[thirdparty/systemd.git] / src / random-seed / random-seed.c

/* SPDX-License-Identifier: LGPL-2.1-or-later */

#include <errno.h>
#include <fcntl.h>
#include <linux/random.h>
#include <sys/ioctl.h>
#if USE_SYS_RANDOM_H
#  include <sys/random.h>
#endif
#include <sys/stat.h>
#include <sys/xattr.h>
#include <unistd.h>

#include "sd-id128.h"

#include "alloc-util.h"
#include "fd-util.h"
#include "fs-util.h"
#include "io-util.h"
#include "log.h"
#include "main-func.h"
#include "missing_random.h"
#include "missing_syscall.h"
#include "mkdir.h"
#include "parse-util.h"
#include "random-util.h"
#include "string-util.h"
#include "sync-util.h"
#include "sha256.h"
#include "util.h"
#include "xattr-util.h"

typedef enum CreditEntropy {
        CREDIT_ENTROPY_NO_WAY,
        CREDIT_ENTROPY_YES_PLEASE,
        CREDIT_ENTROPY_YES_FORCED,
} CreditEntropy;

static CreditEntropy may_credit(int seed_fd) {
        _cleanup_free_ char *creditable = NULL;
        const char *e;
        int r;

        assert(seed_fd >= 0);

        e = getenv("SYSTEMD_RANDOM_SEED_CREDIT");
        if (!e) {
                log_debug("$SYSTEMD_RANDOM_SEED_CREDIT is not set, not crediting entropy.");
                return CREDIT_ENTROPY_NO_WAY;
        }
        if (streq(e, "force")) {
                log_debug("$SYSTEMD_RANDOM_SEED_CREDIT is set to 'force', crediting entropy.");
                return CREDIT_ENTROPY_YES_FORCED;
        }

        r = parse_boolean(e);
        if (r <= 0) {
                if (r < 0)
                        log_warning_errno(r, "Failed to parse $SYSTEMD_RANDOM_SEED_CREDIT, not crediting entropy: %m");
                else
                        log_debug("Crediting entropy is turned off via $SYSTEMD_RANDOM_SEED_CREDIT, not crediting entropy.");

                return CREDIT_ENTROPY_NO_WAY;
        }

        /* Determine if the file is marked as creditable */
        r = fgetxattr_malloc(seed_fd, "user.random-seed-creditable", &creditable);
        if (r < 0) {
                if (ERRNO_IS_XATTR_ABSENT(r))
                        log_debug_errno(r, "Seed file is not marked as creditable, not crediting.");
                else
                        log_warning_errno(r, "Failed to read extended attribute, ignoring: %m");

                return CREDIT_ENTROPY_NO_WAY;
        }

        r = parse_boolean(creditable);
        if (r <= 0) {
                if (r < 0)
                        log_warning_errno(r, "Failed to parse user.random-seed-creditable extended attribute, ignoring: %s", creditable);
                else
                        log_debug("Seed file is marked as not creditable, not crediting.");

                return CREDIT_ENTROPY_NO_WAY;
        }

        /* Don't credit the random seed if we are in first-boot mode, because we are supposed to start from
         * scratch. This is a safety precaution for cases where we people ship "golden" images with empty
         * /etc but populated /var that contains a random seed. */
        r = RET_NERRNO(access("/run/systemd/first-boot", F_OK));
        if (r == -ENOENT)
                /* All is good, we are not in first-boot mode. */
                return CREDIT_ENTROPY_YES_PLEASE;
        if (r < 0) {
                log_warning_errno(r, "Failed to check whether we are in first-boot mode, not crediting entropy: %m");
                return CREDIT_ENTROPY_NO_WAY;
        }

        log_debug("Not crediting entropy, since booted in first-boot mode.");
        return CREDIT_ENTROPY_NO_WAY;
}

