[thirdparty/systemd.git] / src / random-seed / random-seed.c

/* SPDX-License-Identifier: LGPL-2.1-or-later */

#include <errno.h>
#include <fcntl.h>
#include <getopt.h>
#include <linux/random.h>
#include <sys/ioctl.h>
#if USE_SYS_RANDOM_H
#  include <sys/random.h>
#endif
#include <sys/stat.h>
#include <sys/xattr.h>
#include <unistd.h>

#include "sd-id128.h"

#include "alloc-util.h"
#include "fd-util.h"
#include "fs-util.h"
#include "io-util.h"
#include "log.h"
#include "main-func.h"
#include "missing_random.h"
#include "missing_syscall.h"
#include "mkdir.h"
#include "parse-argument.h"
#include "parse-util.h"
#include "pretty-print.h"
#include "random-util.h"
#include "string-table.h"
#include "string-util.h"
#include "strv.h"
#include "sync-util.h"
#include "sha256.h"
#include "terminal-util.h"
#include "util.h"
#include "xattr-util.h"

typedef enum SeedAction {
        ACTION_LOAD,
        ACTION_SAVE,
        _ACTION_MAX,
        _ACTION_INVALID = -EINVAL,
} SeedAction;

typedef enum CreditEntropy {
        CREDIT_ENTROPY_NO_WAY,
        CREDIT_ENTROPY_YES_PLEASE,
        CREDIT_ENTROPY_YES_FORCED,
} CreditEntropy;

static SeedAction arg_action = _ACTION_INVALID;

static CreditEntropy may_credit(int seed_fd) {
        _cleanup_free_ char *creditable = NULL;
        const char *e;
        int r;

        assert(seed_fd >= 0);

        e = getenv("SYSTEMD_RANDOM_SEED_CREDIT");
        if (!e) {
                log_debug("$SYSTEMD_RANDOM_SEED_CREDIT is not set, not crediting entropy.");
                return CREDIT_ENTROPY_NO_WAY;
        }
        if (streq(e, "force")) {
                log_debug("$SYSTEMD_RANDOM_SEED_CREDIT is set to 'force', crediting entropy.");
                return CREDIT_ENTROPY_YES_FORCED;
        }

        r = parse_boolean(e);
        if (r <= 0) {
                if (r < 0)
                        log_warning_errno(r, "Failed to parse $SYSTEMD_RANDOM_SEED_CREDIT, not crediting entropy: %m");
                else
                        log_debug("Crediting entropy is turned off via $SYSTEMD_RANDOM_SEED_CREDIT, not crediting entropy.");

                return CREDIT_ENTROPY_NO_WAY;
        }

        /* Determine if the file is marked as creditable */
        r = fgetxattr_malloc(seed_fd, "user.random-seed-creditable", &creditable);
        if (r < 0) {
                if (ERRNO_IS_XATTR_ABSENT(r))
                        log_debug_errno(r, "Seed file is not marked as creditable, not crediting.");
                else
                        log_warning_errno(r, "Failed to read extended attribute, ignoring: %m");

                return CREDIT_ENTROPY_NO_WAY;
        }

        r = parse_boolean(creditable);
        if (r <= 0) {
                if (r < 0)
                        log_warning_errno(r, "Failed to parse user.random-seed-creditable extended attribute, ignoring: %s", creditable);
                else
                        log_debug("Seed file is marked as not creditable, not crediting.");

                return CREDIT_ENTROPY_NO_WAY;
        }

        /* Don't credit the random seed if we are in first-boot mode, because we are supposed to start from
         * scratch. This is a safety precaution for cases where we people ship "golden" images with empty
         * /etc but populated /var that contains a random seed. */
        r = RET_NERRNO(access("/run/systemd/first-boot", F_OK));
        if (r == -ENOENT)
                /* All is good, we are not in first-boot mode. */
                return CREDIT_ENTROPY_YES_PLEASE;
        if (r < 0) {
                log_warning_errno(r, "Failed to check whether we are in first-boot mode, not crediting entropy: %m");
                return CREDIT_ENTROPY_NO_WAY;
        }

        log_debug("Not crediting entropy, since booted in first-boot mode.");
        return CREDIT_ENTROPY_NO_WAY;
}

static int random_seed_size(int seed_fd, size_t *ret_size) {
        struct stat st;

        assert(ret_size);
        assert(seed_fd >= 0);

        if (fstat(seed_fd, &st) < 0)
                return log_error_errno(errno, "Failed to stat() seed file " RANDOM_SEED ": %m");

        /* If the seed file is larger than what the kernel expects, then honour the existing size and
         * save/restore as much as it says */

        *ret_size = CLAMP((uint64_t)st.st_size, random_pool_size(), RANDOM_POOL_SIZE_MAX);
        return 0;
}

static int load_seed_file(
                int seed_fd,
                int urandom_fd,
                size_t seed_size,
                struct sha256_ctx **ret_hash_state) {

