]>
Commit | Line | Data |
---|---|---|
db9ecf05 | 1 | /* SPDX-License-Identifier: LGPL-2.1-or-later */ |
6e200d55 | 2 | |
6e200d55 | 3 | #include <errno.h> |
07630cea | 4 | #include <fcntl.h> |
26ded557 | 5 | #include <linux/random.h> |
26ded557 LP |
6 | #include <sys/ioctl.h> |
7 | #if USE_SYS_RANDOM_H | |
8 | # include <sys/random.h> | |
9 | #endif | |
6e200d55 | 10 | #include <sys/stat.h> |
26ded557 | 11 | #include <sys/xattr.h> |
07630cea | 12 | #include <unistd.h> |
6e200d55 | 13 | |
8ba12aef LP |
14 | #include "sd-id128.h" |
15 | ||
b5efdb8a | 16 | #include "alloc-util.h" |
3ffd4af2 | 17 | #include "fd-util.h" |
4b3b5bc7 | 18 | #include "fs-util.h" |
c004493c | 19 | #include "io-util.h" |
6e200d55 | 20 | #include "log.h" |
5e332028 | 21 | #include "main-func.h" |
123aeae2 | 22 | #include "missing_random.h" |
f5947a5e | 23 | #include "missing_syscall.h" |
49e942b2 | 24 | #include "mkdir.h" |
26ded557 | 25 | #include "parse-util.h" |
3e155eba | 26 | #include "random-util.h" |
07630cea | 27 | #include "string-util.h" |
bf819d3a | 28 | #include "sync-util.h" |
07630cea | 29 | #include "util.h" |
26ded557 LP |
30 | #include "xattr-util.h" |
31 | ||
32 | typedef enum CreditEntropy { | |
33 | CREDIT_ENTROPY_NO_WAY, | |
34 | CREDIT_ENTROPY_YES_PLEASE, | |
35 | CREDIT_ENTROPY_YES_FORCED, | |
36 | } CreditEntropy; | |
37 | ||
38 | static CreditEntropy may_credit(int seed_fd) { | |
39 | _cleanup_free_ char *creditable = NULL; | |
40 | const char *e; | |
41 | int r; | |
42 | ||
43 | assert(seed_fd >= 0); | |
44 | ||
45 | e = getenv("SYSTEMD_RANDOM_SEED_CREDIT"); | |
46 | if (!e) { | |
47 | log_debug("$SYSTEMD_RANDOM_SEED_CREDIT is not set, not crediting entropy."); | |
48 | return CREDIT_ENTROPY_NO_WAY; | |
49 | } | |
50 | if (streq(e, "force")) { | |
51 | log_debug("$SYSTEMD_RANDOM_SEED_CREDIT is set to 'force', crediting entropy."); | |
52 | return CREDIT_ENTROPY_YES_FORCED; | |
53 | } | |
54 | ||
55 | r = parse_boolean(e); | |
56 | if (r <= 0) { | |
57 | if (r < 0) | |
58 | log_warning_errno(r, "Failed to parse $SYSTEMD_RANDOM_SEED_CREDIT, not crediting entropy: %m"); | |
59 | else | |
60 | log_debug("Crediting entropy is turned off via $SYSTEMD_RANDOM_SEED_CREDIT, not crediting entropy."); | |
61 | ||
62 | return CREDIT_ENTROPY_NO_WAY; | |
63 | } | |
64 | ||
65 | /* Determine if the file is marked as creditable */ | |
66 | r = fgetxattr_malloc(seed_fd, "user.random-seed-creditable", &creditable); | |
67 | if (r < 0) { | |
68 | if (IN_SET(r, -ENODATA, -ENOSYS, -EOPNOTSUPP)) | |
69 | log_debug_errno(r, "Seed file is not marked as creditable, not crediting."); | |
70 | else | |
71 | log_warning_errno(r, "Failed to read extended attribute, ignoring: %m"); | |
72 | ||
73 | return CREDIT_ENTROPY_NO_WAY; | |
74 | } | |
75 | ||
76 | r = parse_boolean(creditable); | |
77 | if (r <= 0) { | |
78 | if (r < 0) | |
79 | log_warning_errno(r, "Failed to parse user.random-seed-creditable extended attribute, ignoring: %s", creditable); | |
80 | else | |
81 | log_debug("Seed file is marked as not creditable, not crediting."); | |
82 | ||
83 | return CREDIT_ENTROPY_NO_WAY; | |
84 | } | |
85 | ||
86 | /* Don't credit the random seed if we are in first-boot mode, because we are supposed to start from | |
87 | * scratch. This is a safety precaution for cases where we people ship "golden" images with empty | |
