From 483803413129ae3999d334b8972bb3daa71f0c9e Mon Sep 17 00:00:00 2001
From: Arne Fitzenreiter <arne_f@ipfire.org>
Date: Thu, 28 Jun 2018 20:36:32 +0200
Subject: [PATCH] random: update initskript for machines with low entropy

the script wait until crng is correct initialized before restore the
random seed and make some disc io to work around low entropy at boot
on some machines. Not really a fix but it should be better than reverting
CVE-2018-1108 fixes from kernel.

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
---
 config/rootfiles/common/aarch64/initscripts  |  2 +-
 config/rootfiles/common/armv5tel/initscripts |  2 +-
 config/rootfiles/common/i586/initscripts     |  2 +-
 config/rootfiles/common/x86_64/initscripts   |  2 +-
 config/rootfiles/core/122/filelists/files    |  1 +
 config/rootfiles/core/122/update.sh          |  2 ++
 lfs/initscripts                              |  5 ++-
 src/initscripts/system/random                | 35 +++++++++++++++-----
 8 files changed, 35 insertions(+), 16 deletions(-)

diff --git a/config/rootfiles/common/aarch64/initscripts b/config/rootfiles/common/aarch64/initscripts
index 9e9e1a71a5..97ba5ad65f 100644
--- a/config/rootfiles/common/aarch64/initscripts
+++ b/config/rootfiles/common/aarch64/initscripts
@@ -117,6 +117,7 @@ etc/rc.d/rc0.d/S80mountfs
 etc/rc.d/rc0.d/S90swap
 etc/rc.d/rc0.d/S99halt
 #etc/rc.d/rc3.d
+etc/rc.d/rc3.d/S00random
 etc/rc.d/rc3.d/S01vnstat
 etc/rc.d/rc3.d/S10sysklogd
 etc/rc.d/rc3.d/S11unbound
@@ -130,7 +131,6 @@ etc/rc.d/rc3.d/S19wlanclient
 etc/rc.d/rc3.d/S20network
 etc/rc.d/rc3.d/S21leds
 etc/rc.d/rc3.d/S24cyrus-sasl
-etc/rc.d/rc3.d/S25random
 etc/rc.d/rc3.d/S30sshd
 etc/rc.d/rc3.d/S32apache
 etc/rc.d/rc3.d/S40fcron
diff --git a/config/rootfiles/common/armv5tel/initscripts b/config/rootfiles/common/armv5tel/initscripts
index 9e9e1a71a5..97ba5ad65f 100644
--- a/config/rootfiles/common/armv5tel/initscripts
+++ b/config/rootfiles/common/armv5tel/initscripts
@@ -117,6 +117,7 @@ etc/rc.d/rc0.d/S80mountfs
 etc/rc.d/rc0.d/S90swap
 etc/rc.d/rc0.d/S99halt
 #etc/rc.d/rc3.d
+etc/rc.d/rc3.d/S00random
 etc/rc.d/rc3.d/S01vnstat
 etc/rc.d/rc3.d/S10sysklogd
 etc/rc.d/rc3.d/S11unbound
@@ -130,7 +131,6 @@ etc/rc.d/rc3.d/S19wlanclient
 etc/rc.d/rc3.d/S20network
 etc/rc.d/rc3.d/S21leds
 etc/rc.d/rc3.d/S24cyrus-sasl
-etc/rc.d/rc3.d/S25random
 etc/rc.d/rc3.d/S30sshd
 etc/rc.d/rc3.d/S32apache
 etc/rc.d/rc3.d/S40fcron
diff --git a/config/rootfiles/common/i586/initscripts b/config/rootfiles/common/i586/initscripts
index cc0e4580d8..ab8d4f1080 100644
--- a/config/rootfiles/common/i586/initscripts
+++ b/config/rootfiles/common/i586/initscripts
@@ -116,6 +116,7 @@ etc/rc.d/rc0.d/S80mountfs
 etc/rc.d/rc0.d/S90swap
 etc/rc.d/rc0.d/S99halt
 #etc/rc.d/rc3.d
+etc/rc.d/rc3.d/S00random
 etc/rc.d/rc3.d/S01vnstat
 etc/rc.d/rc3.d/S10sysklogd
 etc/rc.d/rc3.d/S12acpid
@@ -129,7 +130,6 @@ etc/rc.d/rc3.d/S20network
 etc/rc.d/rc3.d/S11unbound
 etc/rc.d/rc3.d/S21leds
 etc/rc.d/rc3.d/S24cyrus-sasl
-etc/rc.d/rc3.d/S25random
 etc/rc.d/rc3.d/S30sshd
 etc/rc.d/rc3.d/S32apache
 etc/rc.d/rc3.d/S40fcron
diff --git a/config/rootfiles/common/x86_64/initscripts b/config/rootfiles/common/x86_64/initscripts
index cc0e4580d8..ab8d4f1080 100644
--- a/config/rootfiles/common/x86_64/initscripts
+++ b/config/rootfiles/common/x86_64/initscripts
@@ -116,6 +116,7 @@ etc/rc.d/rc0.d/S80mountfs
 etc/rc.d/rc0.d/S90swap
 etc/rc.d/rc0.d/S99halt
 #etc/rc.d/rc3.d
+etc/rc.d/rc3.d/S00random
 etc/rc.d/rc3.d/S01vnstat
 etc/rc.d/rc3.d/S10sysklogd
 etc/rc.d/rc3.d/S12acpid
@@ -129,7 +130,6 @@ etc/rc.d/rc3.d/S20network
 etc/rc.d/rc3.d/S11unbound
 etc/rc.d/rc3.d/S21leds
 etc/rc.d/rc3.d/S24cyrus-sasl
-etc/rc.d/rc3.d/S25random
 etc/rc.d/rc3.d/S30sshd
 etc/rc.d/rc3.d/S32apache
 etc/rc.d/rc3.d/S40fcron
diff --git a/config/rootfiles/core/122/filelists/files b/config/rootfiles/core/122/filelists/files
index f7c692d8b2..d87145961e 100644
--- a/config/rootfiles/core/122/filelists/files
+++ b/config/rootfiles/core/122/filelists/files
@@ -5,6 +5,7 @@ etc/rc.d/init.d/collectd
 etc/rc.d/init.d/firstsetup
 etc/rc.d/init.d/leds
 etc/rc.d/init.d/partresize
+etc/rc.d/init.d/random
 etc/rc.d/rc0.d/K87acpid
 etc/rc.d/rc3.d/S12acpid
 etc/rc.d/rc6.d/K87acpid
diff --git a/config/rootfiles/core/122/update.sh b/config/rootfiles/core/122/update.sh
index 3e8cab693c..bb38696c40 100644
--- a/config/rootfiles/core/122/update.sh
+++ b/config/rootfiles/core/122/update.sh
@@ -117,6 +117,8 @@ if [ -e /boot/pakfire-kernel-update ]; then
 	/boot/pakfire-kernel-update ${KVER}
 fi
 