static int run(int argc, char *argv[]) {
        bool read_seed_file, write_seed_file, synchronous, hashed_old_seed = false;
        _cleanup_close_ int seed_fd = -1, random_fd = -1;
        _cleanup_free_ void* buf = NULL;
        struct sha256_ctx hash_state;
        size_t buf_size;
        struct stat st;
        ssize_t k, l;
        int r;

        log_setup();

        if (argc != 2)
                return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
                                       "This program requires one argument.");

        umask(0022);

        buf_size = random_pool_size();

        r = mkdir_parents(RANDOM_SEED, 0755);
        if (r < 0)
                return log_error_errno(r, "Failed to create directory " RANDOM_SEED_DIR ": %m");

        /* When we load the seed we read it and write it to the device and then immediately update the saved seed with
         * new data, to make sure the next boot gets seeded differently. */

        if (streq(argv[1], "load")) {

                seed_fd = open(RANDOM_SEED, O_RDWR|O_CLOEXEC|O_NOCTTY|O_CREAT, 0600);
                if (seed_fd < 0) {
                        int open_rw_error = -errno;

                        write_seed_file = false;

                        seed_fd = open(RANDOM_SEED, O_RDONLY|O_CLOEXEC|O_NOCTTY);
                        if (seed_fd < 0) {
                                bool missing = errno == ENOENT;

                                log_full_errno(missing ? LOG_DEBUG : LOG_ERR,
                                               open_rw_error, "Failed to open " RANDOM_SEED " for writing: %m");
                                r = log_full_errno(missing ? LOG_DEBUG : LOG_ERR,
                                                   errno, "Failed to open " RANDOM_SEED " for reading: %m");
                                return missing ? 0 : r;
                        }
                } else
                        write_seed_file = true;

                random_fd = open("/dev/urandom", O_RDWR|O_CLOEXEC|O_NOCTTY, 0600);
                if (random_fd < 0)
                        return log_error_errno(errno, "Failed to open /dev/urandom: %m");

                read_seed_file = true;
                synchronous = true; /* make this invocation a synchronous barrier for random pool initialization */

        } else if (streq(argv[1], "save")) {

                random_fd = open("/dev/urandom", O_RDONLY|O_CLOEXEC|O_NOCTTY);
                if (random_fd < 0)
                        return log_error_errno(errno, "Failed to open /dev/urandom: %m");

                seed_fd = open(RANDOM_SEED, O_WRONLY|O_CLOEXEC|O_NOCTTY|O_CREAT, 0600);
                if (seed_fd < 0)
                        return log_error_errno(errno, "Failed to open " RANDOM_SEED ": %m");

                read_seed_file = false;
                write_seed_file = true;
                synchronous = false;
        } else
                return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
                                       "Unknown verb '%s'.", argv[1]);

        if (fstat(seed_fd, &st) < 0)
                return log_error_errno(errno, "Failed to stat() seed file " RANDOM_SEED ": %m");

        /* If the seed file is larger than what we expect, then honour the existing size and save/restore as much as it says */
        if ((uint64_t) st.st_size > buf_size)
                buf_size = MIN(st.st_size, RANDOM_POOL_SIZE_MAX);

        buf = malloc(buf_size);
        if (!buf)
                return log_oom();

        if (read_seed_file) {
                sd_id128_t mid;

                /* First, let's write the machine ID into /dev/urandom, not crediting entropy. Why? As an
                 * extra protection against "golden images" that are put together sloppily, i.e. images which
                 * are duplicated on multiple systems but where the random seed file is not properly
                 * reset. Frequently the machine ID is properly reset on those systems however (simply
                 * because it's easier to notice, if it isn't due to address clashes and so on, while random
                 * seed equivalence is generally not noticed easily), hence let's simply write the machined
                 * ID into the random pool too. */
                r = sd_id128_get_machine(&mid);
                if (r < 0)
                        log_debug_errno(r, "Failed to get machine ID, ignoring: %m");
                else {
                        r = loop_write(random_fd, &mid, sizeof(mid), false);
                        if (r < 0)
                                log_debug_errno(r, "Failed to write machine ID to /dev/urandom, ignoring: %m");
                }

                k = loop_read(seed_fd, buf, buf_size, false);
                if (k < 0)
                        log_error_errno(k, "Failed to read seed from " RANDOM_SEED ": %m");
                else if (k == 0)
                        log_debug("Seed file " RANDOM_SEED " not yet initialized, proceeding.");
                else {
                        CreditEntropy lets_credit;

