
72d0d7a6	121
4c12626c LP	122	umask(0022);
4c12626c LP	123
3e155eba	124	buf_size = random_pool_size();
26192dfc	125
5468d9af	126	r = mkdir_parents(RANDOM_SEED, 0755);
72d0d7a6 ZJS	127	if (r < 0)
72d0d7a6 ZJS	128	return log_error_errno(r, "Failed to create directory " RANDOM_SEED_DIR ": %m");
b56e5747	129
ac93390b LP	130	/* When we load the seed we read it and write it to the device and then immediately update the saved seed with
ac93390b LP	131	* new data, to make sure the next boot gets seeded differently. */
6e200d55 LP	132
	133	if (streq(argv[1], "load")) {
	134
ce179470 LP	135	seed_fd = open(RANDOM_SEED, O_RDWR\|O_CLOEXEC\|O_NOCTTY\|O_CREAT, 0600);
ce179470 LP	136	if (seed_fd < 0) {
15d961bf LP	137	int open_rw_error = -errno;
15d961bf LP	138
ac93390b	139	write_seed_file = false;
8edc2d22	140
ce179470 LP	141	seed_fd = open(RANDOM_SEED, O_RDONLY\|O_CLOEXEC\|O_NOCTTY);
ce179470 LP	142	if (seed_fd < 0) {
8edc2d22 ZJS	143	bool missing = errno == ENOENT;
	144
	145	log_full_errno(missing ? LOG_DEBUG : LOG_ERR,
	146	open_rw_error, "Failed to open " RANDOM_SEED " for writing: %m");
	147	r = log_full_errno(missing ? LOG_DEBUG : LOG_ERR,
	148	errno, "Failed to open " RANDOM_SEED " for reading: %m");
72d0d7a6	149	return missing ? 0 : r;
6e200d55	150	}
ac93390b LP	151	} else
ac93390b LP	152	write_seed_file = true;
6e200d55	153
ce179470	154	random_fd = open("/dev/urandom", O_RDWR\|O_CLOEXEC\|O_NOCTTY, 0600);
c6127c39 LP	155	if (random_fd < 0)
c6127c39 LP	156	return log_error_errno(errno, "Failed to open /dev/urandom: %m");
6e200d55	157
ac93390b	158	read_seed_file = true;
26ded557	159	synchronous = true; /* make this invocation a synchronous barrier for random pool initialization */
6e200d55 LP	160
	161	} else if (streq(argv[1], "save")) {
	162
ac93390b	163	random_fd = open("/dev/urandom", O_RDONLY\|O_CLOEXEC\|O_NOCTTY);
72d0d7a6 ZJS	164	if (random_fd < 0)
72d0d7a6 ZJS	165	return log_error_errno(errno, "Failed to open /dev/urandom: %m");
ac93390b	166
ce179470	167	seed_fd = open(RANDOM_SEED, O_WRONLY\|O_CLOEXEC\|O_NOCTTY\|O_CREAT, 0600);
72d0d7a6 ZJS	168	if (seed_fd < 0)
72d0d7a6 ZJS	169	return log_error_errno(errno, "Failed to open " RANDOM_SEED ": %m");
6e200d55	170
ac93390b LP	171	read_seed_file = false;
ac93390b LP	172	write_seed_file = true;
26ded557	173	synchronous = false;
baaa35ad ZJS	174	} else
	175	return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
	176	"Unknown verb '%s'.", argv[1]);
6e200d55	177
72d0d7a6 ZJS	178	if (fstat(seed_fd, &st) < 0)
72d0d7a6 ZJS	179	return log_error_errno(errno, "Failed to stat() seed file " RANDOM_SEED ": %m");
ac93390b LP	180
	181	/* If the seed file is larger than what we expect, then honour the existing size and save/restore as much as it says */
	182	if ((uint64_t) st.st_size > buf_size)
3e155eba	183	buf_size = MIN(st.st_size, RANDOM_POOL_SIZE_MAX);
ac93390b LP	184
ac93390b LP	185	buf = malloc(buf_size);
72d0d7a6 ZJS	186	if (!buf)
72d0d7a6 ZJS	187	return log_oom();
ac93390b LP	188
ac93390b LP	189	if (read_seed_file) {
8ba12aef	190	sd_id128_t mid;
26ded557 LP	191
	192	/* First, let's write the machine ID into /dev/urandom, not crediting entropy. Why? As an
