[thirdparty/systemd.git] / src / random-seed / random-seed.c

/* SPDX-License-Identifier: LGPL-2.1-or-later */

#include <errno.h>
#include <fcntl.h>
#include <getopt.h>
#include <linux/random.h>
#include <sys/ioctl.h>
#if USE_SYS_RANDOM_H
#  include <sys/random.h>
#endif
#include <sys/stat.h>
#include <sys/xattr.h>
#include <unistd.h>

#include "sd-id128.h"

#include "alloc-util.h"
#include "build.h"
#include "chase-symlinks.h"
#include "efi-loader.h"
#include "fd-util.h"
#include "find-esp.h"
#include "fs-util.h"
#include "io-util.h"
#include "log.h"
#include "main-func.h"
#include "missing_random.h"
#include "missing_syscall.h"
#include "mkdir.h"
#include "parse-argument.h"
#include "parse-util.h"
#include "path-util.h"
#include "pretty-print.h"
#include "random-util.h"
#include "string-table.h"
#include "string-util.h"
#include "strv.h"
#include "sync-util.h"
#include "sha256.h"
#include "terminal-util.h"
#include "xattr-util.h"

typedef enum SeedAction {
        ACTION_LOAD,
        ACTION_SAVE,
        _ACTION_MAX,
        _ACTION_INVALID = -EINVAL,
} SeedAction;

typedef enum CreditEntropy {
        CREDIT_ENTROPY_NO_WAY,
        CREDIT_ENTROPY_YES_PLEASE,
        CREDIT_ENTROPY_YES_FORCED,
} CreditEntropy;

static SeedAction arg_action = _ACTION_INVALID;

static CreditEntropy may_credit(int seed_fd) {
        _cleanup_free_ char *creditable = NULL;
        const char *e;
        int r;

        assert(seed_fd >= 0);

        e = getenv("SYSTEMD_RANDOM_SEED_CREDIT");
        if (!e) {
                log_debug("$SYSTEMD_RANDOM_SEED_CREDIT is not set, not crediting entropy.");
                return CREDIT_ENTROPY_NO_WAY;
        }
        if (streq(e, "force")) {
                log_debug("$SYSTEMD_RANDOM_SEED_CREDIT is set to 'force', crediting entropy.");
                return CREDIT_ENTROPY_YES_FORCED;
        }

        r = parse_boolean(e);
        if (r <= 0) {
                if (r < 0)
                        log_warning_errno(r, "Failed to parse $SYSTEMD_RANDOM_SEED_CREDIT, not crediting entropy: %m");
                else
                        log_debug("Crediting entropy is turned off via $SYSTEMD_RANDOM_SEED_CREDIT, not crediting entropy.");

                return CREDIT_ENTROPY_NO_WAY;
        }

        /* Determine if the file is marked as creditable */
        r = fgetxattr_malloc(seed_fd, "user.random-seed-creditable", &creditable);
        if (r < 0) {
                if (ERRNO_IS_XATTR_ABSENT(r))
                        log_debug_errno(r, "Seed file is not marked as creditable, not crediting.");
                else
                        log_warning_errno(r, "Failed to read extended attribute, ignoring: %m");

                return CREDIT_ENTROPY_NO_WAY;
        }

        r = parse_boolean(creditable);
        if (r <= 0) {
                if (r < 0)
                        log_warning_errno(r, "Failed to parse user.random-seed-creditable extended attribute, ignoring: %s", creditable);
                else
                        log_debug("Seed file is marked as not creditable, not crediting.");

                return CREDIT_ENTROPY_NO_WAY;
        }

        /* Don't credit the random seed if we are in first-boot mode, because we are supposed to start from
         * scratch. This is a safety precaution for cases where we people ship "golden" images with empty
         * /etc but populated /var that contains a random seed. */
        r = RET_NERRNO(access("/run/systemd/first-boot", F_OK));
        if (r == -ENOENT)
                /* All is good, we are not in first-boot mode. */
                return CREDIT_ENTROPY_YES_PLEASE;
        if (r < 0) {
                log_warning_errno(r, "Failed to check whether we are in first-boot mode, not crediting entropy: %m");
                return CREDIT_ENTROPY_NO_WAY;
        }

        log_debug("Not crediting entropy, since booted in first-boot mode.");
        return CREDIT_ENTROPY_NO_WAY;
}

static int random_seed_size(int seed_fd, size_t *ret_size) {
        struct stat st;

        assert(ret_size);
        assert(seed_fd >= 0);

        if (fstat(seed_fd, &st) < 0)
                return log_error_errno(errno, "Failed to stat() seed file " RANDOM_SEED ": %m");

        /* If the seed file is larger than what the kernel expects, then honour the existing size and
         * save/restore as much as it says */

        *ret_size = CLAMP((uint64_t)st.st_size, random_pool_size(), RANDOM_POOL_SIZE_MAX);
        return 0;
}

static void load_machine_id(int urandom_fd) {
        sd_id128_t mid;
        int r;

        assert(urandom_fd >= 0);

        /* As an extra protection against "golden images" that are put together sloppily, i.e. images which
         * are duplicated on multiple systems but where the random seed file is not properly
         * reset. Frequently the machine ID is properly reset on those systems however (simply because it's
         * easier to notice, if it isn't due to address clashes and so on, while random seed equivalence is
         * generally not noticed easily), hence let's simply write the machined ID into the random pool
         * too. */
        r = sd_id128_get_machine(&mid);
        if (r < 0)
                return (void) log_debug_errno(r, "Failed to get machine ID, ignoring: %m");

        r = random_write_entropy(urandom_fd, &mid, sizeof(mid), /* credit= */ false);
        if (r < 0)
                log_debug_errno(r, "Failed to write machine ID to /dev/urandom, ignoring: %m");
}

static int load_seed_file(
                int seed_fd,
                int urandom_fd,
                size_t seed_size,
                struct sha256_ctx **ret_hash_state) {

