1 /* SPDX-License-Identifier: LGPL-2.1-or-later */
5 #include <linux/random.h>
8 # include <sys/random.h>
11 #include <sys/xattr.h>
16 #include "alloc-util.h"
21 #include "main-func.h"
22 #include "missing_random.h"
23 #include "missing_syscall.h"
25 #include "parse-util.h"
26 #include "random-util.h"
27 #include "string-util.h"
29 #include "xattr-util.h"
31 typedef enum CreditEntropy
{
32 CREDIT_ENTROPY_NO_WAY
,
33 CREDIT_ENTROPY_YES_PLEASE
,
34 CREDIT_ENTROPY_YES_FORCED
,
37 static CreditEntropy
may_credit(int seed_fd
) {
38 _cleanup_free_
char *creditable
= NULL
;
44 e
= getenv("SYSTEMD_RANDOM_SEED_CREDIT");
46 log_debug("$SYSTEMD_RANDOM_SEED_CREDIT is not set, not crediting entropy.");
47 return CREDIT_ENTROPY_NO_WAY
;
49 if (streq(e
, "force")) {
50 log_debug("$SYSTEMD_RANDOM_SEED_CREDIT is set to 'force', crediting entropy.");
51 return CREDIT_ENTROPY_YES_FORCED
;
57 log_warning_errno(r
, "Failed to parse $SYSTEMD_RANDOM_SEED_CREDIT, not crediting entropy: %m");
59 log_debug("Crediting entropy is turned off via $SYSTEMD_RANDOM_SEED_CREDIT, not crediting entropy.");
61 return CREDIT_ENTROPY_NO_WAY
;
64 /* Determine if the file is marked as creditable */
65 r
= fgetxattr_malloc(seed_fd
, "user.random-seed-creditable", &creditable
);
67 if (IN_SET(r
, -ENODATA
, -ENOSYS
, -EOPNOTSUPP
))
68 log_debug_errno(r
, "Seed file is not marked as creditable, not crediting.");
70 log_warning_errno(r
, "Failed to read extended attribute, ignoring: %m");
72 return CREDIT_ENTROPY_NO_WAY
;
75 r
= parse_boolean(creditable
);
78 log_warning_errno(r
, "Failed to parse user.random-seed-creditable extended attribute, ignoring: %s", creditable
);
80 log_debug("Seed file is marked as not creditable, not crediting.");
82 return CREDIT_ENTROPY_NO_WAY
;
85 /* Don't credit the random seed if we are in first-boot mode, because we are supposed to start from
86 * scratch. This is a safety precaution for cases where we people ship "golden" images with empty
87 * /etc but populated /var that contains a random seed. */
88 if (access("/run/systemd/first-boot", F_OK
) < 0) {
90 if (errno
!= ENOENT
) {
91 log_warning_errno(errno
, "Failed to check whether we are in first-boot mode, not crediting entropy: %m");
92 return CREDIT_ENTROPY_NO_WAY
;
95 /* If ENOENT all is good, we are not in first-boot mode. */
97 log_debug("Not crediting entropy, since booted in first-boot mode.");
98 return CREDIT_ENTROPY_NO_WAY
;
101 return CREDIT_ENTROPY_YES_PLEASE
;
104 static int run(int argc
, char *argv
[]) {
105 _cleanup_close_
int seed_fd
= -1, random_fd
= -1;
106 bool read_seed_file
, write_seed_file
, synchronous
;
107 _cleanup_free_
void* buf
= NULL
;
116 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
),
117 "This program requires one argument.");
121 buf_size
= random_pool_size();
123 r
= mkdir_parents(RANDOM_SEED
, 0755);
125 return log_error_errno(r
, "Failed to create directory " RANDOM_SEED_DIR
": %m");
127 /* When we load the seed we read it and write it to the device and then immediately update the saved seed with
128 * new data, to make sure the next boot gets seeded differently. */
130 if (streq(argv
[1], "load")) {
132 seed_fd
= open(RANDOM_SEED
, O_RDWR
|O_CLOEXEC
|O_NOCTTY
|O_CREAT
, 0600);
134 int open_rw_error
= -errno
;
136 write_seed_file
= false;
138 seed_fd
= open(RANDOM_SEED
, O_RDONLY
|O_CLOEXEC
|O_NOCTTY
);
140 bool missing
= errno
== ENOENT
;
142 log_full_errno(missing
? LOG_DEBUG
: LOG_ERR
,
143 open_rw_error
, "Failed to open " RANDOM_SEED
" for writing: %m");
144 r
= log_full_errno(missing
? LOG_DEBUG
: LOG_ERR
,
145 errno
, "Failed to open " RANDOM_SEED
" for reading: %m");
146 return missing
? 0 : r
;
149 write_seed_file
= true;
151 random_fd
= open("/dev/urandom", O_RDWR
|O_CLOEXEC
|O_NOCTTY
, 0600);
153 return log_error_errno(errno
, "Failed to open /dev/urandom: %m");
155 read_seed_file
= true;
156 synchronous
= true; /* make this invocation a synchronous barrier for random pool initialization */
158 } else if (streq(argv
[1], "save")) {
160 random_fd
= open("/dev/urandom", O_RDONLY
|O_CLOEXEC
|O_NOCTTY
);
162 return log_error_errno(errno
, "Failed to open /dev/urandom: %m");
164 seed_fd
= open(RANDOM_SEED
, O_WRONLY
|O_CLOEXEC
|O_NOCTTY
|O_CREAT
, 0600);
166 return log_error_errno(errno
, "Failed to open " RANDOM_SEED
": %m");
168 read_seed_file
= false;
169 write_seed_file
= true;
172 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
),
173 "Unknown verb '%s'.", argv
[1]);
175 if (fstat(seed_fd
, &st
) < 0)
176 return log_error_errno(errno
, "Failed to stat() seed file " RANDOM_SEED
": %m");
