[thirdparty/systemd.git] / src / random-seed / random-seed.c

/* SPDX-License-Identifier: LGPL-2.1-or-later */

#include <errno.h>
#include <fcntl.h>
#include <getopt.h>
#include <linux/random.h>
#include <sys/ioctl.h>
#if USE_SYS_RANDOM_H
#  include <sys/random.h>
#endif
#include <sys/stat.h>
#include <sys/xattr.h>
#include <unistd.h>

#include "sd-id128.h"

#include "alloc-util.h"
#include "fd-util.h"
#include "fs-util.h"
#include "io-util.h"
#include "log.h"
#include "main-func.h"
#include "missing_random.h"
#include "missing_syscall.h"
#include "mkdir.h"
#include "parse-argument.h"
#include "parse-util.h"
#include "pretty-print.h"
#include "random-util.h"
#include "string-table.h"
#include "string-util.h"
#include "strv.h"
#include "sync-util.h"
#include "sha256.h"
#include "terminal-util.h"
#include "util.h"
#include "xattr-util.h"

typedef enum SeedAction {
        ACTION_LOAD,
        ACTION_SAVE,
        _ACTION_MAX,
        _ACTION_INVALID = -EINVAL,
} SeedAction;

typedef enum CreditEntropy {
        CREDIT_ENTROPY_NO_WAY,
        CREDIT_ENTROPY_YES_PLEASE,
        CREDIT_ENTROPY_YES_FORCED,
} CreditEntropy;

static SeedAction arg_action = _ACTION_INVALID;

static CreditEntropy may_credit(int seed_fd) {
        _cleanup_free_ char *creditable = NULL;
        const char *e;
        int r;

        assert(seed_fd >= 0);

        e = getenv("SYSTEMD_RANDOM_SEED_CREDIT");
        if (!e) {
                log_debug("$SYSTEMD_RANDOM_SEED_CREDIT is not set, not crediting entropy.");
                return CREDIT_ENTROPY_NO_WAY;
        }
        if (streq(e, "force")) {
                log_debug("$SYSTEMD_RANDOM_SEED_CREDIT is set to 'force', crediting entropy.");
                return CREDIT_ENTROPY_YES_FORCED;
        }

        r = parse_boolean(e);
        if (r <= 0) {
                if (r < 0)
                        log_warning_errno(r, "Failed to parse $SYSTEMD_RANDOM_SEED_CREDIT, not crediting entropy: %m");
                else
                        log_debug("Crediting entropy is turned off via $SYSTEMD_RANDOM_SEED_CREDIT, not crediting entropy.");

                return CREDIT_ENTROPY_NO_WAY;
        }

        /* Determine if the file is marked as creditable */
        r = fgetxattr_malloc(seed_fd, "user.random-seed-creditable", &creditable);
        if (r < 0) {
                if (ERRNO_IS_XATTR_ABSENT(r))
                        log_debug_errno(r, "Seed file is not marked as creditable, not crediting.");
                else
                        log_warning_errno(r, "Failed to read extended attribute, ignoring: %m");

                return CREDIT_ENTROPY_NO_WAY;
        }

        r = parse_boolean(creditable);
        if (r <= 0) {
                if (r < 0)
                        log_warning_errno(r, "Failed to parse user.random-seed-creditable extended attribute, ignoring: %s", creditable);
                else
                        log_debug("Seed file is marked as not creditable, not crediting.");

                return CREDIT_ENTROPY_NO_WAY;
        }

        /* Don't credit the random seed if we are in first-boot mode, because we are supposed to start from
         * scratch. This is a safety precaution for cases where we people ship "golden" images with empty
         * /etc but populated /var that contains a random seed. */
        r = RET_NERRNO(access("/run/systemd/first-boot", F_OK));
        if (r == -ENOENT)
                /* All is good, we are not in first-boot mode. */
                return CREDIT_ENTROPY_YES_PLEASE;
        if (r < 0) {
                log_warning_errno(r, "Failed to check whether we are in first-boot mode, not crediting entropy: %m");
                return CREDIT_ENTROPY_NO_WAY;
        }

        log_debug("Not crediting entropy, since booted in first-boot mode.");
        return CREDIT_ENTROPY_NO_WAY;
}

static int random_seed_size(int seed_fd, size_t *ret_size) {
        struct stat st;

        assert(ret_size);
        assert(seed_fd >= 0);

        if (fstat(seed_fd, &st) < 0)
                return log_error_errno(errno, "Failed to stat() seed file " RANDOM_SEED ": %m");