        _cleanup_free_ void *buf = NULL;
        CreditEntropy lets_credit;
        ssize_t k;
        int r;

        assert(seed_fd >= 0);
        assert(urandom_fd >= 0);

        buf = malloc(seed_size);
        if (!buf)
                return log_oom();

        k = loop_read(seed_fd, buf, seed_size, false);
        if (k < 0) {
                log_warning_errno(k, "Failed to read seed from " RANDOM_SEED ": %m");
                return 0;
        }
        if (k == 0) {
                log_debug("Seed file " RANDOM_SEED " not yet initialized, proceeding.");
                return 0;
        }

        /* If we're going to later write out a seed file, initialize a hash state with the contents of the
         * seed file we just read, so that the new one can't regress in entropy. */
        if (ret_hash_state) {
                struct sha256_ctx *hash_state;

                hash_state = new(struct sha256_ctx, 1);
                if (!hash_state)
                        return log_oom();

                sha256_init_ctx(hash_state);
                sha256_process_bytes(&k, sizeof(k), hash_state); /* Hash length to distinguish from new seed. */
                sha256_process_bytes(buf, k, hash_state);

                *ret_hash_state = hash_state;
        }

        (void) lseek(seed_fd, 0, SEEK_SET);

        lets_credit = may_credit(seed_fd);

        /* Before we credit or use the entropy, let's make sure to securely drop the creditable xattr from
         * the file, so that we never credit the same random seed again. Note that further down we'll write a
         * new seed again, and likely mark it as credible again, hence this is just paranoia to close the
         * short time window between the time we upload the random seed into the kernel and download the new
         * one from it. */

        if (fremovexattr(seed_fd, "user.random-seed-creditable") < 0) {
                if (!ERRNO_IS_XATTR_ABSENT(errno))
                        log_warning_errno(errno, "Failed to remove extended attribute, ignoring: %m");

                /* Otherwise, there was no creditable flag set, which is OK. */
        } else {
                r = fsync_full(seed_fd);
                if (r < 0) {
                        log_warning_errno(r, "Failed to synchronize seed to disk, not crediting entropy: %m");

                        if (lets_credit == CREDIT_ENTROPY_YES_PLEASE)
                                lets_credit = CREDIT_ENTROPY_NO_WAY;
                }
        }

        r = random_write_entropy(urandom_fd, buf, k,
                                 IN_SET(lets_credit, CREDIT_ENTROPY_YES_PLEASE, CREDIT_ENTROPY_YES_FORCED));
        if (r < 0)
                log_warning_errno(r, "Failed to write seed to /dev/urandom: %m");

        return 0;
}

static int save_seed_file(
                int seed_fd,
                int urandom_fd,
                size_t seed_size,
                bool synchronous,
                struct sha256_ctx *hash_state) {

        _cleanup_free_ void *buf = NULL;
        bool getrandom_worked = false;
        ssize_t k, l;
        int r;

        assert(seed_fd >= 0);
        assert(urandom_fd >= 0);

        /* This is just a safety measure. Given that we are root and most likely created the file ourselves
         * the mode and owner should be correct anyway. */
        r = fchmod_and_chown(seed_fd, 0600, 0, 0);
        if (r < 0)
                return log_error_errno(r, "Failed to adjust seed file ownership and access mode: %m");

        buf = malloc(seed_size);
        if (!buf)
                return log_oom();

        k = getrandom(buf, seed_size, GRND_NONBLOCK);
        if (k < 0 && errno == EAGAIN && synchronous) {
                /* If we're asked to make ourselves a barrier for proper initialization of the random pool
                 * make this whole job synchronous by asking getrandom() to wait until the requested number
                 * of random bytes is available. */
                log_notice("Kernel entropy pool is not initialized yet, waiting until it is.");
                k = getrandom(buf, seed_size, 0);
        }
        if (k < 0)
                log_debug_errno(errno, "Failed to read random data with getrandom(), falling back to /dev/urandom: %m");
        else if ((size_t) k < seed_size)
                log_debug("Short read from getrandom(), falling back to /dev/urandom.");
        else
                getrandom_worked = true;

        if (!getrandom_worked) {
                /* Retry with classic /dev/urandom */
                k = loop_read(urandom_fd, buf, seed_size, false);
                if (k < 0)
                        return log_error_errno(k, "Failed to read new seed from /dev/urandom: %m");
                if (k == 0)
                        return log_error_errno(SYNTHETIC_ERRNO(EIO), "Got EOF while reading from /dev/urandom.");
        }

        /* If we previously read in a seed file, then hash the new seed into the old one, and replace the
         * last 32 bytes of the seed with the hash output, so that the new seed file can't regress in
         * entropy. */
        if (hash_state) {
                uint8_t hash[SHA256_DIGEST_SIZE];

                sha256_process_bytes(&k, sizeof(k), hash_state); /* Hash length to distinguish from old seed. */
                sha256_process_bytes(buf, k, hash_state);
                sha256_finish_ctx(hash_state, hash);
                l = MIN((size_t)k, sizeof(hash));
                memcpy((uint8_t *)buf + k - l, hash, l);
        }

        r = loop_write(seed_fd, buf, (size_t) k, false);
        if (r < 0)
                return log_error_errno(r, "Failed to write new random seed file: %m");

        if (ftruncate(seed_fd, k) < 0)
                return log_error_errno(r, "Failed to truncate random seed file: %m");

        r = fsync_full(seed_fd);
        if (r < 0)
                return log_error_errno(r, "Failed to synchronize seed file: %m");

        /* If we got this random seed data from getrandom() the data is suitable for crediting entropy later
         * on. Let's keep that in mind by setting an extended attribute. on the file */
        if (getrandom_worked)
                if (fsetxattr(seed_fd, "user.random-seed-creditable", "1", 1, 0) < 0)
                        log_full_errno(ERRNO_IS_NOT_SUPPORTED(errno) ? LOG_DEBUG : LOG_WARNING, errno,
                                       "Failed to mark seed file as creditable, ignoring: %m");
        return 0;
}

static int refresh_boot_seed(void) {
        uint8_t buffer[RANDOM_EFI_SEED_SIZE];
        struct sha256_ctx hash_state;
        _cleanup_free_ void *seed_file_bytes = NULL;
        _cleanup_free_ char *esp_path = NULL;
        _cleanup_close_ int seed_fd = -1, dir_fd = -1;
        size_t len;
        ssize_t n;
        int r;

        assert_cc(RANDOM_EFI_SEED_SIZE == SHA256_DIGEST_SIZE);