178 /* If the seed file is larger than what we expect, then honour the existing size and save/restore as much as it says */
179 if ((uint64_t) st
.st_size
> buf_size
)
180 buf_size
= MIN(st
.st_size
, RANDOM_POOL_SIZE_MAX
);
182 buf
= malloc(buf_size
);
186 if (read_seed_file
) {
189 /* First, let's write the machine ID into /dev/urandom, not crediting entropy. Why? As an
190 * extra protection against "golden images" that are put together sloppily, i.e. images which
191 * are duplicated on multiple systems but where the random seed file is not properly
192 * reset. Frequently the machine ID is properly reset on those systems however (simply
193 * because it's easier to notice, if it isn't due to address clashes and so on, while random
194 * seed equivalence is generally not noticed easily), hence let's simply write the machined
195 * ID into the random pool too. */
196 r
= sd_id128_get_machine(&mid
);
198 log_debug_errno(r
, "Failed to get machine ID, ignoring: %m");
200 r
= loop_write(random_fd
, &mid
, sizeof(mid
), false);
202 log_debug_errno(r
, "Failed to write machine ID to /dev/urandom, ignoring: %m");
205 k
= loop_read(seed_fd
, buf
, buf_size
, false);
207 log_error_errno(k
, "Failed to read seed from " RANDOM_SEED
": %m");
209 log_debug("Seed file " RANDOM_SEED
" not yet initialized, proceeding.");
211 CreditEntropy lets_credit
;
213 (void) lseek(seed_fd
, 0, SEEK_SET
);
215 lets_credit
= may_credit(seed_fd
);
217 /* Before we credit or use the entropy, let's make sure to securely drop the
218 * creditable xattr from the file, so that we never credit the same random seed
219 * again. Note that further down we'll write a new seed again, and likely mark it as
220 * credible again, hence this is just paranoia to close the short time window between
221 * the time we upload the random seed into the kernel and download the new one from
224 if (fremovexattr(seed_fd
, "user.random-seed-creditable") < 0) {
225 if (!IN_SET(errno
, ENODATA
, ENOSYS
, EOPNOTSUPP
))
226 log_warning_errno(errno
, "Failed to remove extended attribute, ignoring: %m");
228 /* Otherwise, there was no creditable flag set, which is OK. */
230 r
= fsync_full(seed_fd
);
232 log_warning_errno(r
, "Failed to synchronize seed to disk, not crediting entropy: %m");
234 if (lets_credit
== CREDIT_ENTROPY_YES_PLEASE
)
235 lets_credit
= CREDIT_ENTROPY_NO_WAY
;
239 r
= random_write_entropy(random_fd
, buf
, k
,
240 IN_SET(lets_credit
, CREDIT_ENTROPY_YES_PLEASE
, CREDIT_ENTROPY_YES_FORCED
));
242 log_error_errno(r
, "Failed to write seed to /dev/urandom: %m");
246 if (write_seed_file
) {
247 bool getrandom_worked
= false;
249 /* This is just a safety measure. Given that we are root and most likely created the file
250 * ourselves the mode and owner should be correct anyway. */
251 r
= fchmod_and_chown(seed_fd
, 0600, 0, 0);
253 return log_error_errno(r
, "Failed to adjust seed file ownership and access mode.");
255 /* Let's make this whole job asynchronous, i.e. let's make ourselves a barrier for
256 * proper initialization of the random pool. */
257 k
= getrandom(buf
, buf_size
, GRND_NONBLOCK
);
258 if (k
< 0 && errno
== EAGAIN
&& synchronous
) {
259 log_notice("Kernel entropy pool is not initialized yet, waiting until it is.");
260 k
= getrandom(buf
, buf_size
, 0); /* retry synchronously */
263 log_debug_errno(errno
, "Failed to read random data with getrandom(), falling back to /dev/urandom: %m");
264 else if ((size_t) k
< buf_size
)
265 log_debug("Short read from getrandom(), falling back to /dev/urandom: %m");
267 getrandom_worked
= true;
269 if (!getrandom_worked
) {
270 /* Retry with classic /dev/urandom */
271 k
= loop_read(random_fd
, buf
, buf_size
, false);
273 return log_error_errno(k
, "Failed to read new seed from /dev/urandom: %m");
275 return log_error_errno(SYNTHETIC_ERRNO(EIO
),
276 "Got EOF while reading from /dev/urandom.");
279 r
= loop_write(seed_fd
, buf
, (size_t) k
, false);
281 return log_error_errno(r
, "Failed to write new random seed file: %m");
283 if (ftruncate(seed_fd
, k
) < 0)
284 return log_error_errno(r
, "Failed to truncate random seed file: %m");
286 r
= fsync_full(seed_fd
);
288 return log_error_errno(r
, "Failed to synchronize seed file: %m");
290 /* If we got this random seed data from getrandom() the data is suitable for crediting
291 * entropy later on. Let's keep that in mind by setting an extended attribute. on the file */
292 if (getrandom_worked
)
293 if (fsetxattr(seed_fd
, "user.random-seed-creditable", "1", 1, 0) < 0)
294 log_full_errno(ERRNO_IS_NOT_SUPPORTED(errno
) ? LOG_DEBUG
: LOG_WARNING
, errno
,
295 "Failed to mark seed file as creditable, ignoring: %m");
301 DEFINE_MAIN_FUNCTION(run
);