        /* If the seed file is larger than what the kernel expects, then honour the existing size and
         * save/restore as much as it says */

        *ret_size = CLAMP((uint64_t)st.st_size, random_pool_size(), RANDOM_POOL_SIZE_MAX);
        return 0;
}

static int help(int argc, char *argv[], void *userdata) {
        _cleanup_free_ char *link = NULL;
        int r;

        r = terminal_urlify_man("systemd-random-seed", "8", &link);
        if (r < 0)
                return log_oom();

        printf("%1$s [OPTIONS...] COMMAND\n"
               "\n%5$sLoad and save the system random seed at boot and shutdown.%6$s\n"
               "\n%3$sCommands:%4$s\n"
               "  load                Load a random seed saved on disk into the kernel entropy pool\n"
               "  save                Save a new random seed on disk\n"
               "\n%3$sOptions:%4$s\n"
               "  -h --help           Show this help\n"
               "     --version        Show package version\n"
               "\nSee the %2$s for details.\n",
               program_invocation_short_name,
               link,
               ansi_underline(),
               ansi_normal(),
               ansi_highlight(),
               ansi_normal());

        return 0;
}

static const char* const seed_action_table[_ACTION_MAX] = {
        [ACTION_LOAD] = "load",
        [ACTION_SAVE] = "save",
};

DEFINE_PRIVATE_STRING_TABLE_LOOKUP_FROM_STRING(seed_action, SeedAction);

static int parse_argv(int argc, char *argv[]) {
        enum {
                ARG_VERSION = 0x100,
        };

        static const struct option options[] = {
                { "help",    no_argument, NULL, 'h'         },
                { "version", no_argument, NULL, ARG_VERSION },
        };

        int c;

        assert(argc >= 0);
        assert(argv);

        while ((c = getopt_long(argc, argv, "h", options, NULL)) >= 0)
                switch (c) {
                case 'h':
                        return help(0, NULL, NULL);
                case ARG_VERSION:
                        return version();
                case '?':
                        return -EINVAL;

                default:
                        assert_not_reached();
                }

        if (optind + 1 != argc)
                return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "This program requires one argument.");

        arg_action = seed_action_from_string(argv[optind]);
        if (arg_action < 0)
                return log_error_errno(arg_action, "Unknown action '%s'", argv[optind]);

        return 1;
}

static int run(int argc, char *argv[]) {
        bool read_seed_file, write_seed_file, synchronous, hashed_old_seed = false;
        _cleanup_close_ int seed_fd = -1, random_fd = -1;
        _cleanup_free_ void* buf = NULL;
        struct sha256_ctx hash_state;
        size_t buf_size;
        ssize_t k, l;
        int r;

        log_setup();

        r = parse_argv(argc, argv);
        if (r <= 0)
                return r;

        umask(0022);

        r = mkdir_parents(RANDOM_SEED, 0755);
        if (r < 0)
                return log_error_errno(r, "Failed to create directory " RANDOM_SEED_DIR ": %m");

        /* When we load the seed we read it and write it to the device and then immediately update the saved
         * seed with new data, to make sure the next boot gets seeded differently. */

        switch (arg_action) {
        case ACTION_LOAD:
                seed_fd = open(RANDOM_SEED, O_RDWR|O_CLOEXEC|O_NOCTTY|O_CREAT, 0600);
                if (seed_fd < 0) {
                        int open_rw_error = -errno;

                        write_seed_file = false;

                        seed_fd = open(RANDOM_SEED, O_RDONLY|O_CLOEXEC|O_NOCTTY);
                        if (seed_fd < 0) {
                                bool missing = errno == ENOENT;