88 | * /etc but populated /var that contains a random seed. */ | |
89 | if (access("/run/systemd/first-boot", F_OK) < 0) { | |
90 | ||
91 | if (errno != ENOENT) { | |
92 | log_warning_errno(errno, "Failed to check whether we are in first-boot mode, not crediting entropy: %m"); | |
93 | return CREDIT_ENTROPY_NO_WAY; | |
94 | } | |
95 | ||
96 | /* If ENOENT all is good, we are not in first-boot mode. */ | |
97 | } else { | |
98 | log_debug("Not crediting entropy, since booted in first-boot mode."); | |
99 | return CREDIT_ENTROPY_NO_WAY; | |
100 | } | |
101 | ||
102 | return CREDIT_ENTROPY_YES_PLEASE; | |
103 | } | |
6e200d55 | 104 | |
72d0d7a6 | 105 | static int run(int argc, char *argv[]) { |
ce179470 | 106 | _cleanup_close_ int seed_fd = -1, random_fd = -1; |
26ded557 | 107 | bool read_seed_file, write_seed_file, synchronous; |
ce179470 | 108 | _cleanup_free_ void* buf = NULL; |
3e155eba | 109 | size_t buf_size; |
ac93390b | 110 | struct stat st; |
ce179470 | 111 | ssize_t k; |
ac93390b | 112 | int r; |
6e200d55 | 113 | |
d2acb93d | 114 | log_setup(); |
6e200d55 | 115 | |
baaa35ad ZJS |
116 | if (argc != 2) |
117 | return log_error_errno(SYNTHETIC_ERRNO(EINVAL), | |
118 | "This program requires one argument."); | |
72d0d7a6 | 119 | |
4c12626c LP |
120 | umask(0022); |
121 | ||
3e155eba | 122 | buf_size = random_pool_size(); |
26192dfc | 123 | |
5468d9af | 124 | r = mkdir_parents(RANDOM_SEED, 0755); |
72d0d7a6 ZJS |
125 | if (r < 0) |
126 | return log_error_errno(r, "Failed to create directory " RANDOM_SEED_DIR ": %m"); | |
b56e5747 | 127 | |
ac93390b LP |
128 | /* When we load the seed we read it and write it to the device and then immediately update the saved seed with |
129 | * new data, to make sure the next boot gets seeded differently. */ | |
6e200d55 LP |
130 | |
131 | if (streq(argv[1], "load")) { | |
132 | ||
ce179470 LP |
133 | seed_fd = open(RANDOM_SEED, O_RDWR|O_CLOEXEC|O_NOCTTY|O_CREAT, 0600); |
134 | if (seed_fd < 0) { | |
15d961bf LP |
135 | int open_rw_error = -errno; |
136 | ||
ac93390b | 137 | write_seed_file = false; |
8edc2d22 | 138 | |
ce179470 LP |
139 | seed_fd = open(RANDOM_SEED, O_RDONLY|O_CLOEXEC|O_NOCTTY); |
140 | if (seed_fd < 0) { | |
8edc2d22 ZJS |
141 | bool missing = errno == ENOENT; |
142 | ||
143 | log_full_errno(missing ? LOG_DEBUG : LOG_ERR, | |
144 | open_rw_error, "Failed to open " RANDOM_SEED " for writing: %m"); | |
145 | r = log_full_errno(missing ? LOG_DEBUG : LOG_ERR, | |
146 | errno, "Failed to open " RANDOM_SEED " for reading: %m"); | |
72d0d7a6 | 147 | return missing ? 0 : r; |
6e200d55 | 148 | } |
ac93390b LP |
149 | } else |
150 | write_seed_file = true; | |
6e200d55 | 151 | |
ce179470 | 152 | random_fd = open("/dev/urandom", O_RDWR|O_CLOEXEC|O_NOCTTY, 0600); |
c6127c39 LP |
153 | if (random_fd < 0) |
154 | return log_error_errno(errno, "Failed to open /dev/urandom: %m"); | |
6e200d55 | 155 | |
ac93390b | 156 | read_seed_file = true; |
26ded557 | 157 | synchronous = true; /* make this invocation a synchronous barrier for random pool initialization */ |
6e200d55 LP |
158 | |
159 | } else if (streq(argv[1], "save")) { | |
160 | ||
ac93390b | 161 | random_fd = open("/dev/urandom", O_RDONLY|O_CLOEXEC|O_NOCTTY); |
72d0d7a6 ZJS |
162 | if (random_fd < 0) |
163 | return log_error_errno(errno, "Failed to open /dev/urandom: %m"); | |
ac93390b | 164 | |
ce179470 | 165 | seed_fd = open(RANDOM_SEED, O_WRONLY|O_CLOEXEC|O_NOCTTY|O_CREAT, 0600); |