        _cleanup_free_ void *buf = NULL;
        CreditEntropy lets_credit;
        sd_id128_t mid;
        ssize_t k;
        int r;

        assert(seed_fd >= 0);
        assert(urandom_fd >= 0);

        /* First, let's write the machine ID into /dev/urandom, not crediting entropy. Why? As an extra
         * protection against "golden images" that are put together sloppily, i.e. images which are
         * duplicated on multiple systems but where the random seed file is not properly reset. Frequently
         * the machine ID is properly reset on those systems however (simply because it's easier to notice,
         * if it isn't due to address clashes and so on, while random seed equivalence is generally not
         * noticed easily), hence let's simply write the machined ID into the random pool too. */
        r = sd_id128_get_machine(&mid);
        if (r < 0)
                log_debug_errno(r, "Failed to get machine ID, ignoring: %m");
        else {
                r = random_write_entropy(urandom_fd, &mid, sizeof(mid), /* credit= */ false);
                if (r < 0)
                        log_debug_errno(r, "Failed to write machine ID to /dev/urandom, ignoring: %m");
        }

        buf = malloc(seed_size);
        if (!buf)
                return log_oom();

        k = loop_read(seed_fd, buf, seed_size, false);
        if (k < 0) {
                log_warning_errno(k, "Failed to read seed from " RANDOM_SEED ": %m");
                return 0;
        }
        if (k == 0) {
                log_debug("Seed file " RANDOM_SEED " not yet initialized, proceeding.");
                return 0;
        }

        /* If we're going to later write out a seed file, initialize a hash state with the contents of the
         * seed file we just read, so that the new one can't regress in entropy. */
        if (ret_hash_state) {
                struct sha256_ctx *hash_state;

                hash_state = malloc(sizeof(struct sha256_ctx));
                if (!hash_state)
                        return log_oom();

                sha256_init_ctx(hash_state);
                sha256_process_bytes(&k, sizeof(k), hash_state); /* Hash length to distinguish from new seed. */
                sha256_process_bytes(buf, k, hash_state);

                *ret_hash_state = hash_state;
        }

        (void) lseek(seed_fd, 0, SEEK_SET);

        lets_credit = may_credit(seed_fd);

        /* Before we credit or use the entropy, let's make sure to securely drop the creditable xattr from
         * the file, so that we never credit the same random seed again. Note that further down we'll write a
         * new seed again, and likely mark it as credible again, hence this is just paranoia to close the
         * short time window between the time we upload the random seed into the kernel and download the new
         * one from it. */

        if (fremovexattr(seed_fd, "user.random-seed-creditable") < 0) {
                if (!ERRNO_IS_XATTR_ABSENT(errno))
                        log_warning_errno(errno, "Failed to remove extended attribute, ignoring: %m");

                /* Otherwise, there was no creditable flag set, which is OK. */
        } else {
                r = fsync_full(seed_fd);
                if (r < 0) {
                        log_warning_errno(r, "Failed to synchronize seed to disk, not crediting entropy: %m");

                        if (lets_credit == CREDIT_ENTROPY_YES_PLEASE)
                                lets_credit = CREDIT_ENTROPY_NO_WAY;
                }
        }

        r = random_write_entropy(urandom_fd, buf, k,
                                 IN_SET(lets_credit, CREDIT_ENTROPY_YES_PLEASE, CREDIT_ENTROPY_YES_FORCED));
        if (r < 0)
                log_warning_errno(r, "Failed to write seed to /dev/urandom: %m");

        return 0;
}

static int save_seed_file(
                int seed_fd,
                int urandom_fd,
                size_t seed_size,
                bool synchronous,
                struct sha256_ctx *hash_state) {

        _cleanup_free_ void *buf = NULL;
        bool getrandom_worked = false;
        ssize_t k, l;
        int r;

        assert(seed_fd >= 0);
        assert(urandom_fd >= 0);

        /* This is just a safety measure. Given that we are root and most likely created the file ourselves
         * the mode and owner should be correct anyway. */
        r = fchmod_and_chown(seed_fd, 0600, 0, 0);
        if (r < 0)
                return log_error_errno(r, "Failed to adjust seed file ownership and access mode: %m");

        buf = malloc(seed_size);
        if (!buf)
                return log_oom();