                                log_full_errno(missing ? LOG_DEBUG : LOG_ERR,
                                               open_rw_error, "Failed to open " RANDOM_SEED " for writing: %m");
                                r = log_full_errno(missing ? LOG_DEBUG : LOG_ERR,
                                                   errno, "Failed to open " RANDOM_SEED " for reading: %m");
                                return missing ? 0 : r;
                        }
                } else
                        write_seed_file = true;

                random_fd = open("/dev/urandom", O_RDWR|O_CLOEXEC|O_NOCTTY);
                if (random_fd < 0)
                        return log_error_errno(errno, "Failed to open /dev/urandom: %m");

                read_seed_file = true;
                synchronous = true; /* make this invocation a synchronous barrier for random pool initialization */
                break;

        case ACTION_SAVE:
                random_fd = open("/dev/urandom", O_RDONLY|O_CLOEXEC|O_NOCTTY);
                if (random_fd < 0)
                        return log_error_errno(errno, "Failed to open /dev/urandom: %m");

                seed_fd = open(RANDOM_SEED, O_WRONLY|O_CLOEXEC|O_NOCTTY|O_CREAT, 0600);
                if (seed_fd < 0)
                        return log_error_errno(errno, "Failed to open " RANDOM_SEED ": %m");

                read_seed_file = false;
                write_seed_file = true;
                synchronous = false;
                break;

        default:
                assert_not_reached();
        }

        r = random_seed_size(seed_fd, &buf_size);
        if (r < 0)
                return r;

        buf = malloc(buf_size);
        if (!buf)
                return log_oom();

        if (read_seed_file) {
                sd_id128_t mid;

                /* First, let's write the machine ID into /dev/urandom, not crediting entropy. Why? As an
                 * extra protection against "golden images" that are put together sloppily, i.e. images which
                 * are duplicated on multiple systems but where the random seed file is not properly
                 * reset. Frequently the machine ID is properly reset on those systems however (simply
                 * because it's easier to notice, if it isn't due to address clashes and so on, while random
                 * seed equivalence is generally not noticed easily), hence let's simply write the machined
                 * ID into the random pool too. */
                r = sd_id128_get_machine(&mid);
                if (r < 0)
                        log_debug_errno(r, "Failed to get machine ID, ignoring: %m");
                else {
                        r = random_write_entropy(random_fd, &mid, sizeof(mid), /* credit= */ false);
                        if (r < 0)
                                log_debug_errno(r, "Failed to write machine ID to /dev/urandom, ignoring: %m");
                }

                k = loop_read(seed_fd, buf, buf_size, false);
                if (k < 0)
                        log_error_errno(k, "Failed to read seed from " RANDOM_SEED ": %m");
                else if (k == 0)
                        log_debug("Seed file " RANDOM_SEED " not yet initialized, proceeding.");
                else {
                        CreditEntropy lets_credit;

                        /* If we're going to later write out a seed file, initialize a hash state with
                         * the contents of the seed file we just read, so that the new one can't regress
                         * in entropy. */
                        if (write_seed_file) {
                                sha256_init_ctx(&hash_state);
                                sha256_process_bytes(&k, sizeof(k), &hash_state); /* Hash length to distinguish from new seed. */
                                sha256_process_bytes(buf, k, &hash_state);
                                hashed_old_seed = true;
                        }

                        (void) lseek(seed_fd, 0, SEEK_SET);

                        lets_credit = may_credit(seed_fd);

                        /* Before we credit or use the entropy, let's make sure to securely drop the
                         * creditable xattr from the file, so that we never credit the same random seed
                         * again. Note that further down we'll write a new seed again, and likely mark it as
                         * credible again, hence this is just paranoia to close the short time window between
                         * the time we upload the random seed into the kernel and download the new one from
                         * it. */

                        if (fremovexattr(seed_fd, "user.random-seed-creditable") < 0) {
                                if (!ERRNO_IS_XATTR_ABSENT(errno))
                                        log_warning_errno(errno, "Failed to remove extended attribute, ignoring: %m");

                                /* Otherwise, there was no creditable flag set, which is OK. */
                        } else {
                                r = fsync_full(seed_fd);
                                if (r < 0) {
                                        log_warning_errno(r, "Failed to synchronize seed to disk, not crediting entropy: %m");

                                        if (lets_credit == CREDIT_ENTROPY_YES_PLEASE)
                                                lets_credit = CREDIT_ENTROPY_NO_WAY;
                                }
                        }

                        r = random_write_entropy(random_fd, buf, k,
                                                 IN_SET(lets_credit, CREDIT_ENTROPY_YES_PLEASE, CREDIT_ENTROPY_YES_FORCED));
                        if (r < 0)
                                log_error_errno(r, "Failed to write seed to /dev/urandom: %m");
                }
        }

        if (write_seed_file) {
                bool getrandom_worked = false;