72d0d7a6 ZJS |
166 | if (seed_fd < 0) |
167 | return log_error_errno(errno, "Failed to open " RANDOM_SEED ": %m"); | |
6e200d55 | 168 | |
ac93390b LP |
169 | read_seed_file = false; |
170 | write_seed_file = true; | |
26ded557 | 171 | synchronous = false; |
baaa35ad ZJS |
172 | } else |
173 | return log_error_errno(SYNTHETIC_ERRNO(EINVAL), | |
174 | "Unknown verb '%s'.", argv[1]); | |
6e200d55 | 175 | |
72d0d7a6 ZJS |
176 | if (fstat(seed_fd, &st) < 0) |
177 | return log_error_errno(errno, "Failed to stat() seed file " RANDOM_SEED ": %m"); | |
ac93390b LP |
178 | |
179 | /* If the seed file is larger than what we expect, then honour the existing size and save/restore as much as it says */ | |
180 | if ((uint64_t) st.st_size > buf_size) | |
3e155eba | 181 | buf_size = MIN(st.st_size, RANDOM_POOL_SIZE_MAX); |
ac93390b LP |
182 | |
183 | buf = malloc(buf_size); | |
72d0d7a6 ZJS |
184 | if (!buf) |
185 | return log_oom(); | |
ac93390b LP |
186 | |
187 | if (read_seed_file) { | |
8ba12aef | 188 | sd_id128_t mid; |
26ded557 LP |
189 | |
190 | /* First, let's write the machine ID into /dev/urandom, not crediting entropy. Why? As an | |
191 | * extra protection against "golden images" that are put together sloppily, i.e. images which | |
192 | * are duplicated on multiple systems but where the random seed file is not properly | |
193 | * reset. Frequently the machine ID is properly reset on those systems however (simply | |
194 | * because it's easier to notice, if it isn't due to address clashes and so on, while random | |
195 | * seed equivalence is generally not noticed easily), hence let's simply write the machined | |
196 | * ID into the random pool too. */ | |
197 | r = sd_id128_get_machine(&mid); | |
198 | if (r < 0) | |
199 | log_debug_errno(r, "Failed to get machine ID, ignoring: %m"); | |
200 | else { | |
201 | r = loop_write(random_fd, &mid, sizeof(mid), false); | |
202 | if (r < 0) | |
203 | log_debug_errno(r, "Failed to write machine ID to /dev/urandom, ignoring: %m"); | |
204 | } | |
ac93390b LP |
205 | |
206 | k = loop_read(seed_fd, buf, buf_size, false); | |
207 | if (k < 0) | |
26ded557 LP |
208 | log_error_errno(k, "Failed to read seed from " RANDOM_SEED ": %m"); |
209 | else if (k == 0) | |
ac93390b | 210 | log_debug("Seed file " RANDOM_SEED " not yet initialized, proceeding."); |
26ded557 LP |
211 | else { |
212 | CreditEntropy lets_credit; | |
213 | ||
ac93390b LP |
214 | (void) lseek(seed_fd, 0, SEEK_SET); |
215 | ||
26ded557 | 216 | lets_credit = may_credit(seed_fd); |
8ba12aef | 217 | |
26ded557 LP |
218 | /* Before we credit or use the entropy, let's make sure to securely drop the |
219 | * creditable xattr from the file, so that we never credit the same random seed | |
220 | * again. Note that further down we'll write a new seed again, and likely mark it as | |
221 | * credible again, hence this is just paranoia to close the short time window between | |
222 | * the time we upload the random seed into the kernel and download the new one from | |
223 | * it. */ | |
224 | ||
225 | if (fremovexattr(seed_fd, "user.random-seed-creditable") < 0) { | |
226 | if (!IN_SET(errno, ENODATA, ENOSYS, EOPNOTSUPP)) | |
227 | log_warning_errno(errno, "Failed to remove extended attribute, ignoring: %m"); | |
228 | ||
229 | /* Otherwise, there was no creditable flag set, which is OK. */ | |