	193	* extra protection against "golden images" that are put together sloppily, i.e. images which
	194	* are duplicated on multiple systems but where the random seed file is not properly
	195	* reset. Frequently the machine ID is properly reset on those systems however (simply
	196	* because it's easier to notice, if it isn't due to address clashes and so on, while random
	197	* seed equivalence is generally not noticed easily), hence let's simply write the machined
	198	* ID into the random pool too. */
	199	r = sd_id128_get_machine(&mid);
	200	if (r < 0)
	201	log_debug_errno(r, "Failed to get machine ID, ignoring: %m");
	202	else {
	203	r = loop_write(random_fd, &mid, sizeof(mid), false);
	204	if (r < 0)
	205	log_debug_errno(r, "Failed to write machine ID to /dev/urandom, ignoring: %m");
	206	}
ac93390b LP	207
	208	k = loop_read(seed_fd, buf, buf_size, false);
	209	if (k < 0)
26ded557 LP	210	log_error_errno(k, "Failed to read seed from " RANDOM_SEED ": %m");
26ded557 LP	211	else if (k == 0)
ac93390b	212	log_debug("Seed file " RANDOM_SEED " not yet initialized, proceeding.");
26ded557 LP	213	else {
	214	CreditEntropy lets_credit;
	215
06511ba5 JD	216	/* If we're going to later write out a seed file, initialize a hash state with
	217	* the contents of the seed file we just read, so that the new one can't regress
	218	* in entropy. */
	219	if (write_seed_file) {
	220	sha256_init_ctx(&hash_state);
	221	sha256_process_bytes(&k, sizeof(k), &hash_state); /* Hash length to distinguish from new seed. */
	222	sha256_process_bytes(buf, k, &hash_state);
	223	hashed_old_seed = true;
	224	}
	225
ac93390b LP	226	(void) lseek(seed_fd, 0, SEEK_SET);
ac93390b LP	227
26ded557	228	lets_credit = may_credit(seed_fd);
8ba12aef	229
26ded557 LP	230	/* Before we credit or use the entropy, let's make sure to securely drop the
	231	* creditable xattr from the file, so that we never credit the same random seed
	232	* again. Note that further down we'll write a new seed again, and likely mark it as
	233	* credible again, hence this is just paranoia to close the short time window between
	234	* the time we upload the random seed into the kernel and download the new one from
	235	* it. */
	236
	237	if (fremovexattr(seed_fd, "user.random-seed-creditable") < 0) {
	238	if (!IN_SET(errno, ENODATA, ENOSYS, EOPNOTSUPP))
	239	log_warning_errno(errno, "Failed to remove extended attribute, ignoring: %m");
	240
	241	/* Otherwise, there was no creditable flag set, which is OK. */
	242	} else {
	243	r = fsync_full(seed_fd);
	244	if (r < 0) {
	245	log_warning_errno(r, "Failed to synchronize seed to disk, not crediting entropy: %m");
	246
	247	if (lets_credit == CREDIT_ENTROPY_YES_PLEASE)
	248	lets_credit = CREDIT_ENTROPY_NO_WAY;
	249	}
	250	}
	251
4dd055f9 LP	252	r = random_write_entropy(random_fd, buf, k,
	253	IN_SET(lets_credit, CREDIT_ENTROPY_YES_PLEASE, CREDIT_ENTROPY_YES_FORCED));
	254	if (r < 0)
	255	log_error_errno(r, "Failed to write seed to /dev/urandom: %m");
8ba12aef	256	}
ac93390b LP	257	}
	258
	259	if (write_seed_file) {
26ded557	260	bool getrandom_worked = false;