                /* This is just a safety measure. Given that we are root and most likely created the file
                 * ourselves the mode and owner should be correct anyway. */
                r = fchmod_and_chown(seed_fd, 0600, 0, 0);
                if (r < 0)
                        return log_error_errno(r, "Failed to adjust seed file ownership and access mode: %m");

                /* Let's make this whole job asynchronous, i.e. let's make ourselves a barrier for
                 * proper initialization of the random pool. */
                k = getrandom(buf, buf_size, GRND_NONBLOCK);
                if (k < 0 && errno == EAGAIN && synchronous) {
                        log_notice("Kernel entropy pool is not initialized yet, waiting until it is.");
                        k = getrandom(buf, buf_size, 0); /* retry synchronously */
                }
                if (k < 0)
                        log_debug_errno(errno, "Failed to read random data with getrandom(), falling back to /dev/urandom: %m");
                else if ((size_t) k < buf_size)
                        log_debug("Short read from getrandom(), falling back to /dev/urandom.");
                else
                        getrandom_worked = true;

                if (!getrandom_worked) {
                        /* Retry with classic /dev/urandom */
                        k = loop_read(random_fd, buf, buf_size, false);
                        if (k < 0)
                                return log_error_errno(k, "Failed to read new seed from /dev/urandom: %m");
                        if (k == 0)
                                return log_error_errno(SYNTHETIC_ERRNO(EIO),
                                                       "Got EOF while reading from /dev/urandom.");
                }

                /* If we previously read in a seed file, then hash the new seed into the old one,
                 * and replace the last 32 bytes of the seed with the hash output, so that the
                 * new seed file can't regress in entropy. */
                if (hashed_old_seed) {
                        uint8_t hash[SHA256_DIGEST_SIZE];
                        sha256_process_bytes(&k, sizeof(k), &hash_state); /* Hash length to distinguish from old seed. */
                        sha256_process_bytes(buf, k, &hash_state);
                        sha256_finish_ctx(&hash_state, hash);
                        l = MIN((size_t)k, sizeof(hash));
                        memcpy((uint8_t *)buf + k - l, hash, l);
                }

                r = loop_write(seed_fd, buf, (size_t) k, false);
                if (r < 0)
                        return log_error_errno(r, "Failed to write new random seed file: %m");

                if (ftruncate(seed_fd, k) < 0)
                        return log_error_errno(r, "Failed to truncate random seed file: %m");

                r = fsync_full(seed_fd);
                if (r < 0)
                        return log_error_errno(r, "Failed to synchronize seed file: %m");

                /* If we got this random seed data from getrandom() the data is suitable for crediting
                 * entropy later on. Let's keep that in mind by setting an extended attribute. on the file */
                if (getrandom_worked)
                        if (fsetxattr(seed_fd, "user.random-seed-creditable", "1", 1, 0) < 0)
                                log_full_errno(ERRNO_IS_NOT_SUPPORTED(errno) ? LOG_DEBUG : LOG_WARNING, errno,
                                               "Failed to mark seed file as creditable, ignoring: %m");
        }