        r = find_esp_and_warn(NULL, NULL, /* unprivileged_mode= */ false, &esp_path,
                              NULL, NULL, NULL, NULL, NULL);
        if (r < 0) {
                if (r == -ENOKEY) {
                        log_debug_errno(r, "Couldn't find any ESP, so not updating ESP random seed.");
                        return 0;
                }
                return r; /* find_esp_and_warn() already logged */
        }

        r = chase_symlinks("/loader", esp_path, CHASE_PREFIX_ROOT|CHASE_PROHIBIT_SYMLINKS, NULL, &dir_fd);
        if (r < 0) {
                if (r == -ENOENT) {
                        log_debug_errno(r, "Couldn't find ESP loader directory, so not updating ESP random seed.");
                        return 0;
                }
                return log_error_errno(r, "Failed to open ESP loader directory: %m");
        }
        seed_fd = openat(dir_fd, "random-seed", O_NOFOLLOW|O_RDWR|O_CLOEXEC|O_NOCTTY);
        if (seed_fd < 0 && errno == ENOENT) {
                uint64_t features;
                r = efi_loader_get_features(&features);
                if (r == 0 && FLAGS_SET(features, EFI_LOADER_FEATURE_RANDOM_SEED))
                        seed_fd = openat(dir_fd, "random-seed", O_CREAT|O_EXCL|O_RDWR|O_CLOEXEC|O_NOCTTY, 0600);
                else {
                        log_debug_errno(seed_fd, "Couldn't find ESP random seed, and not booted with systemd-boot, so not updating ESP random seed.");
                        return 0;
                }
        }
        if (seed_fd < 0)
                return log_error_errno(errno, "Failed to open EFI seed path: %m");
        r = random_seed_size(seed_fd, &len);
        if (r < 0)
                return log_error_errno(r, "Failed to determine EFI seed path length: %m");
        seed_file_bytes = malloc(len);
        if (!seed_file_bytes)
                return log_oom();
        n = loop_read(seed_fd, seed_file_bytes, len, false);
        if (n < 0)
                return log_error_errno(n, "Failed to read EFI seed file: %m");

        /* Hash the old seed in so that we never regress in entropy. */
        sha256_init_ctx(&hash_state);
        sha256_process_bytes(&n, sizeof(n), &hash_state);
        sha256_process_bytes(seed_file_bytes, n, &hash_state);

        /* We're doing this opportunistically, so if the seeding dance before didn't manage to initialize the
         * RNG, there's no point in doing it here. Secondly, getrandom(GRND_NONBLOCK) has been around longer
         * than EFI seeding anyway, so there's no point in having non-getrandom() fallbacks here. So if this
         * fails, just return early to cut our losses. */
        n = getrandom(buffer, sizeof(buffer), GRND_NONBLOCK);
        if (n < 0) {
                if (errno == EAGAIN) {
                        log_debug_errno(errno, "Random pool not initialized yet, so skipping EFI seed update");
                        return 0;
                }
                if (errno == ENOSYS) {
                        log_debug_errno(errno, "getrandom() not available, so skipping EFI seed update");
                        return 0;
                }
                return log_error_errno(errno, "Failed to generate random bytes for EFI seed: %m");
        }
        assert(n == sizeof(buffer));

        /* Hash the new seed into the state containing the old one to generate our final seed. */
        sha256_process_bytes(&n, sizeof(n), &hash_state);
        sha256_process_bytes(buffer, n, &hash_state);
        sha256_finish_ctx(&hash_state, buffer);

        if (lseek(seed_fd, 0, SEEK_SET) < 0)
                return log_error_errno(errno, "Failed to seek to beginning of EFI seed file: %m");
        r = loop_write(seed_fd, buffer, sizeof(buffer), false);
        if (r < 0)
                return log_error_errno(r, "Failed to write new EFI seed file: %m");
        if (ftruncate(seed_fd, sizeof(buffer)) < 0)
                return log_error_errno(errno, "Failed to truncate EFI seed file: %m");
        r = fsync_full(seed_fd);
        if (r < 0)
                return log_error_errno(r, "Failed to fsync EFI seed file: %m");

        log_debug("Updated random seed in ESP");
        return 0;
}

static int help(int argc, char *argv[], void *userdata) {
        _cleanup_free_ char *link = NULL;
        int r;

        r = terminal_urlify_man("systemd-random-seed", "8", &link);
        if (r < 0)
                return log_oom();

        printf("%1$s [OPTIONS...] COMMAND\n"
               "\n%5$sLoad and save the system random seed at boot and shutdown.%6$s\n"
               "\n%3$sCommands:%4$s\n"
               "  load                Load a random seed saved on disk into the kernel entropy pool\n"
               "  save                Save a new random seed on disk\n"
               "\n%3$sOptions:%4$s\n"
               "  -h --help           Show this help\n"
               "     --version        Show package version\n"
               "\nSee the %2$s for details.\n",
               program_invocation_short_name,
               link,
               ansi_underline(),
               ansi_normal(),
               ansi_highlight(),
               ansi_normal());

        return 0;
}

static const char* const seed_action_table[_ACTION_MAX] = {
        [ACTION_LOAD] = "load",
        [ACTION_SAVE] = "save",
};

DEFINE_PRIVATE_STRING_TABLE_LOOKUP_FROM_STRING(seed_action, SeedAction);

static int parse_argv(int argc, char *argv[]) {
        enum {
                ARG_VERSION = 0x100,
        };

        static const struct option options[] = {
                { "help",    no_argument, NULL, 'h'         },
                { "version", no_argument, NULL, ARG_VERSION },
        };

        int c;

        assert(argc >= 0);
        assert(argv);

        while ((c = getopt_long(argc, argv, "h", options, NULL)) >= 0)
                switch (c) {
                case 'h':
                        return help(0, NULL, NULL);
                case ARG_VERSION:
                        return version();
                case '?':
                        return -EINVAL;

                default:
                        assert_not_reached();
                }

        if (optind + 1 != argc)
                return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "This program requires one argument.");

        arg_action = seed_action_from_string(argv[optind]);
        if (arg_action < 0)
                return log_error_errno(arg_action, "Unknown action '%s'", argv[optind]);

        return 1;
}

static int run(int argc, char *argv[]) {
        _cleanup_free_ struct sha256_ctx *hash_state = NULL;
        _cleanup_close_ int seed_fd = -1, random_fd = -1;
        bool read_seed_file, write_seed_file, synchronous;
        size_t seed_size;
        int r;

        log_setup();

        r = parse_argv(argc, argv);
        if (r <= 0)
                return r;

        umask(0022);

        r = mkdir_parents(RANDOM_SEED, 0755);
        if (r < 0)
                return log_error_errno(r, "Failed to create directory " RANDOM_SEED_DIR ": %m");

        random_fd = open("/dev/urandom", O_RDWR|O_CLOEXEC|O_NOCTTY);
        if (random_fd < 0)
                return log_error_errno(errno, "Failed to open /dev/urandom: %m");