        /* Let's make this whole job asynchronous, i.e. let's make ourselves a barrier for proper
         * initialization of the random pool. */
        k = getrandom(buf, seed_size, GRND_NONBLOCK);
        if (k < 0 && errno == EAGAIN && synchronous) {
                log_notice("Kernel entropy pool is not initialized yet, waiting until it is.");
                k = getrandom(buf, seed_size, 0); /* retry synchronously */
        }
        if (k < 0)
                log_debug_errno(errno, "Failed to read random data with getrandom(), falling back to /dev/urandom: %m");
        else if ((size_t) k < seed_size)
                log_debug("Short read from getrandom(), falling back to /dev/urandom.");
        else
                getrandom_worked = true;

        if (!getrandom_worked) {
                /* Retry with classic /dev/urandom */
                k = loop_read(urandom_fd, buf, seed_size, false);
                if (k < 0)
                        return log_error_errno(k, "Failed to read new seed from /dev/urandom: %m");
                if (k == 0)
                        return log_error_errno(SYNTHETIC_ERRNO(EIO), "Got EOF while reading from /dev/urandom.");
        }

        /* If we previously read in a seed file, then hash the new seed into the old one, and replace the
         * last 32 bytes of the seed with the hash output, so that the new seed file can't regress in
         * entropy. */
        if (hash_state) {
                uint8_t hash[SHA256_DIGEST_SIZE];

                sha256_process_bytes(&k, sizeof(k), hash_state); /* Hash length to distinguish from old seed. */
                sha256_process_bytes(buf, k, hash_state);
                sha256_finish_ctx(hash_state, hash);
                l = MIN((size_t)k, sizeof(hash));
                memcpy((uint8_t *)buf + k - l, hash, l);
        }

        r = loop_write(seed_fd, buf, (size_t) k, false);
        if (r < 0)
                return log_error_errno(r, "Failed to write new random seed file: %m");

        if (ftruncate(seed_fd, k) < 0)
                return log_error_errno(r, "Failed to truncate random seed file: %m");

        r = fsync_full(seed_fd);
        if (r < 0)
                return log_error_errno(r, "Failed to synchronize seed file: %m");

        /* If we got this random seed data from getrandom() the data is suitable for crediting entropy later
         * on. Let's keep that in mind by setting an extended attribute. on the file */
        if (getrandom_worked)
                if (fsetxattr(seed_fd, "user.random-seed-creditable", "1", 1, 0) < 0)
                        log_full_errno(ERRNO_IS_NOT_SUPPORTED(errno) ? LOG_DEBUG : LOG_WARNING, errno,
                                       "Failed to mark seed file as creditable, ignoring: %m");
        return 0;
}

static int help(int argc, char *argv[], void *userdata) {
        _cleanup_free_ char *link = NULL;
        int r;

        r = terminal_urlify_man("systemd-random-seed", "8", &link);
        if (r < 0)
                return log_oom();

        printf("%1$s [OPTIONS...] COMMAND\n"
               "\n%5$sLoad and save the system random seed at boot and shutdown.%6$s\n"
               "\n%3$sCommands:%4$s\n"
               "  load                Load a random seed saved on disk into the kernel entropy pool\n"
               "  save                Save a new random seed on disk\n"
               "\n%3$sOptions:%4$s\n"
               "  -h --help           Show this help\n"
               "     --version        Show package version\n"
               "\nSee the %2$s for details.\n",
               program_invocation_short_name,
               link,
               ansi_underline(),
               ansi_normal(),
               ansi_highlight(),
               ansi_normal());

        return 0;
}

static const char* const seed_action_table[_ACTION_MAX] = {
        [ACTION_LOAD] = "load",
        [ACTION_SAVE] = "save",
};

DEFINE_PRIVATE_STRING_TABLE_LOOKUP_FROM_STRING(seed_action, SeedAction);

static int parse_argv(int argc, char *argv[]) {
        enum {
                ARG_VERSION = 0x100,
        };

        static const struct option options[] = {
                { "help",    no_argument, NULL, 'h'         },
                { "version", no_argument, NULL, ARG_VERSION },
        };

        int c;

        assert(argc >= 0);
        assert(argv);

        while ((c = getopt_long(argc, argv, "h", options, NULL)) >= 0)
                switch (c) {
                case 'h':
                        return help(0, NULL, NULL);
                case ARG_VERSION:
                        return version();
                case '?':
                        return -EINVAL;

                default:
                        assert_not_reached();
                }

        if (optind + 1 != argc)
                return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "This program requires one argument.");

        arg_action = seed_action_from_string(argv[optind]);
        if (arg_action < 0)
                return log_error_errno(arg_action, "Unknown action '%s'", argv[optind]);

        return 1;
}

static int run(int argc, char *argv[]) {
        _cleanup_free_ struct sha256_ctx *hash_state = NULL;
        _cleanup_close_ int seed_fd = -1, random_fd = -1;
        bool read_seed_file, write_seed_file, synchronous;
        size_t seed_size;
        int r;

        log_setup();

        r = parse_argv(argc, argv);
        if (r <= 0)
                return r;

        umask(0022);

        r = mkdir_parents(RANDOM_SEED, 0755);
        if (r < 0)
                return log_error_errno(r, "Failed to create directory " RANDOM_SEED_DIR ": %m");