                        /* If we're going to later write out a seed file, initialize a hash state with
                         * the contents of the seed file we just read, so that the new one can't regress
                         * in entropy. */
                        if (write_seed_file) {
                                sha256_init_ctx(&hash_state);
                                sha256_process_bytes(&k, sizeof(k), &hash_state); /* Hash length to distinguish from new seed. */
                                sha256_process_bytes(buf, k, &hash_state);
                                hashed_old_seed = true;
                        }

                        (void) lseek(seed_fd, 0, SEEK_SET);

                        lets_credit = may_credit(seed_fd);

                        /* Before we credit or use the entropy, let's make sure to securely drop the
                         * creditable xattr from the file, so that we never credit the same random seed
                         * again. Note that further down we'll write a new seed again, and likely mark it as
                         * credible again, hence this is just paranoia to close the short time window between
                         * the time we upload the random seed into the kernel and download the new one from
                         * it. */

                        if (fremovexattr(seed_fd, "user.random-seed-creditable") < 0) {
                                if (!ERRNO_IS_XATTR_ABSENT(errno))
                                        log_warning_errno(errno, "Failed to remove extended attribute, ignoring: %m");

                                /* Otherwise, there was no creditable flag set, which is OK. */
                        } else {
                                r = fsync_full(seed_fd);
                                if (r < 0) {
                                        log_warning_errno(r, "Failed to synchronize seed to disk, not crediting entropy: %m");

                                        if (lets_credit == CREDIT_ENTROPY_YES_PLEASE)
                                                lets_credit = CREDIT_ENTROPY_NO_WAY;
                                }
                        }

                        r = random_write_entropy(random_fd, buf, k,
                                                 IN_SET(lets_credit, CREDIT_ENTROPY_YES_PLEASE, CREDIT_ENTROPY_YES_FORCED));
                        if (r < 0)
                                log_error_errno(r, "Failed to write seed to /dev/urandom: %m");
                }
        }

        if (write_seed_file) {
                bool getrandom_worked = false;

                /* This is just a safety measure. Given that we are root and most likely created the file
                 * ourselves the mode and owner should be correct anyway. */
                r = fchmod_and_chown(seed_fd, 0600, 0, 0);
                if (r < 0)
                        return log_error_errno(r, "Failed to adjust seed file ownership and access mode: %m");

                /* Let's make this whole job asynchronous, i.e. let's make ourselves a barrier for
                 * proper initialization of the random pool. */
                k = getrandom(buf, buf_size, GRND_NONBLOCK);
                if (k < 0 && errno == EAGAIN && synchronous) {
                        log_notice("Kernel entropy pool is not initialized yet, waiting until it is.");
                        k = getrandom(buf, buf_size, 0); /* retry synchronously */
                }
                if (k < 0)
                        log_debug_errno(errno, "Failed to read random data with getrandom(), falling back to /dev/urandom: %m");
                else if ((size_t) k < buf_size)
                        log_debug("Short read from getrandom(), falling back to /dev/urandom.");
                else
                        getrandom_worked = true;

                if (!getrandom_worked) {
                        /* Retry with classic /dev/urandom */
                        k = loop_read(random_fd, buf, buf_size, false);
                        if (k < 0)
                                return log_error_errno(k, "Failed to read new seed from /dev/urandom: %m");
                        if (k == 0)
                                return log_error_errno(SYNTHETIC_ERRNO(EIO),
                                                       "Got EOF while reading from /dev/urandom.");
                }