230 | } else { | |
231 | r = fsync_full(seed_fd); | |
232 | if (r < 0) { | |
233 | log_warning_errno(r, "Failed to synchronize seed to disk, not crediting entropy: %m"); | |
234 | ||
235 | if (lets_credit == CREDIT_ENTROPY_YES_PLEASE) | |
236 | lets_credit = CREDIT_ENTROPY_NO_WAY; | |
237 | } | |
238 | } | |
239 | ||
4dd055f9 LP |
240 | r = random_write_entropy(random_fd, buf, k, |
241 | IN_SET(lets_credit, CREDIT_ENTROPY_YES_PLEASE, CREDIT_ENTROPY_YES_FORCED)); | |
242 | if (r < 0) | |
243 | log_error_errno(r, "Failed to write seed to /dev/urandom: %m"); | |
8ba12aef | 244 | } |
ac93390b LP |
245 | } |
246 | ||
247 | if (write_seed_file) { | |
26ded557 | 248 | bool getrandom_worked = false; |
6e200d55 | 249 | |
26ded557 LP |
250 | /* This is just a safety measure. Given that we are root and most likely created the file |
251 | * ourselves the mode and owner should be correct anyway. */ | |
252 | r = fchmod_and_chown(seed_fd, 0600, 0, 0); | |
253 | if (r < 0) | |
254 | return log_error_errno(r, "Failed to adjust seed file ownership and access mode."); | |
255 | ||
256 | /* Let's make this whole job asynchronous, i.e. let's make ourselves a barrier for | |
257 | * proper initialization of the random pool. */ | |
258 | k = getrandom(buf, buf_size, GRND_NONBLOCK); | |
259 | if (k < 0 && errno == EAGAIN && synchronous) { | |
260 | log_notice("Kernel entropy pool is not initialized yet, waiting until it is."); | |
261 | k = getrandom(buf, buf_size, 0); /* retry synchronously */ | |
262 | } | |
72d0d7a6 | 263 | if (k < 0) |
26ded557 LP |
264 | log_debug_errno(errno, "Failed to read random data with getrandom(), falling back to /dev/urandom: %m"); |
265 | else if ((size_t) k < buf_size) | |
111a3aae | 266 | log_debug("Short read from getrandom(), falling back to /dev/urandom."); |
26ded557 LP |
267 | else |
268 | getrandom_worked = true; | |
269 | ||
270 | if (!getrandom_worked) { | |
271 | /* Retry with classic /dev/urandom */ | |
272 | k = loop_read(random_fd, buf, buf_size, false); | |
273 | if (k < 0) | |
274 | return log_error_errno(k, "Failed to read new seed from /dev/urandom: %m"); | |
275 | if (k == 0) | |
276 | return log_error_errno(SYNTHETIC_ERRNO(EIO), | |
277 | "Got EOF while reading from /dev/urandom."); | |
278 | } | |
1509fb87 LP |
279 | |
280 | r = loop_write(seed_fd, buf, (size_t) k, false); | |
281 | if (r < 0) | |
72d0d7a6 | 282 | return log_error_errno(r, "Failed to write new random seed file: %m"); |
26ded557 LP |
283 | |
284 | if (ftruncate(seed_fd, k) < 0) | |
285 | return log_error_errno(r, "Failed to truncate random seed file: %m"); | |
286 | ||
287 | r = fsync_full(seed_fd); | |
288 | if (r < 0) | |
289 | return log_error_errno(r, "Failed to synchronize seed file: %m"); | |
290 | ||
291 | /* If we got this random seed data from getrandom() the data is suitable for crediting | |
292 | * entropy later on. Let's keep that in mind by setting an extended attribute. on the file */ | |
293 | if (getrandom_worked) | |
294 | if (fsetxattr(seed_fd, "user.random-seed-creditable", "1", 1, 0) < 0) | |
97f1c6af | 295 | log_full_errno(ERRNO_IS_NOT_SUPPORTED(errno) ? LOG_DEBUG : LOG_WARNING, errno, |
26ded557 | 296 | "Failed to mark seed file as creditable, ignoring: %m"); |
6e200d55 LP |
297 | } |
298 | ||
26ded557 | 299 | return 0; |
6e200d55 | 300 | } |
72d0d7a6 ZJS |
301 | |
302 | DEFINE_MAIN_FUNCTION(run); |