        /* When we load the seed we read it and write it to the device and then immediately update the saved
         * seed with new data, to make sure the next boot gets seeded differently. */

        switch (arg_action) {
        case ACTION_LOAD:
                seed_fd = open(RANDOM_SEED, O_RDWR|O_CLOEXEC|O_NOCTTY|O_CREAT, 0600);
                if (seed_fd < 0) {
                        int open_rw_error = -errno;

                        write_seed_file = false;

                        seed_fd = open(RANDOM_SEED, O_RDONLY|O_CLOEXEC|O_NOCTTY);
                        if (seed_fd < 0) {
                                bool missing = errno == ENOENT;
                                int level = missing ? LOG_DEBUG : LOG_ERR;

                                log_full_errno(level, open_rw_error, "Failed to open " RANDOM_SEED " for writing: %m");
                                log_full_errno(level, errno, "Failed to open " RANDOM_SEED " for reading: %m");

                                return missing ? 0 : -errno;
                        }
                } else
                        write_seed_file = true;

                random_fd = open("/dev/urandom", O_RDWR|O_CLOEXEC|O_NOCTTY);
                if (random_fd < 0)
                        return log_error_errno(errno, "Failed to open /dev/urandom: %m");

                read_seed_file = true;
                synchronous = true; /* make this invocation a synchronous barrier for random pool initialization */
                break;

        case ACTION_SAVE:
                random_fd = open("/dev/urandom", O_RDONLY|O_CLOEXEC|O_NOCTTY);
                if (random_fd < 0)
                        return log_error_errno(errno, "Failed to open /dev/urandom: %m");

                seed_fd = open(RANDOM_SEED, O_WRONLY|O_CLOEXEC|O_NOCTTY|O_CREAT, 0600);
                if (seed_fd < 0)
                        return log_error_errno(errno, "Failed to open " RANDOM_SEED ": %m");

                read_seed_file = false;
                write_seed_file = true;
                synchronous = false;
                break;

        default:
                assert_not_reached();
        }

        r = random_seed_size(seed_fd, &seed_size);
        if (r < 0)
                return r;

        if (read_seed_file)
                r = load_seed_file(seed_fd, random_fd, seed_size,
                                   write_seed_file ? &hash_state : NULL);

        if (r >= 0 && write_seed_file)
                r = save_seed_file(seed_fd, random_fd, seed_size, synchronous, hash_state);