                /* If we previously read in a seed file, then hash the new seed into the old one,
                 * and replace the last 32 bytes of the seed with the hash output, so that the
                 * new seed file can't regress in entropy. */
                if (hashed_old_seed) {
                        uint8_t hash[SHA256_DIGEST_SIZE];
                        sha256_process_bytes(&k, sizeof(k), &hash_state); /* Hash length to distinguish from old seed. */
                        sha256_process_bytes(buf, k, &hash_state);
                        sha256_finish_ctx(&hash_state, hash);
                        l = MIN((size_t)k, sizeof(hash));
                        memcpy((uint8_t *)buf + k - l, hash, l);
                }

                r = loop_write(seed_fd, buf, (size_t) k, false);
                if (r < 0)
                        return log_error_errno(r, "Failed to write new random seed file: %m");

                if (ftruncate(seed_fd, k) < 0)
                        return log_error_errno(r, "Failed to truncate random seed file: %m");

                r = fsync_full(seed_fd);
                if (r < 0)
                        return log_error_errno(r, "Failed to synchronize seed file: %m");

                /* If we got this random seed data from getrandom() the data is suitable for crediting
                 * entropy later on. Let's keep that in mind by setting an extended attribute. on the file */
                if (getrandom_worked)
                        if (fsetxattr(seed_fd, "user.random-seed-creditable", "1", 1, 0) < 0)
                                log_full_errno(ERRNO_IS_NOT_SUPPORTED(errno) ? LOG_DEBUG : LOG_WARNING, errno,
                                               "Failed to mark seed file as creditable, ignoring: %m");
        }