        return 0;
}

DEFINE_MAIN_FUNCTION(run);
Commit	Line	Data
	1	/* SPDX-License-Identifier: LGPL-2.1-or-later */
	2
	3	#include <errno.h>
	4	#include <fcntl.h>
	5	#include <getopt.h>
	6	#include <linux/random.h>
	7	#include <sys/ioctl.h>
	8	#if USE_SYS_RANDOM_H
	9	# include <sys/random.h>
	10	#endif
	11	#include <sys/stat.h>
	12	#include <sys/xattr.h>
	13	#include <unistd.h>
	14
	15	#include "sd-id128.h"
	16
	17	#include "alloc-util.h"
	18	#include "fd-util.h"
	19	#include "fs-util.h"
	20	#include "io-util.h"
	21	#include "log.h"
	22	#include "main-func.h"
	23	#include "missing_random.h"
	24	#include "missing_syscall.h"
	25	#include "mkdir.h"
	26	#include "parse-argument.h"
	27	#include "parse-util.h"
	28	#include "pretty-print.h"
	29	#include "random-util.h"
	30	#include "string-table.h"
	31	#include "string-util.h"
	32	#include "strv.h"
	33	#include "sync-util.h"
	34	#include "sha256.h"
	35	#include "terminal-util.h"
	36	#include "util.h"
	37	#include "xattr-util.h"
	38
	39	typedef enum SeedAction {
	40	ACTION_LOAD,
	41	ACTION_SAVE,
	42	_ACTION_MAX,
	43	_ACTION_INVALID = -EINVAL,
	44	} SeedAction;
	45
	46	typedef enum CreditEntropy {
	47	CREDIT_ENTROPY_NO_WAY,
	48	CREDIT_ENTROPY_YES_PLEASE,
	49	CREDIT_ENTROPY_YES_FORCED,
	50	} CreditEntropy;
	51
	52	static SeedAction arg_action = _ACTION_INVALID;
	53
	54	static CreditEntropy may_credit(int seed_fd) {
	55	_cleanup_free_ char *creditable = NULL;
	56	const char *e;
	57	int r;
	58
	59	assert(seed_fd >= 0);
	60
	61	e = getenv("SYSTEMD_RANDOM_SEED_CREDIT");
	62	if (!e) {
	63	log_debug("$SYSTEMD_RANDOM_SEED_CREDIT is not set, not crediting entropy.");
	64	return CREDIT_ENTROPY_NO_WAY;
	65	}
	66	if (streq(e, "force")) {
	67	log_debug("$SYSTEMD_RANDOM_SEED_CREDIT is set to 'force', crediting entropy.");
	68	return CREDIT_ENTROPY_YES_FORCED;
	69	}
	70
	71	r = parse_boolean(e);
	72	if (r <= 0) {
	73	if (r < 0)
	74	log_warning_errno(r, "Failed to parse $SYSTEMD_RANDOM_SEED_CREDIT, not crediting entropy: %m");
	75	else
	76	log_debug("Crediting entropy is turned off via $SYSTEMD_RANDOM_SEED_CREDIT, not crediting entropy.");
	77
	78	return CREDIT_ENTROPY_NO_WAY;
	79	}
	80
	81	/* Determine if the file is marked as creditable */
	82	r = fgetxattr_malloc(seed_fd, "user.random-seed-creditable", &creditable);
	83	if (r < 0) {
	84	if (ERRNO_IS_XATTR_ABSENT(r))
	85	log_debug_errno(r, "Seed file is not marked as creditable, not crediting.");
	86	else
	87	log_warning_errno(r, "Failed to read extended attribute, ignoring: %m");
	88
	89	return CREDIT_ENTROPY_NO_WAY;
	90	}
	91
	92	r = parse_boolean(creditable);
	93	if (r <= 0) {
	94	if (r < 0)
	95	log_warning_errno(r, "Failed to parse user.random-seed-creditable extended attribute, ignoring: %s", creditable);
	96	else
	97	log_debug("Seed file is marked as not creditable, not crediting.");
	98
	99	return CREDIT_ENTROPY_NO_WAY;
	100	}
	101
	102	/* Don't credit the random seed if we are in first-boot mode, because we are supposed to start from
	103	* scratch. This is a safety precaution for cases where we people ship "golden" images with empty
	104	* /etc but populated /var that contains a random seed. */
	105	r = RET_NERRNO(access("/run/systemd/first-boot", F_OK));
	106	if (r == -ENOENT)
	107	/* All is good, we are not in first-boot mode. */
	108	return CREDIT_ENTROPY_YES_PLEASE;
	109	if (r < 0) {
	110	log_warning_errno(r, "Failed to check whether we are in first-boot mode, not crediting entropy: %m");
	111	return CREDIT_ENTROPY_NO_WAY;
	112	}
	113
	114	log_debug("Not crediting entropy, since booted in first-boot mode.");
	115	return CREDIT_ENTROPY_NO_WAY;
	116	}
	117