        /* When we load the seed we read it and write it to the device and then immediately update the saved
         * seed with new data, to make sure the next boot gets seeded differently. */

        switch (arg_action) {
        case ACTION_LOAD:
                /* First, let's write the machine ID into /dev/urandom, not crediting entropy. See
                 * load_machine_id() for an explanation why. */
                load_machine_id(random_fd);

                seed_fd = open(RANDOM_SEED, O_RDWR|O_CLOEXEC|O_NOCTTY|O_CREAT, 0600);
                if (seed_fd < 0) {
                        int open_rw_error = -errno;

                        write_seed_file = false;

                        seed_fd = open(RANDOM_SEED, O_RDONLY|O_CLOEXEC|O_NOCTTY);
                        if (seed_fd < 0) {
                                bool missing = errno == ENOENT;
                                int level = missing ? LOG_DEBUG : LOG_ERR;

                                log_full_errno(level, open_rw_error, "Failed to open " RANDOM_SEED " for writing: %m");
                                log_full_errno(level, errno, "Failed to open " RANDOM_SEED " for reading: %m");
                                r = -errno;

                                (void) refresh_boot_seed();
                                return missing ? 0 : r;
                        }
                } else
                        write_seed_file = true;

                read_seed_file = true;
                synchronous = true; /* make this invocation a synchronous barrier for random pool initialization */
                break;

        case ACTION_SAVE:
                (void) refresh_boot_seed();
                seed_fd = open(RANDOM_SEED, O_WRONLY|O_CLOEXEC|O_NOCTTY|O_CREAT, 0600);
                if (seed_fd < 0)
                        return log_error_errno(errno, "Failed to open " RANDOM_SEED ": %m");

                read_seed_file = false;
                write_seed_file = true;
                synchronous = false;
                break;

        default:
                assert_not_reached();
        }

        r = random_seed_size(seed_fd, &seed_size);
        if (r < 0)
                return r;

        if (read_seed_file) {
                r = load_seed_file(seed_fd, random_fd, seed_size,
                                   write_seed_file ? &hash_state : NULL);
                (void) refresh_boot_seed();
        }

        if (r >= 0 && write_seed_file)
                r = save_seed_file(seed_fd, random_fd, seed_size, synchronous, hash_state);