6e200d55	261
26ded557 LP	262	/* This is just a safety measure. Given that we are root and most likely created the file
	263	* ourselves the mode and owner should be correct anyway. */
	264	r = fchmod_and_chown(seed_fd, 0600, 0, 0);
	265	if (r < 0)
e5b90b30	266	return log_error_errno(r, "Failed to adjust seed file ownership and access mode: %m");
26ded557 LP	267
	268	/* Let's make this whole job asynchronous, i.e. let's make ourselves a barrier for
	269	* proper initialization of the random pool. */
	270	k = getrandom(buf, buf_size, GRND_NONBLOCK);
	271	if (k < 0 && errno == EAGAIN && synchronous) {
	272	log_notice("Kernel entropy pool is not initialized yet, waiting until it is.");
	273	k = getrandom(buf, buf_size, 0); /* retry synchronously */
	274	}
72d0d7a6	275	if (k < 0)
26ded557 LP	276	log_debug_errno(errno, "Failed to read random data with getrandom(), falling back to /dev/urandom: %m");
26ded557 LP	277	else if ((size_t) k < buf_size)
111a3aae	278	log_debug("Short read from getrandom(), falling back to /dev/urandom.");
26ded557 LP	279	else
	280	getrandom_worked = true;
	281
	282	if (!getrandom_worked) {
	283	/* Retry with classic /dev/urandom */
	284	k = loop_read(random_fd, buf, buf_size, false);
	285	if (k < 0)
	286	return log_error_errno(k, "Failed to read new seed from /dev/urandom: %m");
	287	if (k == 0)
	288	return log_error_errno(SYNTHETIC_ERRNO(EIO),
	289	"Got EOF while reading from /dev/urandom.");
	290	}
1509fb87	291
da2862ef JD	292	/* If we previously read in a seed file, then hash the new seed into the old one,
	293	* and replace the last 32 bytes of the seed with the hash output, so that the
	294	* new seed file can't regress in entropy. */
06511ba5 JD	295	if (hashed_old_seed) {
	296	uint8_t hash[32];
	297	sha256_process_bytes(&k, sizeof(k), &hash_state); /* Hash length to distinguish from old seed. */
da2862ef JD	298	sha256_process_bytes(buf, k, &hash_state);
da2862ef JD	299	sha256_finish_ctx(&hash_state, hash);
06511ba5	300	l = MIN((size_t)k, sizeof(hash));
da2862ef JD	301	memcpy((uint8_t *)buf + k - l, hash, l);
	302	}
	303
1509fb87 LP	304	r = loop_write(seed_fd, buf, (size_t) k, false);
1509fb87 LP	305	if (r < 0)
72d0d7a6	306	return log_error_errno(r, "Failed to write new random seed file: %m");
26ded557 LP	307
	308	if (ftruncate(seed_fd, k) < 0)
	309	return log_error_errno(r, "Failed to truncate random seed file: %m");
	310
	311	r = fsync_full(seed_fd);
	312	if (r < 0)
	313	return log_error_errno(r, "Failed to synchronize seed file: %m");
	314
	315	/* If we got this random seed data from getrandom() the data is suitable for crediting
	316	* entropy later on. Let's keep that in mind by setting an extended attribute. on the file */
	317	if (getrandom_worked)
	318	if (fsetxattr(seed_fd, "user.random-seed-creditable", "1", 1, 0) < 0)
97f1c6af	319	log_full_errno(ERRNO_IS_NOT_SUPPORTED(errno) ? LOG_DEBUG : LOG_WARNING, errno,
26ded557	320	"Failed to mark seed file as creditable, ignoring: %m");
6e200d55 LP	321	}
6e200d55 LP	322
26ded557	323	return 0;
6e200d55	324	}
72d0d7a6 ZJS	325
72d0d7a6 ZJS	326	DEFINE_MAIN_FUNCTION(run);