	118	static int random_seed_size(int seed_fd, size_t *ret_size) {
	119	struct stat st;
	120
	121	assert(ret_size);
	122	assert(seed_fd >= 0);
	123
	124	if (fstat(seed_fd, &st) < 0)
	125	return log_error_errno(errno, "Failed to stat() seed file " RANDOM_SEED ": %m");
	126
	127	/* If the seed file is larger than what the kernel expects, then honour the existing size and
	128	* save/restore as much as it says */
	129
	130	*ret_size = CLAMP((uint64_t)st.st_size, random_pool_size(), RANDOM_POOL_SIZE_MAX);
	131	return 0;
	132	}
	133
	134	static int help(int argc, char argv[], void userdata) {
	135	_cleanup_free_ char *link = NULL;
	136	int r;
	137
	138	r = terminal_urlify_man("systemd-random-seed", "8", &link);
	139	if (r < 0)
	140	return log_oom();
	141
	142	printf("%1$s [OPTIONS...] COMMAND\n"
	143	"\n%5$sLoad and save the system random seed at boot and shutdown.%6$s\n"
	144	"\n%3$sCommands:%4$s\n"
	145	" load Load a random seed saved on disk into the kernel entropy pool\n"
	146	" save Save a new random seed on disk\n"
	147	"\n%3$sOptions:%4$s\n"
	148	" -h --help Show this help\n"
	149	" --version Show package version\n"
	150	"\nSee the %2$s for details.\n",
	151	program_invocation_short_name,
	152	link,
	153	ansi_underline(),
	154	ansi_normal(),
	155	ansi_highlight(),
	156	ansi_normal());
	157
	158	return 0;
	159	}
	160
	161	static const char* const seed_action_table[_ACTION_MAX] = {
	162	[ACTION_LOAD] = "load",
	163	[ACTION_SAVE] = "save",
	164	};
	165
	166	DEFINE_PRIVATE_STRING_TABLE_LOOKUP_FROM_STRING(seed_action, SeedAction);
	167
	168	static int parse_argv(int argc, char *argv[]) {
	169	enum {
	170	ARG_VERSION = 0x100,
	171	};
	172
	173	static const struct option options[] = {
	174	{ "help", no_argument, NULL, 'h' },
	175	{ "version", no_argument, NULL, ARG_VERSION },
	176	};
	177
	178	int c;
	179
	180	assert(argc >= 0);
	181	assert(argv);
	182
	183	while ((c = getopt_long(argc, argv, "h", options, NULL)) >= 0)
	184	switch (c) {
	185	case 'h':
	186	return help(0, NULL, NULL);
	187	case ARG_VERSION:
	188	return version();
	189	case '?':
	190	return -EINVAL;
	191
	192	default:
	193	assert_not_reached();
	194	}
	195
	196	if (optind + 1 != argc)
	197	return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "This program requires one argument.");
	198
	199	arg_action = seed_action_from_string(argv[optind]);
	200	if (arg_action < 0)
	201	return log_error_errno(arg_action, "Unknown action '%s'", argv[optind]);
	202
	203	return 1;
	204	}
	205
	206	static int run(int argc, char *argv[]) {
	207	bool read_seed_file, write_seed_file, synchronous, hashed_old_seed = false;
	208	_cleanup_close_ int seed_fd = -1, random_fd = -1;
	209	_cleanup_free_ void* buf = NULL;
	210	struct sha256_ctx hash_state;
	211	size_t buf_size;
	212	ssize_t k, l;
	213	int r;
	214
	215	log_setup();
	216
	217	r = parse_argv(argc, argv);
	218	if (r <= 0)
	219	return r;
	220
	221	umask(0022);
	222
	223	r = mkdir_parents(RANDOM_SEED, 0755);
	224	if (r < 0)
	225	return log_error_errno(r, "Failed to create directory " RANDOM_SEED_DIR ": %m");
	226
	227	/* When we load the seed we read it and write it to the device and then immediately update the saved
	228	* seed with new data, to make sure the next boot gets seeded differently. */
	229
	230	switch (arg_action) {
	231	case ACTION_LOAD:
	232	seed_fd = open(RANDOM_SEED, O_RDWR\|O_CLOEXEC\|O_NOCTTY\|O_CREAT, 0600);
	233	if (seed_fd < 0) {
	234	int open_rw_error = -errno;
	235
	236	write_seed_file = false;
	237
	238	seed_fd = open(RANDOM_SEED, O_RDONLY\|O_CLOEXEC\|O_NOCTTY);
	239	if (seed_fd < 0) {
	240	bool missing = errno == ENOENT;
	241