        return r;
}

DEFINE_MAIN_FUNCTION(run);
Commit	Line	Data
db9ecf05	1	/* SPDX-License-Identifier: LGPL-2.1-or-later */
6e200d55	2
6e200d55	3	#include <errno.h>
07630cea	4	#include <fcntl.h>
0d0c6639	5	#include <getopt.h>
26ded557	6	#include <linux/random.h>
26ded557 LP	7	#include <sys/ioctl.h>
	8	#if USE_SYS_RANDOM_H
	9	# include <sys/random.h>
	10	#endif
6e200d55	11	#include <sys/stat.h>
26ded557	12	#include <sys/xattr.h>
07630cea	13	#include <unistd.h>
6e200d55	14
8ba12aef LP	15	#include "sd-id128.h"
8ba12aef LP	16
b5efdb8a	17	#include "alloc-util.h"
d6b4d1c7	18	#include "build.h"
f913c784 JD	19	#include "chase-symlinks.h"
f913c784 JD	20	#include "efi-loader.h"
3ffd4af2	21	#include "fd-util.h"
f913c784	22	#include "find-esp.h"
4b3b5bc7	23	#include "fs-util.h"
c004493c	24	#include "io-util.h"
6e200d55	25	#include "log.h"
5e332028	26	#include "main-func.h"
123aeae2	27	#include "missing_random.h"
f5947a5e	28	#include "missing_syscall.h"
49e942b2	29	#include "mkdir.h"
0d0c6639	30	#include "parse-argument.h"
26ded557	31	#include "parse-util.h"
f913c784	32	#include "path-util.h"
0d0c6639	33	#include "pretty-print.h"
3e155eba	34	#include "random-util.h"
0d0c6639	35	#include "string-table.h"
07630cea	36	#include "string-util.h"
0d0c6639	37	#include "strv.h"
bf819d3a	38	#include "sync-util.h"
da2862ef	39	#include "sha256.h"
0d0c6639	40	#include "terminal-util.h"
26ded557 LP	41	#include "xattr-util.h"
26ded557 LP	42
0d0c6639 FB	43	typedef enum SeedAction {
	44	ACTION_LOAD,
	45	ACTION_SAVE,
	46	_ACTION_MAX,
	47	_ACTION_INVALID = -EINVAL,
	48	} SeedAction;
	49
26ded557 LP	50	typedef enum CreditEntropy {
	51	CREDIT_ENTROPY_NO_WAY,
	52	CREDIT_ENTROPY_YES_PLEASE,
	53	CREDIT_ENTROPY_YES_FORCED,
	54	} CreditEntropy;
	55
0d0c6639 FB	56	static SeedAction arg_action = _ACTION_INVALID;
0d0c6639 FB	57
26ded557 LP	58	static CreditEntropy may_credit(int seed_fd) {
	59	_cleanup_free_ char *creditable = NULL;
	60	const char *e;
	61	int r;
	62
	63	assert(seed_fd >= 0);
	64
	65	e = getenv("SYSTEMD_RANDOM_SEED_CREDIT");
	66	if (!e) {
	67	log_debug("$SYSTEMD_RANDOM_SEED_CREDIT is not set, not crediting entropy.");
	68	return CREDIT_ENTROPY_NO_WAY;
	69	}
	70	if (streq(e, "force")) {
	71	log_debug("$SYSTEMD_RANDOM_SEED_CREDIT is set to 'force', crediting entropy.");
	72	return CREDIT_ENTROPY_YES_FORCED;
	73	}
	74
	75	r = parse_boolean(e);
	76	if (r <= 0) {
	77	if (r < 0)
	78	log_warning_errno(r, "Failed to parse $SYSTEMD_RANDOM_SEED_CREDIT, not crediting entropy: %m");
	79	else
	80	log_debug("Crediting entropy is turned off via $SYSTEMD_RANDOM_SEED_CREDIT, not crediting entropy.");
	81
	82	return CREDIT_ENTROPY_NO_WAY;
	83	}
	84
	85	/* Determine if the file is marked as creditable */
	86	r = fgetxattr_malloc(seed_fd, "user.random-seed-creditable", &creditable);
	87	if (r < 0) {
00675c36	88	if (ERRNO_IS_XATTR_ABSENT(r))
26ded557 LP	89	log_debug_errno(r, "Seed file is not marked as creditable, not crediting.");
	90	else
	91	log_warning_errno(r, "Failed to read extended attribute, ignoring: %m");
	92
	93	return CREDIT_ENTROPY_NO_WAY;
	94	}
	95
	96	r = parse_boolean(creditable);
	97	if (r <= 0) {
	98	if (r < 0)
	99	log_warning_errno(r, "Failed to parse user.random-seed-creditable extended attribute, ignoring: %s", creditable);
	100	else
	101	log_debug("Seed file is marked as not creditable, not crediting.");
	102
	103	return CREDIT_ENTROPY_NO_WAY;
	104	}
	105
	106	/* Don't credit the random seed if we are in first-boot mode, because we are supposed to start from
	107	* scratch. This is a safety precaution for cases where we people ship "golden" images with empty
	108	* /etc but populated /var that contains a random seed. */
249d31b0 FB	109	r = RET_NERRNO(access("/run/systemd/first-boot", F_OK));
	110	if (r == -ENOENT)
	111	/* All is good, we are not in first-boot mode. */
	112	return CREDIT_ENTROPY_YES_PLEASE;
	113	if (r < 0) {
	114	log_warning_errno(r, "Failed to check whether we are in first-boot mode, not crediting entropy: %m");
26ded557 LP	115	return CREDIT_ENTROPY_NO_WAY;
	116	}
	117
249d31b0 FB	118	log_debug("Not crediting entropy, since booted in first-boot mode.");
249d31b0 FB	119	return CREDIT_ENTROPY_NO_WAY;
26ded557	120	}
6e200d55	121
205138d8 FB	122	static int random_seed_size(int seed_fd, size_t *ret_size) {
	123	struct stat st;
	124
	125	assert(ret_size);
	126	assert(seed_fd >= 0);
	127
	128	if (fstat(seed_fd, &st) < 0)
	129	return log_error_errno(errno, "Failed to stat() seed file " RANDOM_SEED ": %m");
	130
	131	/* If the seed file is larger than what the kernel expects, then honour the existing size and
	132	* save/restore as much as it says */
	133
	134	*ret_size = CLAMP((uint64_t)st.st_size, random_pool_size(), RANDOM_POOL_SIZE_MAX);
	135	return 0;
	136	}
	137
a2f0dbb8 FB	138	static void load_machine_id(int urandom_fd) {
	139	sd_id128_t mid;
	140	int r;
	141
	142	assert(urandom_fd >= 0);
	143
	144	/* As an extra protection against "golden images" that are put together sloppily, i.e. images which
	145	* are duplicated on multiple systems but where the random seed file is not properly
	146	* reset. Frequently the machine ID is properly reset on those systems however (simply because it's
	147	* easier to notice, if it isn't due to address clashes and so on, while random seed equivalence is
	148	* generally not noticed easily), hence let's simply write the machined ID into the random pool