        return 0;
}

DEFINE_MAIN_FUNCTION(run);
Commit	Line	Data
db9ecf05	1	/* SPDX-License-Identifier: LGPL-2.1-or-later */
6e200d55	2
6e200d55	3	#include <errno.h>
07630cea	4	#include <fcntl.h>
26ded557	5	#include <linux/random.h>
26ded557 LP	6	#include <sys/ioctl.h>
	7	#if USE_SYS_RANDOM_H
	8	# include <sys/random.h>
	9	#endif
6e200d55	10	#include <sys/stat.h>
26ded557	11	#include <sys/xattr.h>
07630cea	12	#include <unistd.h>
6e200d55	13
8ba12aef LP	14	#include "sd-id128.h"
8ba12aef LP	15
b5efdb8a	16	#include "alloc-util.h"
3ffd4af2	17	#include "fd-util.h"
4b3b5bc7	18	#include "fs-util.h"
c004493c	19	#include "io-util.h"
6e200d55	20	#include "log.h"
5e332028	21	#include "main-func.h"
123aeae2	22	#include "missing_random.h"
f5947a5e	23	#include "missing_syscall.h"
49e942b2	24	#include "mkdir.h"
26ded557	25	#include "parse-util.h"
3e155eba	26	#include "random-util.h"
07630cea	27	#include "string-util.h"
bf819d3a	28	#include "sync-util.h"
da2862ef	29	#include "sha256.h"
07630cea	30	#include "util.h"
26ded557 LP	31	#include "xattr-util.h"
	32
	33	typedef enum CreditEntropy {
	34	CREDIT_ENTROPY_NO_WAY,
	35	CREDIT_ENTROPY_YES_PLEASE,
	36	CREDIT_ENTROPY_YES_FORCED,
	37	} CreditEntropy;
	38
	39	static CreditEntropy may_credit(int seed_fd) {
	40	_cleanup_free_ char *creditable = NULL;
	41	const char *e;
	42	int r;
	43
	44	assert(seed_fd >= 0);
	45
	46	e = getenv("SYSTEMD_RANDOM_SEED_CREDIT");
	47	if (!e) {
	48	log_debug("$SYSTEMD_RANDOM_SEED_CREDIT is not set, not crediting entropy.");
	49	return CREDIT_ENTROPY_NO_WAY;
	50	}
	51	if (streq(e, "force")) {
	52	log_debug("$SYSTEMD_RANDOM_SEED_CREDIT is set to 'force', crediting entropy.");
	53	return CREDIT_ENTROPY_YES_FORCED;
	54	}
	55
	56	r = parse_boolean(e);
	57	if (r <= 0) {
	58	if (r < 0)
	59	log_warning_errno(r, "Failed to parse $SYSTEMD_RANDOM_SEED_CREDIT, not crediting entropy: %m");
	60	else
	61	log_debug("Crediting entropy is turned off via $SYSTEMD_RANDOM_SEED_CREDIT, not crediting entropy.");
	62
	63	return CREDIT_ENTROPY_NO_WAY;
	64	}
	65
	66	/* Determine if the file is marked as creditable */
	67	r = fgetxattr_malloc(seed_fd, "user.random-seed-creditable", &creditable);
	68	if (r < 0) {
00675c36	69	if (ERRNO_IS_XATTR_ABSENT(r))
26ded557 LP	70	log_debug_errno(r, "Seed file is not marked as creditable, not crediting.");
	71	else
	72	log_warning_errno(r, "Failed to read extended attribute, ignoring: %m");
	73
	74	return CREDIT_ENTROPY_NO_WAY;
	75	}
	76
	77	r = parse_boolean(creditable);
	78	if (r <= 0) {
	79	if (r < 0)
	80	log_warning_errno(r, "Failed to parse user.random-seed-creditable extended attribute, ignoring: %s", creditable);
	81	else
	82	log_debug("Seed file is marked as not creditable, not crediting.");
	83
	84	return CREDIT_ENTROPY_NO_WAY;
	85	}
	86
	87	/* Don't credit the random seed if we are in first-boot mode, because we are supposed to start from
	88	* scratch. This is a safety precaution for cases where we people ship "golden" images with empty
	89	* /etc but populated /var that contains a random seed. */
249d31b0 FB	90	r = RET_NERRNO(access("/run/systemd/first-boot", F_OK));
	91	if (r == -ENOENT)
	92	/* All is good, we are not in first-boot mode. */
	93	return CREDIT_ENTROPY_YES_PLEASE;
	94	if (r < 0) {
	95	log_warning_errno(r, "Failed to check whether we are in first-boot mode, not crediting entropy: %m");
26ded557 LP	96	return CREDIT_ENTROPY_NO_WAY;