        return r;
}

DEFINE_MAIN_FUNCTION(run);
Commit	Line	Data
db9ecf05	1	/* SPDX-License-Identifier: LGPL-2.1-or-later */
6e200d55	2
6e200d55	3	#include <errno.h>
07630cea	4	#include <fcntl.h>
0d0c6639	5	#include <getopt.h>
26ded557	6	#include <linux/random.h>
26ded557 LP	7	#include <sys/ioctl.h>
	8	#if USE_SYS_RANDOM_H
	9	# include <sys/random.h>
	10	#endif
6e200d55	11	#include <sys/stat.h>
26ded557	12	#include <sys/xattr.h>
07630cea	13	#include <unistd.h>
6e200d55	14
8ba12aef LP	15	#include "sd-id128.h"
8ba12aef LP	16
b5efdb8a	17	#include "alloc-util.h"
3ffd4af2	18	#include "fd-util.h"
4b3b5bc7	19	#include "fs-util.h"
c004493c	20	#include "io-util.h"
6e200d55	21	#include "log.h"
5e332028	22	#include "main-func.h"
123aeae2	23	#include "missing_random.h"
f5947a5e	24	#include "missing_syscall.h"
49e942b2	25	#include "mkdir.h"
0d0c6639	26	#include "parse-argument.h"
26ded557	27	#include "parse-util.h"
0d0c6639	28	#include "pretty-print.h"
3e155eba	29	#include "random-util.h"
0d0c6639	30	#include "string-table.h"
07630cea	31	#include "string-util.h"
0d0c6639	32	#include "strv.h"
bf819d3a	33	#include "sync-util.h"
da2862ef	34	#include "sha256.h"
0d0c6639	35	#include "terminal-util.h"
07630cea	36	#include "util.h"
26ded557 LP	37	#include "xattr-util.h"
26ded557 LP	38
0d0c6639 FB	39	typedef enum SeedAction {
	40	ACTION_LOAD,
	41	ACTION_SAVE,
	42	_ACTION_MAX,
	43	_ACTION_INVALID = -EINVAL,
	44	} SeedAction;
	45
26ded557 LP	46	typedef enum CreditEntropy {
	47	CREDIT_ENTROPY_NO_WAY,
	48	CREDIT_ENTROPY_YES_PLEASE,
	49	CREDIT_ENTROPY_YES_FORCED,
	50	} CreditEntropy;
	51
0d0c6639 FB	52	static SeedAction arg_action = _ACTION_INVALID;
0d0c6639 FB	53
26ded557 LP	54	static CreditEntropy may_credit(int seed_fd) {
	55	_cleanup_free_ char *creditable = NULL;
	56	const char *e;
	57	int r;
	58
	59	assert(seed_fd >= 0);
	60
	61	e = getenv("SYSTEMD_RANDOM_SEED_CREDIT");
	62	if (!e) {
	63	log_debug("$SYSTEMD_RANDOM_SEED_CREDIT is not set, not crediting entropy.");
	64	return CREDIT_ENTROPY_NO_WAY;
	65	}
	66	if (streq(e, "force")) {
	67	log_debug("$SYSTEMD_RANDOM_SEED_CREDIT is set to 'force', crediting entropy.");
	68	return CREDIT_ENTROPY_YES_FORCED;
	69	}
	70
	71	r = parse_boolean(e);
	72	if (r <= 0) {
	73	if (r < 0)
	74	log_warning_errno(r, "Failed to parse $SYSTEMD_RANDOM_SEED_CREDIT, not crediting entropy: %m");
	75	else
	76	log_debug("Crediting entropy is turned off via $SYSTEMD_RANDOM_SEED_CREDIT, not crediting entropy.");
	77
	78	return CREDIT_ENTROPY_NO_WAY;
	79	}
	80
	81	/* Determine if the file is marked as creditable */
	82	r = fgetxattr_malloc(seed_fd, "user.random-seed-creditable", &creditable);
	83	if (r < 0) {
00675c36	84	if (ERRNO_IS_XATTR_ABSENT(r))
26ded557 LP	85	log_debug_errno(r, "Seed file is not marked as creditable, not crediting.");
	86	else
	87	log_warning_errno(r, "Failed to read extended attribute, ignoring: %m");
	88
	89	return CREDIT_ENTROPY_NO_WAY;
	90	}
	91
	92	r = parse_boolean(creditable);
	93	if (r <= 0) {
	94	if (r < 0)
	95	log_warning_errno(r, "Failed to parse user.random-seed-creditable extended attribute, ignoring: %s", creditable);
	96	else
	97	log_debug("Seed file is marked as not creditable, not crediting.");
	98
	99	return CREDIT_ENTROPY_NO_WAY;
	100	}
	101
	102	/* Don't credit the random seed if we are in first-boot mode, because we are supposed to start from
	103	* scratch. This is a safety precaution for cases where we people ship "golden" images with empty
	104	* /etc but populated /var that contains a random seed. */
249d31b0 FB	105	r = RET_NERRNO(access("/run/systemd/first-boot", F_OK));
	106	if (r == -ENOENT)
	107	/* All is good, we are not in first-boot mode. */
	108	return CREDIT_ENTROPY_YES_PLEASE;
	109	if (r < 0) {
	110	log_warning_errno(r, "Failed to check whether we are in first-boot mode, not crediting entropy: %m");
26ded557 LP	111	return CREDIT_ENTROPY_NO_WAY;
	112	}
	113
249d31b0 FB	114	log_debug("Not crediting entropy, since booted in first-boot mode.");
249d31b0 FB	115	return CREDIT_ENTROPY_NO_WAY;
26ded557	116	}
6e200d55	117
205138d8 FB	118	static int random_seed_size(int seed_fd, size_t *ret_size) {
	119	struct stat st;
	120