	149	* too. */
	150	r = sd_id128_get_machine(&mid);
	151	if (r < 0)
	152	return (void) log_debug_errno(r, "Failed to get machine ID, ignoring: %m");
	153
	154	r = random_write_entropy(urandom_fd, &mid, sizeof(mid), /* credit= */ false);
	155	if (r < 0)
	156	log_debug_errno(r, "Failed to write machine ID to /dev/urandom, ignoring: %m");
	157	}
	158
d3fa881a FB	159	static int load_seed_file(
	160	int seed_fd,
	161	int urandom_fd,
	162	size_t seed_size,
	163	struct sha256_ctx **ret_hash_state) {
	164
	165	_cleanup_free_ void *buf = NULL;
	166	CreditEntropy lets_credit;
d3fa881a FB	167	ssize_t k;
	168	int r;
	169
	170	assert(seed_fd >= 0);
	171	assert(urandom_fd >= 0);
	172
d3fa881a FB	173	buf = malloc(seed_size);
	174	if (!buf)
	175	return log_oom();
	176
	177	k = loop_read(seed_fd, buf, seed_size, false);
	178	if (k < 0) {
ea37e1ed	179	log_warning_errno(k, "Failed to read seed from " RANDOM_SEED ": %m");
d3fa881a FB	180	return 0;
	181	}
	182	if (k == 0) {
	183	log_debug("Seed file " RANDOM_SEED " not yet initialized, proceeding.");
	184	return 0;
	185	}
	186
	187	/* If we're going to later write out a seed file, initialize a hash state with the contents of the
	188	* seed file we just read, so that the new one can't regress in entropy. */
	189	if (ret_hash_state) {
	190	struct sha256_ctx *hash_state;
	191
f913c784	192	hash_state = new(struct sha256_ctx, 1);
d3fa881a FB	193	if (!hash_state)
	194	return log_oom();
	195
	196	sha256_init_ctx(hash_state);
	197	sha256_process_bytes(&k, sizeof(k), hash_state); /* Hash length to distinguish from new seed. */
	198	sha256_process_bytes(buf, k, hash_state);
	199
	200	*ret_hash_state = hash_state;
	201	}
	202
	203	(void) lseek(seed_fd, 0, SEEK_SET);
	204
	205	lets_credit = may_credit(seed_fd);
	206
	207	/* Before we credit or use the entropy, let's make sure to securely drop the creditable xattr from
	208	* the file, so that we never credit the same random seed again. Note that further down we'll write a
	209	* new seed again, and likely mark it as credible again, hence this is just paranoia to close the
	210	* short time window between the time we upload the random seed into the kernel and download the new
	211	* one from it. */
	212
	213	if (fremovexattr(seed_fd, "user.random-seed-creditable") < 0) {
	214	if (!ERRNO_IS_XATTR_ABSENT(errno))
	215	log_warning_errno(errno, "Failed to remove extended attribute, ignoring: %m");
	216
	217	/* Otherwise, there was no creditable flag set, which is OK. */
	218	} else {
	219	r = fsync_full(seed_fd);
	220	if (r < 0) {
	221	log_warning_errno(r, "Failed to synchronize seed to disk, not crediting entropy: %m");
	222
	223	if (lets_credit == CREDIT_ENTROPY_YES_PLEASE)
	224	lets_credit = CREDIT_ENTROPY_NO_WAY;
	225	}
	226	}
	227
	228	r = random_write_entropy(urandom_fd, buf, k,
	229	IN_SET(lets_credit, CREDIT_ENTROPY_YES_PLEASE, CREDIT_ENTROPY_YES_FORCED));
	230	if (r < 0)
ea37e1ed	231	log_warning_errno(r, "Failed to write seed to /dev/urandom: %m");
d3fa881a FB	232
	233	return 0;
	234	}
	235
	236	static int save_seed_file(
	237	int seed_fd,
	238	int urandom_fd,
	239	size_t seed_size,
	240	bool synchronous,
	241	struct sha256_ctx *hash_state) {
	242
	243	_cleanup_free_ void *buf = NULL;
	244	bool getrandom_worked = false;
	245	ssize_t k, l;
	246	int r;
	247
	248	assert(seed_fd >= 0);
	249	assert(urandom_fd >= 0);
	250
	251	/* This is just a safety measure. Given that we are root and most likely created the file ourselves
	252	* the mode and owner should be correct anyway. */
	253	r = fchmod_and_chown(seed_fd, 0600, 0, 0);
	254	if (r < 0)
	255	return log_error_errno(r, "Failed to adjust seed file ownership and access mode: %m");
	256
	257	buf = malloc(seed_size);
	258	if (!buf)
	259	return log_oom();
	260
d3fa881a FB	261	k = getrandom(buf, seed_size, GRND_NONBLOCK);
d3fa881a FB	262	if (k < 0 && errno == EAGAIN && synchronous) {
46e0b5dc FB	263	/* If we're asked to make ourselves a barrier for proper initialization of the random pool
	264	* make this whole job synchronous by asking getrandom() to wait until the requested number
	265	* of random bytes is available. */
d3fa881a	266	log_notice("Kernel entropy pool is not initialized yet, waiting until it is.");
46e0b5dc	267	k = getrandom(buf, seed_size, 0);
d3fa881a FB	268	}
	269	if (k < 0)
	270	log_debug_errno(errno, "Failed to read random data with getrandom(), falling back to /dev/urandom: %m");
	271	else if ((size_t) k < seed_size)
	272	log_debug("Short read from getrandom(), falling back to /dev/urandom.");
	273	else
	274	getrandom_worked = true;
	275
	276	if (!getrandom_worked) {
	277	/* Retry with classic /dev/urandom */
	278	k = loop_read(urandom_fd, buf, seed_size, false);
	279	if (k < 0)
	280	return log_error_errno(k, "Failed to read new seed from /dev/urandom: %m");
	281	if (k == 0)
	282	return log_error_errno(SYNTHETIC_ERRNO(EIO), "Got EOF while reading from /dev/urandom.");
	283	}
	284
	285	/* If we previously read in a seed file, then hash the new seed into the old one, and replace the
	286	* last 32 bytes of the seed with the hash output, so that the new seed file can't regress in
	287	* entropy. */
	288	if (hash_state) {
	289	uint8_t hash[SHA256_DIGEST_SIZE];
	290
	291	sha256_process_bytes(&k, sizeof(k), hash_state); /* Hash length to distinguish from old seed. */
	292	sha256_process_bytes(buf, k, hash_state);
	293	sha256_finish_ctx(hash_state, hash);