	97	}
	98
249d31b0 FB	99	log_debug("Not crediting entropy, since booted in first-boot mode.");
249d31b0 FB	100	return CREDIT_ENTROPY_NO_WAY;
26ded557	101	}
6e200d55	102
72d0d7a6	103	static int run(int argc, char *argv[]) {
06511ba5	104	bool read_seed_file, write_seed_file, synchronous, hashed_old_seed = false;
ce179470 LP	105	_cleanup_close_ int seed_fd = -1, random_fd = -1;
ce179470 LP	106	_cleanup_free_ void* buf = NULL;
da2862ef	107	struct sha256_ctx hash_state;
3e155eba	108	size_t buf_size;
ac93390b	109	struct stat st;
da2862ef	110	ssize_t k, l;
ac93390b	111	int r;
6e200d55	112
d2acb93d	113	log_setup();
6e200d55	114
baaa35ad ZJS	115	if (argc != 2)
	116	return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
	117	"This program requires one argument.");
72d0d7a6	118
4c12626c LP	119	umask(0022);
4c12626c LP	120
3e155eba	121	buf_size = random_pool_size();
26192dfc	122
5468d9af	123	r = mkdir_parents(RANDOM_SEED, 0755);
72d0d7a6 ZJS	124	if (r < 0)
72d0d7a6 ZJS	125	return log_error_errno(r, "Failed to create directory " RANDOM_SEED_DIR ": %m");
b56e5747	126
ac93390b LP	127	/* When we load the seed we read it and write it to the device and then immediately update the saved seed with
ac93390b LP	128	* new data, to make sure the next boot gets seeded differently. */
6e200d55 LP	129
	130	if (streq(argv[1], "load")) {
	131
ce179470 LP	132	seed_fd = open(RANDOM_SEED, O_RDWR\|O_CLOEXEC\|O_NOCTTY\|O_CREAT, 0600);
ce179470 LP	133	if (seed_fd < 0) {
15d961bf LP	134	int open_rw_error = -errno;
15d961bf LP	135
ac93390b	136	write_seed_file = false;
8edc2d22	137
ce179470 LP	138	seed_fd = open(RANDOM_SEED, O_RDONLY\|O_CLOEXEC\|O_NOCTTY);
ce179470 LP	139	if (seed_fd < 0) {
8edc2d22 ZJS	140	bool missing = errno == ENOENT;
	141
	142	log_full_errno(missing ? LOG_DEBUG : LOG_ERR,
	143	open_rw_error, "Failed to open " RANDOM_SEED " for writing: %m");
	144	r = log_full_errno(missing ? LOG_DEBUG : LOG_ERR,
	145	errno, "Failed to open " RANDOM_SEED " for reading: %m");
72d0d7a6	146	return missing ? 0 : r;
6e200d55	147	}
ac93390b LP	148	} else
ac93390b LP	149	write_seed_file = true;
6e200d55	150
ce179470	151	random_fd = open("/dev/urandom", O_RDWR\|O_CLOEXEC\|O_NOCTTY, 0600);
c6127c39 LP	152	if (random_fd < 0)
c6127c39 LP	153	return log_error_errno(errno, "Failed to open /dev/urandom: %m");
6e200d55	154
ac93390b	155	read_seed_file = true;
26ded557	156	synchronous = true; /* make this invocation a synchronous barrier for random pool initialization */
6e200d55 LP	157
	158	} else if (streq(argv[1], "save")) {
	159
ac93390b	160	random_fd = open("/dev/urandom", O_RDONLY\|O_CLOEXEC\|O_NOCTTY);
72d0d7a6 ZJS	161	if (random_fd < 0)
72d0d7a6 ZJS	162	return log_error_errno(errno, "Failed to open /dev/urandom: %m");
ac93390b	163
ce179470	164	seed_fd = open(RANDOM_SEED, O_WRONLY\|O_CLOEXEC\|O_NOCTTY\|O_CREAT, 0600);
72d0d7a6 ZJS	165	if (seed_fd < 0)
72d0d7a6 ZJS	166	return log_error_errno(errno, "Failed to open " RANDOM_SEED ": %m");
6e200d55	167
ac93390b LP	168	read_seed_file = false;
ac93390b LP	169	write_seed_file = true;
26ded557	170	synchronous = false;
baaa35ad ZJS	171	} else
	172	return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
	173	"Unknown verb '%s'.", argv[1]);
6e200d55	174
72d0d7a6 ZJS	175	if (fstat(seed_fd, &st) < 0)
72d0d7a6 ZJS	176	return log_error_errno(errno, "Failed to stat() seed file " RANDOM_SEED ": %m");
ac93390b LP	177