	121	assert(ret_size);
	122	assert(seed_fd >= 0);
	123
	124	if (fstat(seed_fd, &st) < 0)
	125	return log_error_errno(errno, "Failed to stat() seed file " RANDOM_SEED ": %m");
	126
	127	/* If the seed file is larger than what the kernel expects, then honour the existing size and
	128	* save/restore as much as it says */
	129
	130	*ret_size = CLAMP((uint64_t)st.st_size, random_pool_size(), RANDOM_POOL_SIZE_MAX);
	131	return 0;
	132	}
	133
d3fa881a FB	134	static int load_seed_file(
	135	int seed_fd,
	136	int urandom_fd,
	137	size_t seed_size,
	138	struct sha256_ctx **ret_hash_state) {
	139
	140	_cleanup_free_ void *buf = NULL;
	141	CreditEntropy lets_credit;
	142	sd_id128_t mid;
	143	ssize_t k;
	144	int r;
	145
	146	assert(seed_fd >= 0);
	147	assert(urandom_fd >= 0);
	148
	149	/* First, let's write the machine ID into /dev/urandom, not crediting entropy. Why? As an extra
	150	* protection against "golden images" that are put together sloppily, i.e. images which are
	151	* duplicated on multiple systems but where the random seed file is not properly reset. Frequently
	152	* the machine ID is properly reset on those systems however (simply because it's easier to notice,
	153	* if it isn't due to address clashes and so on, while random seed equivalence is generally not
	154	* noticed easily), hence let's simply write the machined ID into the random pool too. */
	155	r = sd_id128_get_machine(&mid);
	156	if (r < 0)
	157	log_debug_errno(r, "Failed to get machine ID, ignoring: %m");
	158	else {
	159	r = random_write_entropy(urandom_fd, &mid, sizeof(mid), /* credit= */ false);
	160	if (r < 0)
	161	log_debug_errno(r, "Failed to write machine ID to /dev/urandom, ignoring: %m");
	162	}
	163
	164	buf = malloc(seed_size);
	165	if (!buf)
	166	return log_oom();
	167
	168	k = loop_read(seed_fd, buf, seed_size, false);
	169	if (k < 0) {
ea37e1ed	170	log_warning_errno(k, "Failed to read seed from " RANDOM_SEED ": %m");
d3fa881a FB	171	return 0;
	172	}
	173	if (k == 0) {
	174	log_debug("Seed file " RANDOM_SEED " not yet initialized, proceeding.");
	175	return 0;
	176	}
	177
	178	/* If we're going to later write out a seed file, initialize a hash state with the contents of the
	179	* seed file we just read, so that the new one can't regress in entropy. */
	180	if (ret_hash_state) {
	181	struct sha256_ctx *hash_state;
	182
	183	hash_state = malloc(sizeof(struct sha256_ctx));
	184	if (!hash_state)
	185	return log_oom();
	186
	187	sha256_init_ctx(hash_state);
	188	sha256_process_bytes(&k, sizeof(k), hash_state); /* Hash length to distinguish from new seed. */
	189	sha256_process_bytes(buf, k, hash_state);
	190
	191	*ret_hash_state = hash_state;
	192	}
	193
	194	(void) lseek(seed_fd, 0, SEEK_SET);
	195
	196	lets_credit = may_credit(seed_fd);
	197
	198	/* Before we credit or use the entropy, let's make sure to securely drop the creditable xattr from
	199	* the file, so that we never credit the same random seed again. Note that further down we'll write a
	200	* new seed again, and likely mark it as credible again, hence this is just paranoia to close the
	201	* short time window between the time we upload the random seed into the kernel and download the new
	202	* one from it. */
	203
	204	if (fremovexattr(seed_fd, "user.random-seed-creditable") < 0) {
	205	if (!ERRNO_IS_XATTR_ABSENT(errno))
	206	log_warning_errno(errno, "Failed to remove extended attribute, ignoring: %m");
	207
	208	/* Otherwise, there was no creditable flag set, which is OK. */
	209	} else {
	210	r = fsync_full(seed_fd);
	211	if (r < 0) {
	212	log_warning_errno(r, "Failed to synchronize seed to disk, not crediting entropy: %m");
	213
	214	if (lets_credit == CREDIT_ENTROPY_YES_PLEASE)
	215	lets_credit = CREDIT_ENTROPY_NO_WAY;
	216	}
	217	}
	218
	219	r = random_write_entropy(urandom_fd, buf, k,
	220	IN_SET(lets_credit, CREDIT_ENTROPY_YES_PLEASE, CREDIT_ENTROPY_YES_FORCED));
	221	if (r < 0)
ea37e1ed	222	log_warning_errno(r, "Failed to write seed to /dev/urandom: %m");
d3fa881a FB	223
	224	return 0;
	225	}
	226
	227	static int save_seed_file(
	228	int seed_fd,
	229	int urandom_fd,
	230	size_t seed_size,
	231	bool synchronous,
	232	struct sha256_ctx *hash_state) {