	294	l = MIN((size_t)k, sizeof(hash));
	295	memcpy((uint8_t *)buf + k - l, hash, l);
	296	}
	297
	298	r = loop_write(seed_fd, buf, (size_t) k, false);
	299	if (r < 0)
	300	return log_error_errno(r, "Failed to write new random seed file: %m");
	301
	302	if (ftruncate(seed_fd, k) < 0)
	303	return log_error_errno(r, "Failed to truncate random seed file: %m");
	304
	305	r = fsync_full(seed_fd);
	306	if (r < 0)
	307	return log_error_errno(r, "Failed to synchronize seed file: %m");
	308
	309	/* If we got this random seed data from getrandom() the data is suitable for crediting entropy later
	310	* on. Let's keep that in mind by setting an extended attribute. on the file */
	311	if (getrandom_worked)
	312	if (fsetxattr(seed_fd, "user.random-seed-creditable", "1", 1, 0) < 0)
	313	log_full_errno(ERRNO_IS_NOT_SUPPORTED(errno) ? LOG_DEBUG : LOG_WARNING, errno,
	314	"Failed to mark seed file as creditable, ignoring: %m");
	315	return 0;
	316	}
	317
f913c784 JD	318	static int refresh_boot_seed(void) {
	319	uint8_t buffer[RANDOM_EFI_SEED_SIZE];
	320	struct sha256_ctx hash_state;
	321	_cleanup_free_ void *seed_file_bytes = NULL;
	322	_cleanup_free_ char *esp_path = NULL;
3daeef08	323	_cleanup_close_ int seed_fd = -1, dir_fd = -1;
f913c784	324	size_t len;
3daeef08 JD	325	ssize_t n;
3daeef08 JD	326	int r;
f913c784 JD	327
	328	assert_cc(RANDOM_EFI_SEED_SIZE == SHA256_DIGEST_SIZE);
	329
	330	r = find_esp_and_warn(NULL, NULL, /* unprivileged_mode= */ false, &esp_path,
	331	NULL, NULL, NULL, NULL, NULL);
	332	if (r < 0) {
	333	if (r == -ENOKEY) {
	334	log_debug_errno(r, "Couldn't find any ESP, so not updating ESP random seed.");
	335	return 0;
	336	}
	337	return r; /* find_esp_and_warn() already logged */
	338	}
	339
3daeef08 JD	340	r = chase_symlinks("/loader", esp_path, CHASE_PREFIX_ROOT\|CHASE_PROHIBIT_SYMLINKS, NULL, &dir_fd);
	341	if (r < 0) {
	342	if (r == -ENOENT) {
	343	log_debug_errno(r, "Couldn't find ESP loader directory, so not updating ESP random seed.");
	344	return 0;
	345	}
	346	return log_error_errno(r, "Failed to open ESP loader directory: %m");
	347	}
	348	seed_fd = openat(dir_fd, "random-seed", O_NOFOLLOW\|O_RDWR\|O_CLOEXEC\|O_NOCTTY);
	349	if (seed_fd < 0 && errno == ENOENT) {
f913c784	350	uint64_t features;
f913c784	351	r = efi_loader_get_features(&features);
3daeef08 JD	352	if (r == 0 && FLAGS_SET(features, EFI_LOADER_FEATURE_RANDOM_SEED))
	353	seed_fd = openat(dir_fd, "random-seed", O_CREAT\|O_EXCL\|O_RDWR\|O_CLOEXEC\|O_NOCTTY, 0600);
	354	else {
	355	log_debug_errno(seed_fd, "Couldn't find ESP random seed, and not booted with systemd-boot, so not updating ESP random seed.");
	356	return 0;
f913c784 JD	357	}
f913c784 JD	358	}
3daeef08 JD	359	if (seed_fd < 0)
3daeef08 JD	360	return log_error_errno(errno, "Failed to open EFI seed path: %m");
f913c784 JD	361	r = random_seed_size(seed_fd, &len);
	362	if (r < 0)
	363	return log_error_errno(r, "Failed to determine EFI seed path length: %m");
	364	seed_file_bytes = malloc(len);
	365	if (!seed_file_bytes)
	366	return log_oom();
3daeef08 JD	367	n = loop_read(seed_fd, seed_file_bytes, len, false);
	368	if (n < 0)
	369	return log_error_errno(n, "Failed to read EFI seed file: %m");
f913c784 JD	370
	371	/* Hash the old seed in so that we never regress in entropy. */
	372	sha256_init_ctx(&hash_state);
3daeef08 JD	373	sha256_process_bytes(&n, sizeof(n), &hash_state);
3daeef08 JD	374	sha256_process_bytes(seed_file_bytes, n, &hash_state);
f913c784 JD	375
	376	/* We're doing this opportunistically, so if the seeding dance before didn't manage to initialize the
	377	* RNG, there's no point in doing it here. Secondly, getrandom(GRND_NONBLOCK) has been around longer
	378	* than EFI seeding anyway, so there's no point in having non-getrandom() fallbacks here. So if this
	379	* fails, just return early to cut our losses. */
3daeef08 JD	380	n = getrandom(buffer, sizeof(buffer), GRND_NONBLOCK);
3daeef08 JD	381	if (n < 0) {
f913c784 JD	382	if (errno == EAGAIN) {
	383	log_debug_errno(errno, "Random pool not initialized yet, so skipping EFI seed update");
	384	return 0;
	385	}
	386	if (errno == ENOSYS) {
	387	log_debug_errno(errno, "getrandom() not available, so skipping EFI seed update");
	388	return 0;
	389	}
	390	return log_error_errno(errno, "Failed to generate random bytes for EFI seed: %m");
	391	}
3daeef08	392	assert(n == sizeof(buffer));
f913c784 JD	393
f913c784 JD	394	/* Hash the new seed into the state containing the old one to generate our final seed. */
3daeef08 JD	395	sha256_process_bytes(&n, sizeof(n), &hash_state);
3daeef08 JD	396	sha256_process_bytes(buffer, n, &hash_state);
f913c784 JD	397	sha256_finish_ctx(&hash_state, buffer);
	398
	399	if (lseek(seed_fd, 0, SEEK_SET) < 0)
	400	return log_error_errno(errno, "Failed to seek to beginning of EFI seed file: %m");
	401	r = loop_write(seed_fd, buffer, sizeof(buffer), false);
	402	if (r < 0)
	403	return log_error_errno(r, "Failed to write new EFI seed file: %m");
	404	if (ftruncate(seed_fd, sizeof(buffer)) < 0)
	405	return log_error_errno(errno, "Failed to truncate EFI seed file: %m");
	406	r = fsync_full(seed_fd);
	407	if (r < 0)
3daeef08	408	return log_error_errno(r, "Failed to fsync EFI seed file: %m");
f913c784 JD	409
	410	log_debug("Updated random seed in ESP");
	411	return 0;
	412	}
	413
0d0c6639 FB	414	static int help(int argc, char argv[], void userdata) {