	178	/* If the seed file is larger than what we expect, then honour the existing size and save/restore as much as it says */
	179	if ((uint64_t) st.st_size > buf_size)
3e155eba	180	buf_size = MIN(st.st_size, RANDOM_POOL_SIZE_MAX);
ac93390b LP	181
ac93390b LP	182	buf = malloc(buf_size);
72d0d7a6 ZJS	183	if (!buf)
72d0d7a6 ZJS	184	return log_oom();
ac93390b LP	185
ac93390b LP	186	if (read_seed_file) {
8ba12aef	187	sd_id128_t mid;
26ded557 LP	188
	189	/* First, let's write the machine ID into /dev/urandom, not crediting entropy. Why? As an
	190	* extra protection against "golden images" that are put together sloppily, i.e. images which
	191	* are duplicated on multiple systems but where the random seed file is not properly
	192	* reset. Frequently the machine ID is properly reset on those systems however (simply
	193	* because it's easier to notice, if it isn't due to address clashes and so on, while random
	194	* seed equivalence is generally not noticed easily), hence let's simply write the machined
	195	* ID into the random pool too. */
	196	r = sd_id128_get_machine(&mid);
	197	if (r < 0)
	198	log_debug_errno(r, "Failed to get machine ID, ignoring: %m");
	199	else {
	200	r = loop_write(random_fd, &mid, sizeof(mid), false);
	201	if (r < 0)
	202	log_debug_errno(r, "Failed to write machine ID to /dev/urandom, ignoring: %m");
	203	}
ac93390b LP	204
	205	k = loop_read(seed_fd, buf, buf_size, false);
	206	if (k < 0)
26ded557 LP	207	log_error_errno(k, "Failed to read seed from " RANDOM_SEED ": %m");
26ded557 LP	208	else if (k == 0)
ac93390b	209	log_debug("Seed file " RANDOM_SEED " not yet initialized, proceeding.");
26ded557 LP	210	else {
	211	CreditEntropy lets_credit;
	212
06511ba5 JD	213	/* If we're going to later write out a seed file, initialize a hash state with
	214	* the contents of the seed file we just read, so that the new one can't regress
	215	* in entropy. */
	216	if (write_seed_file) {
	217	sha256_init_ctx(&hash_state);
	218	sha256_process_bytes(&k, sizeof(k), &hash_state); /* Hash length to distinguish from new seed. */
	219	sha256_process_bytes(buf, k, &hash_state);
	220	hashed_old_seed = true;
	221	}
	222
ac93390b LP	223	(void) lseek(seed_fd, 0, SEEK_SET);
ac93390b LP	224
26ded557	225	lets_credit = may_credit(seed_fd);
8ba12aef	226
26ded557 LP	227	/* Before we credit or use the entropy, let's make sure to securely drop the
	228	* creditable xattr from the file, so that we never credit the same random seed
	229	* again. Note that further down we'll write a new seed again, and likely mark it as
	230	* credible again, hence this is just paranoia to close the short time window between
	231	* the time we upload the random seed into the kernel and download the new one from
	232	* it. */
	233
	234	if (fremovexattr(seed_fd, "user.random-seed-creditable") < 0) {
00675c36	235	if (!ERRNO_IS_XATTR_ABSENT(errno))
26ded557 LP	236	log_warning_errno(errno, "Failed to remove extended attribute, ignoring: %m");
	237
	238	/* Otherwise, there was no creditable flag set, which is OK. */
	239	} else {
	240	r = fsync_full(seed_fd);
	241	if (r < 0) {
	242	log_warning_errno(r, "Failed to synchronize seed to disk, not crediting entropy: %m");
	243
	244	if (lets_credit == CREDIT_ENTROPY_YES_PLEASE)
	245	lets_credit = CREDIT_ENTROPY_NO_WAY;
	246	}
	247	}
	248
4dd055f9 LP	249	r = random_write_entropy(random_fd, buf, k,