	233
	234	_cleanup_free_ void *buf = NULL;
	235	bool getrandom_worked = false;
	236	ssize_t k, l;
	237	int r;
	238
	239	assert(seed_fd >= 0);
	240	assert(urandom_fd >= 0);
	241
	242	/* This is just a safety measure. Given that we are root and most likely created the file ourselves
	243	* the mode and owner should be correct anyway. */
	244	r = fchmod_and_chown(seed_fd, 0600, 0, 0);
	245	if (r < 0)
	246	return log_error_errno(r, "Failed to adjust seed file ownership and access mode: %m");
	247
	248	buf = malloc(seed_size);
	249	if (!buf)
	250	return log_oom();
	251
	252	/* Let's make this whole job asynchronous, i.e. let's make ourselves a barrier for proper
	253	* initialization of the random pool. */
	254	k = getrandom(buf, seed_size, GRND_NONBLOCK);
	255	if (k < 0 && errno == EAGAIN && synchronous) {
	256	log_notice("Kernel entropy pool is not initialized yet, waiting until it is.");
	257	k = getrandom(buf, seed_size, 0); /* retry synchronously */
	258	}
	259	if (k < 0)
	260	log_debug_errno(errno, "Failed to read random data with getrandom(), falling back to /dev/urandom: %m");
	261	else if ((size_t) k < seed_size)
	262	log_debug("Short read from getrandom(), falling back to /dev/urandom.");
	263	else
	264	getrandom_worked = true;
	265
	266	if (!getrandom_worked) {
	267	/* Retry with classic /dev/urandom */
	268	k = loop_read(urandom_fd, buf, seed_size, false);
	269	if (k < 0)
	270	return log_error_errno(k, "Failed to read new seed from /dev/urandom: %m");
	271	if (k == 0)
	272	return log_error_errno(SYNTHETIC_ERRNO(EIO), "Got EOF while reading from /dev/urandom.");
	273	}
	274
	275	/* If we previously read in a seed file, then hash the new seed into the old one, and replace the
	276	* last 32 bytes of the seed with the hash output, so that the new seed file can't regress in
	277	* entropy. */
	278	if (hash_state) {
	279	uint8_t hash[SHA256_DIGEST_SIZE];
	280
	281	sha256_process_bytes(&k, sizeof(k), hash_state); /* Hash length to distinguish from old seed. */
	282	sha256_process_bytes(buf, k, hash_state);
	283	sha256_finish_ctx(hash_state, hash);
	284	l = MIN((size_t)k, sizeof(hash));
	285	memcpy((uint8_t *)buf + k - l, hash, l);
	286	}
287
288	r = loop_write(seed_fd, buf, (size_t) k, false);
289	if (r < 0)
290	return log_error_errno(r, "Failed to write new random seed file: %m");
291
292	if (ftruncate(seed_fd, k) < 0)
293	return log_error_errno(r, "Failed to truncate random seed file: %m");
294
295	r = fsync_full(seed_fd);
296	if (r < 0)
297	return log_error_errno(r, "Failed to synchronize seed file: %m");
298
299	/* If we got this random seed data from getrandom() the data is suitable for crediting entropy later
300	* on. Let's keep that in mind by setting an extended attribute. on the file */
301	if (getrandom_worked)
302	if (fsetxattr(seed_fd, "user.random-seed-creditable", "1", 1, 0) < 0)
303	log_full_errno(ERRNO_IS_NOT_SUPPORTED(errno) ? LOG_DEBUG : LOG_WARNING, errno,
304	"Failed to mark seed file as creditable, ignoring: %m");
305	return 0;
306	}
307
0d0c6639 FB	308	static int help(int argc, char argv[], void userdata) {
	309	_cleanup_free_ char *link = NULL;
	310	int r;
	311
	312	r = terminal_urlify_man("systemd-random-seed", "8", &link);
	313	if (r < 0)
	314	return log_oom();
	315
	316	printf("%1$s [OPTIONS...] COMMAND\n"
	317	"\n%5$sLoad and save the system random seed at boot and shutdown.%6$s\n"
	318	"\n%3$sCommands:%4$s\n"
	319	" load Load a random seed saved on disk into the kernel entropy pool\n"
	320	" save Save a new random seed on disk\n"
	321	"\n%3$sOptions:%4$s\n"
	322	" -h --help Show this help\n"
	323	" --version Show package version\n"
	324	"\nSee the %2$s for details.\n",
	325	program_invocation_short_name,
	326	link,
	327	ansi_underline(),
	328	ansi_normal(),
	329	ansi_highlight(),
	330	ansi_normal());
	331
	332	return 0;
	333	}
	334
	335	static const char* const seed_action_table[_ACTION_MAX] = {
	336	[ACTION_LOAD] = "load",
	337	[ACTION_SAVE] = "save",
	338	};
	339
	340	DEFINE_PRIVATE_STRING_TABLE_LOOKUP_FROM_STRING(seed_action, SeedAction);
	341
	342	static int parse_argv(int argc, char *argv[]) {
	343	enum {
	344	ARG_VERSION = 0x100,