	415	_cleanup_free_ char *link = NULL;
	416	int r;
	417
	418	r = terminal_urlify_man("systemd-random-seed", "8", &link);
	419	if (r < 0)
	420	return log_oom();
	421
	422	printf("%1$s [OPTIONS...] COMMAND\n"
	423	"\n%5$sLoad and save the system random seed at boot and shutdown.%6$s\n"
	424	"\n%3$sCommands:%4$s\n"
	425	" load Load a random seed saved on disk into the kernel entropy pool\n"
	426	" save Save a new random seed on disk\n"
	427	"\n%3$sOptions:%4$s\n"
	428	" -h --help Show this help\n"
	429	" --version Show package version\n"
	430	"\nSee the %2$s for details.\n",
	431	program_invocation_short_name,
	432	link,
	433	ansi_underline(),
	434	ansi_normal(),
	435	ansi_highlight(),
	436	ansi_normal());
	437
	438	return 0;
	439	}
	440
	441	static const char* const seed_action_table[_ACTION_MAX] = {
	442	[ACTION_LOAD] = "load",
	443	[ACTION_SAVE] = "save",
	444	};
	445
	446	DEFINE_PRIVATE_STRING_TABLE_LOOKUP_FROM_STRING(seed_action, SeedAction);
	447
	448	static int parse_argv(int argc, char *argv[]) {
	449	enum {
	450	ARG_VERSION = 0x100,
	451	};
	452
	453	static const struct option options[] = {
	454	{ "help", no_argument, NULL, 'h' },
	455	{ "version", no_argument, NULL, ARG_VERSION },
	456	};
	457
	458	int c;
	459
	460	assert(argc >= 0);
	461	assert(argv);
	462
	463	while ((c = getopt_long(argc, argv, "h", options, NULL)) >= 0)
	464	switch (c) {
	465	case 'h':
	466	return help(0, NULL, NULL);
	467	case ARG_VERSION:
	468	return version();
	469	case '?':
	470	return -EINVAL;
	471
	472	default:
	473	assert_not_reached();
	474	}
	475
	476	if (optind + 1 != argc)
	477	return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "This program requires one argument.");
478
479	arg_action = seed_action_from_string(argv[optind]);
480	if (arg_action < 0)
481	return log_error_errno(arg_action, "Unknown action '%s'", argv[optind]);
482
483	return 1;
484	}
485
72d0d7a6	486	static int run(int argc, char *argv[]) {
d3fa881a	487	_cleanup_free_ struct sha256_ctx *hash_state = NULL;
ce179470	488	_cleanup_close_ int seed_fd = -1, random_fd = -1;
d3fa881a FB	489	bool read_seed_file, write_seed_file, synchronous;
d3fa881a FB	490	size_t seed_size;
ac93390b	491	int r;
6e200d55	492
d2acb93d	493	log_setup();
6e200d55	494
0d0c6639 FB	495	r = parse_argv(argc, argv);
	496	if (r <= 0)
	497	return r;
72d0d7a6	498
4c12626c LP	499	umask(0022);
4c12626c LP	500
5468d9af	501	r = mkdir_parents(RANDOM_SEED, 0755);
72d0d7a6 ZJS	502	if (r < 0)
72d0d7a6 ZJS	503	return log_error_errno(r, "Failed to create directory " RANDOM_SEED_DIR ": %m");
b56e5747	504
f913c784 JD	505	random_fd = open("/dev/urandom", O_RDWR\|O_CLOEXEC\|O_NOCTTY);
	506	if (random_fd < 0)
	507	return log_error_errno(errno, "Failed to open /dev/urandom: %m");
	508
0d0c6639 FB	509	/* When we load the seed we read it and write it to the device and then immediately update the saved
0d0c6639 FB	510	* seed with new data, to make sure the next boot gets seeded differently. */
6e200d55	511
0d0c6639 FB	512	switch (arg_action) {
0d0c6639 FB	513	case ACTION_LOAD:
a2f0dbb8 FB	514	/* First, let's write the machine ID into /dev/urandom, not crediting entropy. See
	515	* load_machine_id() for an explanation why. */
	516	load_machine_id(random_fd);
	517
ce179470 LP	518	seed_fd = open(RANDOM_SEED, O_RDWR\|O_CLOEXEC\|O_NOCTTY\|O_CREAT, 0600);
ce179470 LP	519	if (seed_fd < 0) {
15d961bf LP	520	int open_rw_error = -errno;
15d961bf LP	521
ac93390b	522	write_seed_file = false;
8edc2d22	523
ce179470 LP	524	seed_fd = open(RANDOM_SEED, O_RDONLY\|O_CLOEXEC\|O_NOCTTY);
ce179470 LP	525	if (seed_fd < 0) {
8edc2d22	526	bool missing = errno == ENOENT;
3f6fbfe6	527	int level = missing ? LOG_DEBUG : LOG_ERR;
8edc2d22	528
3f6fbfe6 FB	529	log_full_errno(level, open_rw_error, "Failed to open " RANDOM_SEED " for writing: %m");
3f6fbfe6 FB	530	log_full_errno(level, errno, "Failed to open " RANDOM_SEED " for reading: %m");
f913c784	531	r = -errno;
3f6fbfe6	532
f913c784 JD	533	(void) refresh_boot_seed();
f913c784 JD	534	return missing ? 0 : r;
6e200d55	535	}
ac93390b LP	536	} else
ac93390b LP	537	write_seed_file = true;
6e200d55	538
ac93390b	539	read_seed_file = true;
26ded557	540	synchronous = true; /* make this invocation a synchronous barrier for random pool initialization */
0d0c6639	541	break;
6e200d55	542
0d0c6639	543	case ACTION_SAVE:
f913c784	544	(void) refresh_boot_seed();
ce179470	545	seed_fd = open(RANDOM_SEED, O_WRONLY\|O_CLOEXEC\|O_NOCTTY\|O_CREAT, 0600);
72d0d7a6 ZJS	546	if (seed_fd < 0)
72d0d7a6 ZJS	547	return log_error_errno(errno, "Failed to open " RANDOM_SEED ": %m");
6e200d55	548
ac93390b LP	549	read_seed_file = false;
ac93390b LP	550	write_seed_file = true;
26ded557	551	synchronous = false;
0d0c6639 FB	552	break;
	553
	554	default:
	555	assert_not_reached();
	556	}
6e200d55	557
d3fa881a	558	r = random_seed_size(seed_fd, &seed_size);
205138d8 FB	559	if (r < 0)
205138d8 FB	560	return r;
ac93390b	561
f913c784	562	if (read_seed_file) {
d3fa881a FB	563	r = load_seed_file(seed_fd, random_fd, seed_size,
d3fa881a FB	564	write_seed_file ? &hash_state : NULL);
f913c784 JD	565	(void) refresh_boot_seed();
f913c784 JD	566	}
26ded557	567
d3fa881a FB	568	if (r >= 0 && write_seed_file)
d3fa881a FB	569	r = save_seed_file(seed_fd, random_fd, seed_size, synchronous, hash_state);
26ded557	570
d3fa881a	571	return r;
6e200d55	572	}
72d0d7a6 ZJS	573
72d0d7a6 ZJS	574	DEFINE_MAIN_FUNCTION(run);