	242	log_full_errno(missing ? LOG_DEBUG : LOG_ERR,
	243	open_rw_error, "Failed to open " RANDOM_SEED " for writing: %m");
	244	r = log_full_errno(missing ? LOG_DEBUG : LOG_ERR,
	245	errno, "Failed to open " RANDOM_SEED " for reading: %m");
	246	return missing ? 0 : r;
	247	}
	248	} else
	249	write_seed_file = true;
	250
	251	random_fd = open("/dev/urandom", O_RDWR\|O_CLOEXEC\|O_NOCTTY);
	252	if (random_fd < 0)
	253	return log_error_errno(errno, "Failed to open /dev/urandom: %m");
	254
	255	read_seed_file = true;
	256	synchronous = true; /* make this invocation a synchronous barrier for random pool initialization */
	257	break;
	258
	259	case ACTION_SAVE:
	260	random_fd = open("/dev/urandom", O_RDONLY\|O_CLOEXEC\|O_NOCTTY);
	261	if (random_fd < 0)
	262	return log_error_errno(errno, "Failed to open /dev/urandom: %m");
	263
	264	seed_fd = open(RANDOM_SEED, O_WRONLY\|O_CLOEXEC\|O_NOCTTY\|O_CREAT, 0600);
	265	if (seed_fd < 0)
	266	return log_error_errno(errno, "Failed to open " RANDOM_SEED ": %m");
	267
	268	read_seed_file = false;
	269	write_seed_file = true;
	270	synchronous = false;
	271	break;
	272
	273	default:
	274	assert_not_reached();
	275	}
	276
	277	r = random_seed_size(seed_fd, &buf_size);
	278	if (r < 0)
	279	return r;
	280
	281	buf = malloc(buf_size);
	282	if (!buf)
	283	return log_oom();
	284
	285	if (read_seed_file) {
	286	sd_id128_t mid;
	287
	288	/* First, let's write the machine ID into /dev/urandom, not crediting entropy. Why? As an
	289	* extra protection against "golden images" that are put together sloppily, i.e. images which
	290	* are duplicated on multiple systems but where the random seed file is not properly
	291	* reset. Frequently the machine ID is properly reset on those systems however (simply
	292	* because it's easier to notice, if it isn't due to address clashes and so on, while random
	293	* seed equivalence is generally not noticed easily), hence let's simply write the machined
	294	* ID into the random pool too. */
	295	r = sd_id128_get_machine(&mid);
	296	if (r < 0)
	297	log_debug_errno(r, "Failed to get machine ID, ignoring: %m");
	298	else {
	299	r = random_write_entropy(random_fd, &mid, sizeof(mid), /* credit= */ false);
	300	if (r < 0)
	301	log_debug_errno(r, "Failed to write machine ID to /dev/urandom, ignoring: %m");
	302	}
	303
	304	k = loop_read(seed_fd, buf, buf_size, false);
	305	if (k < 0)
	306	log_error_errno(k, "Failed to read seed from " RANDOM_SEED ": %m");
	307	else if (k == 0)
	308	log_debug("Seed file " RANDOM_SEED " not yet initialized, proceeding.");
	309	else {
	310	CreditEntropy lets_credit;
	311
	312	/* If we're going to later write out a seed file, initialize a hash state with
	313	* the contents of the seed file we just read, so that the new one can't regress
	314	* in entropy. */
	315	if (write_seed_file) {
	316	sha256_init_ctx(&hash_state);
	317	sha256_process_bytes(&k, sizeof(k), &hash_state); /* Hash length to distinguish from new seed. */
	318	sha256_process_bytes(buf, k, &hash_state);
	319	hashed_old_seed = true;
	320	}
	321
	322	(void) lseek(seed_fd, 0, SEEK_SET);
	323
	324	lets_credit = may_credit(seed_fd);
	325
	326	/* Before we credit or use the entropy, let's make sure to securely drop the
	327	* creditable xattr from the file, so that we never credit the same random seed
	328	* again. Note that further down we'll write a new seed again, and likely mark it as
	329	* credible again, hence this is just paranoia to close the short time window between
	330	* the time we upload the random seed into the kernel and download the new one from
	331	* it. */
	332
	333	if (fremovexattr(seed_fd, "user.random-seed-creditable") < 0) {