	345	};
	346
	347	static const struct option options[] = {
	348	{ "help", no_argument, NULL, 'h' },
	349	{ "version", no_argument, NULL, ARG_VERSION },
	350	};
	351
	352	int c;
	353
	354	assert(argc >= 0);
	355	assert(argv);
	356
	357	while ((c = getopt_long(argc, argv, "h", options, NULL)) >= 0)
	358	switch (c) {
	359	case 'h':
	360	return help(0, NULL, NULL);
	361	case ARG_VERSION:
	362	return version();
	363	case '?':
	364	return -EINVAL;
	365
	366	default:
	367	assert_not_reached();
	368	}
	369
	370	if (optind + 1 != argc)
	371	return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "This program requires one argument.");
372
373	arg_action = seed_action_from_string(argv[optind]);
374	if (arg_action < 0)
375	return log_error_errno(arg_action, "Unknown action '%s'", argv[optind]);
376
377	return 1;
378	}
379
72d0d7a6	380	static int run(int argc, char *argv[]) {
d3fa881a	381	_cleanup_free_ struct sha256_ctx *hash_state = NULL;
ce179470	382	_cleanup_close_ int seed_fd = -1, random_fd = -1;
d3fa881a FB	383	bool read_seed_file, write_seed_file, synchronous;
d3fa881a FB	384	size_t seed_size;
ac93390b	385	int r;
6e200d55	386
d2acb93d	387	log_setup();
6e200d55	388
0d0c6639 FB	389	r = parse_argv(argc, argv);
	390	if (r <= 0)
	391	return r;
72d0d7a6	392
4c12626c LP	393	umask(0022);
4c12626c LP	394
5468d9af	395	r = mkdir_parents(RANDOM_SEED, 0755);
72d0d7a6 ZJS	396	if (r < 0)
72d0d7a6 ZJS	397	return log_error_errno(r, "Failed to create directory " RANDOM_SEED_DIR ": %m");
b56e5747	398
0d0c6639 FB	399	/* When we load the seed we read it and write it to the device and then immediately update the saved
0d0c6639 FB	400	* seed with new data, to make sure the next boot gets seeded differently. */
6e200d55	401
0d0c6639 FB	402	switch (arg_action) {
0d0c6639 FB	403	case ACTION_LOAD:
ce179470 LP	404	seed_fd = open(RANDOM_SEED, O_RDWR\|O_CLOEXEC\|O_NOCTTY\|O_CREAT, 0600);
ce179470 LP	405	if (seed_fd < 0) {
15d961bf LP	406	int open_rw_error = -errno;
15d961bf LP	407
ac93390b	408	write_seed_file = false;
8edc2d22	409
ce179470 LP	410	seed_fd = open(RANDOM_SEED, O_RDONLY\|O_CLOEXEC\|O_NOCTTY);
ce179470 LP	411	if (seed_fd < 0) {
8edc2d22	412	bool missing = errno == ENOENT;
3f6fbfe6	413	int level = missing ? LOG_DEBUG : LOG_ERR;
8edc2d22	414
3f6fbfe6 FB	415	log_full_errno(level, open_rw_error, "Failed to open " RANDOM_SEED " for writing: %m");
	416	log_full_errno(level, errno, "Failed to open " RANDOM_SEED " for reading: %m");
	417
	418	return missing ? 0 : -errno;
6e200d55	419	}
ac93390b LP	420	} else
ac93390b LP	421	write_seed_file = true;
6e200d55	422
4620c0af	423	random_fd = open("/dev/urandom", O_RDWR\|O_CLOEXEC\|O_NOCTTY);
c6127c39 LP	424	if (random_fd < 0)
c6127c39 LP	425	return log_error_errno(errno, "Failed to open /dev/urandom: %m");
6e200d55	426
ac93390b	427	read_seed_file = true;
26ded557	428	synchronous = true; /* make this invocation a synchronous barrier for random pool initialization */
0d0c6639	429	break;
6e200d55	430
0d0c6639	431	case ACTION_SAVE:
ac93390b	432	random_fd = open("/dev/urandom", O_RDONLY\|O_CLOEXEC\|O_NOCTTY);
72d0d7a6 ZJS	433	if (random_fd < 0)
72d0d7a6 ZJS	434	return log_error_errno(errno, "Failed to open /dev/urandom: %m");
ac93390b	435
ce179470	436	seed_fd = open(RANDOM_SEED, O_WRONLY\|O_CLOEXEC\|O_NOCTTY\|O_CREAT, 0600);
72d0d7a6 ZJS	437	if (seed_fd < 0)
72d0d7a6 ZJS	438	return log_error_errno(errno, "Failed to open " RANDOM_SEED ": %m");
6e200d55	439
ac93390b LP	440	read_seed_file = false;
ac93390b LP	441	write_seed_file = true;
26ded557	442	synchronous = false;
0d0c6639 FB	443	break;
	444
	445	default:
	446	assert_not_reached();
	447	}
6e200d55	448
d3fa881a	449	r = random_seed_size(seed_fd, &seed_size);
205138d8 FB	450	if (r < 0)
205138d8 FB	451	return r;
ac93390b	452
d3fa881a FB	453	if (read_seed_file)
	454	r = load_seed_file(seed_fd, random_fd, seed_size,
	455	write_seed_file ? &hash_state : NULL);
26ded557	456
d3fa881a FB	457	if (r >= 0 && write_seed_file)
d3fa881a FB	458	r = save_seed_file(seed_fd, random_fd, seed_size, synchronous, hash_state);
26ded557	459
d3fa881a	460	return r;
6e200d55	461	}
72d0d7a6 ZJS	462
72d0d7a6 ZJS	463	DEFINE_MAIN_FUNCTION(run);