	250	IN_SET(lets_credit, CREDIT_ENTROPY_YES_PLEASE, CREDIT_ENTROPY_YES_FORCED));
	251	if (r < 0)
	252	log_error_errno(r, "Failed to write seed to /dev/urandom: %m");
8ba12aef	253	}
ac93390b LP	254	}
	255
	256	if (write_seed_file) {
26ded557	257	bool getrandom_worked = false;
6e200d55	258
26ded557 LP	259	/* This is just a safety measure. Given that we are root and most likely created the file
	260	* ourselves the mode and owner should be correct anyway. */
	261	r = fchmod_and_chown(seed_fd, 0600, 0, 0);
	262	if (r < 0)
e5b90b30	263	return log_error_errno(r, "Failed to adjust seed file ownership and access mode: %m");
26ded557 LP	264
	265	/* Let's make this whole job asynchronous, i.e. let's make ourselves a barrier for
	266	* proper initialization of the random pool. */
	267	k = getrandom(buf, buf_size, GRND_NONBLOCK);
	268	if (k < 0 && errno == EAGAIN && synchronous) {
	269	log_notice("Kernel entropy pool is not initialized yet, waiting until it is.");
	270	k = getrandom(buf, buf_size, 0); /* retry synchronously */
	271	}
72d0d7a6	272	if (k < 0)
26ded557 LP	273	log_debug_errno(errno, "Failed to read random data with getrandom(), falling back to /dev/urandom: %m");
26ded557 LP	274	else if ((size_t) k < buf_size)
111a3aae	275	log_debug("Short read from getrandom(), falling back to /dev/urandom.");
26ded557 LP	276	else
	277	getrandom_worked = true;
	278
	279	if (!getrandom_worked) {
	280	/* Retry with classic /dev/urandom */
	281	k = loop_read(random_fd, buf, buf_size, false);
	282	if (k < 0)
	283	return log_error_errno(k, "Failed to read new seed from /dev/urandom: %m");
	284	if (k == 0)
	285	return log_error_errno(SYNTHETIC_ERRNO(EIO),
	286	"Got EOF while reading from /dev/urandom.");
	287	}
1509fb87	288
da2862ef JD	289	/* If we previously read in a seed file, then hash the new seed into the old one,
	290	* and replace the last 32 bytes of the seed with the hash output, so that the
	291	* new seed file can't regress in entropy. */
06511ba5	292	if (hashed_old_seed) {
00b46638	293	uint8_t hash[SHA256_DIGEST_SIZE];
06511ba5	294	sha256_process_bytes(&k, sizeof(k), &hash_state); /* Hash length to distinguish from old seed. */
da2862ef JD	295	sha256_process_bytes(buf, k, &hash_state);
da2862ef JD	296	sha256_finish_ctx(&hash_state, hash);
06511ba5	297	l = MIN((size_t)k, sizeof(hash));
da2862ef JD	298	memcpy((uint8_t *)buf + k - l, hash, l);
	299	}
	300
1509fb87 LP	301	r = loop_write(seed_fd, buf, (size_t) k, false);
1509fb87 LP	302	if (r < 0)
72d0d7a6	303	return log_error_errno(r, "Failed to write new random seed file: %m");
26ded557 LP	304
	305	if (ftruncate(seed_fd, k) < 0)
	306	return log_error_errno(r, "Failed to truncate random seed file: %m");
	307
	308	r = fsync_full(seed_fd);
	309	if (r < 0)
	310	return log_error_errno(r, "Failed to synchronize seed file: %m");
	311
	312	/* If we got this random seed data from getrandom() the data is suitable for crediting
	313	* entropy later on. Let's keep that in mind by setting an extended attribute. on the file */
	314	if (getrandom_worked)
	315	if (fsetxattr(seed_fd, "user.random-seed-creditable", "1", 1, 0) < 0)
97f1c6af	316	log_full_errno(ERRNO_IS_NOT_SUPPORTED(errno) ? LOG_DEBUG : LOG_WARNING, errno,
26ded557	317	"Failed to mark seed file as creditable, ignoring: %m");
6e200d55 LP	318	}
6e200d55 LP	319
26ded557	320	return 0;
6e200d55	321	}
72d0d7a6 ZJS	322
72d0d7a6 ZJS	323	DEFINE_MAIN_FUNCTION(run);