	334	if (!ERRNO_IS_XATTR_ABSENT(errno))
	335	log_warning_errno(errno, "Failed to remove extended attribute, ignoring: %m");
	336
	337	/* Otherwise, there was no creditable flag set, which is OK. */
	338	} else {
	339	r = fsync_full(seed_fd);
	340	if (r < 0) {
	341	log_warning_errno(r, "Failed to synchronize seed to disk, not crediting entropy: %m");
	342
	343	if (lets_credit == CREDIT_ENTROPY_YES_PLEASE)
	344	lets_credit = CREDIT_ENTROPY_NO_WAY;
	345	}
	346	}
	347
	348	r = random_write_entropy(random_fd, buf, k,
	349	IN_SET(lets_credit, CREDIT_ENTROPY_YES_PLEASE, CREDIT_ENTROPY_YES_FORCED));
	350	if (r < 0)
	351	log_error_errno(r, "Failed to write seed to /dev/urandom: %m");
	352	}
	353	}
	354
	355	if (write_seed_file) {
	356	bool getrandom_worked = false;
	357
	358	/* This is just a safety measure. Given that we are root and most likely created the file
	359	* ourselves the mode and owner should be correct anyway. */
	360	r = fchmod_and_chown(seed_fd, 0600, 0, 0);
	361	if (r < 0)
	362	return log_error_errno(r, "Failed to adjust seed file ownership and access mode: %m");
	363
	364	/* Let's make this whole job asynchronous, i.e. let's make ourselves a barrier for
	365	* proper initialization of the random pool. */
	366	k = getrandom(buf, buf_size, GRND_NONBLOCK);
	367	if (k < 0 && errno == EAGAIN && synchronous) {
	368	log_notice("Kernel entropy pool is not initialized yet, waiting until it is.");
	369	k = getrandom(buf, buf_size, 0); /* retry synchronously */
	370	}
	371	if (k < 0)
	372	log_debug_errno(errno, "Failed to read random data with getrandom(), falling back to /dev/urandom: %m");
	373	else if ((size_t) k < buf_size)
	374	log_debug("Short read from getrandom(), falling back to /dev/urandom.");
	375	else
	376	getrandom_worked = true;
	377
	378	if (!getrandom_worked) {
	379	/* Retry with classic /dev/urandom */
	380	k = loop_read(random_fd, buf, buf_size, false);
	381	if (k < 0)
	382	return log_error_errno(k, "Failed to read new seed from /dev/urandom: %m");
	383	if (k == 0)
	384	return log_error_errno(SYNTHETIC_ERRNO(EIO),
	385	"Got EOF while reading from /dev/urandom.");
	386	}
	387
	388	/* If we previously read in a seed file, then hash the new seed into the old one,
	389	* and replace the last 32 bytes of the seed with the hash output, so that the
	390	* new seed file can't regress in entropy. */
	391	if (hashed_old_seed) {
	392	uint8_t hash[SHA256_DIGEST_SIZE];
	393	sha256_process_bytes(&k, sizeof(k), &hash_state); /* Hash length to distinguish from old seed. */
	394	sha256_process_bytes(buf, k, &hash_state);
	395	sha256_finish_ctx(&hash_state, hash);
	396	l = MIN((size_t)k, sizeof(hash));
	397	memcpy((uint8_t *)buf + k - l, hash, l);
	398	}
	399
	400	r = loop_write(seed_fd, buf, (size_t) k, false);
	401	if (r < 0)
	402	return log_error_errno(r, "Failed to write new random seed file: %m");
	403
	404	if (ftruncate(seed_fd, k) < 0)
	405	return log_error_errno(r, "Failed to truncate random seed file: %m");
	406
	407	r = fsync_full(seed_fd);
	408	if (r < 0)
	409	return log_error_errno(r, "Failed to synchronize seed file: %m");
	410
	411	/* If we got this random seed data from getrandom() the data is suitable for crediting
	412	* entropy later on. Let's keep that in mind by setting an extended attribute. on the file */
	413	if (getrandom_worked)
	414	if (fsetxattr(seed_fd, "user.random-seed-creditable", "1", 1, 0) < 0)
	415	log_full_errno(ERRNO_IS_NOT_SUPPORTED(errno) ? LOG_DEBUG : LOG_WARNING, errno,
	416	"Failed to mark seed file as creditable, ignoring: %m");
	417	}
	418
	419	return 0;
	420	}
	421
	422	DEFINE_MAIN_FUNCTION(run);