+mv /etc/rc.d/rc3.d/S??random /etc/rc.d/rc3.d/S00random
+
 case "$(uname -m)" in
 	i?86)
 		# Force (re)install pae kernel if pae is supported
diff --git a/lfs/initscripts b/lfs/initscripts
index 0d7f40cadb..848540680a 100644
--- a/lfs/initscripts
+++ b/lfs/initscripts
@@ -1,7 +1,7 @@
 ###############################################################################
 #                                                                             #
 # IPFire.org - A linux based firewall                                         #
-# Copyright (C) 2007-2016  IPFire Team  <info@ipfire.org>                     #
+# Copyright (C) 2007-2018  IPFire Team  <info@ipfire.org>                     #
 #                                                                             #
 # This program is free software: you can redistribute it and/or modify        #
 # it under the terms of the GNU General Public License as published by        #
@@ -16,7 +16,6 @@
 # You should have received a copy of the GNU General Public License           #
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.       #
 #                                                                             #
-###############################################################################
 
 ###############################################################################
 # Definitions
@@ -131,7 +130,7 @@ $(TARGET) :
 	ln -sf ../init.d/unbound     /etc/rc.d/rc3.d/S11unbound
 	ln -sf ../init.d/unbound     /etc/rc.d/rc6.d/K79unbound
 	ln -sf ../init.d/random      /etc/rc.d/rc0.d/K45random
-	ln -sf ../init.d/random      /etc/rc.d/rc3.d/S25random
+	ln -sf ../init.d/random      /etc/rc.d/rc3.d/S00random
 	ln -sf ../init.d/random      /etc/rc.d/rc6.d/K45random
 	ln -sf ../../sysconfig/rc.local /etc/rc.d/rc3.d/S98rc.local
 	ln -sf ../init.d/client175   /etc/rc.d/rc0.d/K34client175
diff --git a/src/initscripts/system/random b/src/initscripts/system/random
index 57aef99d42..1f825cd183 100644
--- a/src/initscripts/system/random
+++ b/src/initscripts/system/random
@@ -1,28 +1,45 @@
 #!/bin/sh
-# Begin $rc_base/init.d/random
-
-# Based on sysklogd script from LFS-3.1 and earlier.
-# Rewritten by Gerard Beekmans  - gerard@linuxfromscratch.org
-# Random script elements by Larry Lawrence
-
 . /etc/sysconfig/rc
 . $rc_functions
 
+if [ -e /proc/sys/kernel/random/poolsize ]; then
+	poolsize=$(</proc/sys/kernel/random/poolsize);
+	poolsize=$(expr $poolsize / 8 );
+else
+	poolsize=512;
+fi
+
 case "$1" in
 	start)
-		boot_mesg "Initializing kernel random number generator..."
+
+		#CRNG init need 128bit so wait until there is more)
+		avail=$(</proc/sys/kernel/random/entropy_avail)
+		while [ $avail -lt 130 ]; do
+			avail=$(</proc/sys/kernel/random/entropy_avail)
+			boot_mesg -n "\rWait for entropy: $avail/130   "
+			# Generate some disc access to gather entropy
+			echo  avail > /var/tmp/random-tmpfile
+			sync
+			rm -f /var/tmp/random-tmpfile
+		done;
+
+		boot_mesg "\rInitializing kernel random number generator..."
 		if [ -f /var/tmp/random-seed ]; then
 			/bin/cat /var/tmp/random-seed >/dev/urandom
 		fi
+		touch /var/tmp/random-seed
+		chmod 600 /var/tmp/random-seed
 		/bin/dd if=/dev/urandom of=/var/tmp/random-seed \
-			count=4 &>/dev/null
+			count=1 bs=$poolsize &>/dev/null
 		evaluate_retval
 		;;
 
 	stop)
 		boot_mesg "Saving random seed..."
+		touch /var/tmp/random-seed
+		chmod 600 /var/tmp/random-seed
 		/bin/dd if=/dev/urandom of=/var/tmp/random-seed \
-			count=4 &>/dev/null
+			count=1 bs=$poolsize &>/dev/null
 		evaluate_retval
 		;;
 
-- 
2.39.2