random: update initskript for machines with low entropy
authorArne Fitzenreiter <arne_f@ipfire.org>
Thu, 28 Jun 2018 18:36:32 +0000 (20:36 +0200)
committerArne Fitzenreiter <arne_f@ipfire.org>
Thu, 28 Jun 2018 18:48:58 +0000 (20:48 +0200)
The script waits until the CRNG is correctly initialized before restoring the
random seed, and generates some disk I/O to work around low entropy at boot
on some machines. Not really a fix, but it should be better than reverting the
CVE-2018-1108 fixes from the kernel.

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
config/rootfiles/common/aarch64/initscripts
config/rootfiles/common/armv5tel/initscripts
config/rootfiles/common/i586/initscripts
config/rootfiles/common/x86_64/initscripts
config/rootfiles/core/122/filelists/files
config/rootfiles/core/122/update.sh
lfs/initscripts
src/initscripts/system/random

index 9e9e1a71a50d893dae15ccbf7e324b12552993b0..97ba5ad65fb0a950e15203bd0c2bbd69a5c1839a 100644 (file)
@@ -117,6 +117,7 @@ etc/rc.d/rc0.d/S80mountfs
 etc/rc.d/rc0.d/S90swap
 etc/rc.d/rc0.d/S99halt
 #etc/rc.d/rc3.d
+etc/rc.d/rc3.d/S00random
 etc/rc.d/rc3.d/S01vnstat
 etc/rc.d/rc3.d/S10sysklogd
 etc/rc.d/rc3.d/S11unbound
@@ -130,7 +131,6 @@ etc/rc.d/rc3.d/S19wlanclient
 etc/rc.d/rc3.d/S20network
 etc/rc.d/rc3.d/S21leds
 etc/rc.d/rc3.d/S24cyrus-sasl
-etc/rc.d/rc3.d/S25random
 etc/rc.d/rc3.d/S30sshd
 etc/rc.d/rc3.d/S32apache
 etc/rc.d/rc3.d/S40fcron
index 9e9e1a71a50d893dae15ccbf7e324b12552993b0..97ba5ad65fb0a950e15203bd0c2bbd69a5c1839a 100644 (file)
@@ -117,6 +117,7 @@ etc/rc.d/rc0.d/S80mountfs
 etc/rc.d/rc0.d/S90swap
 etc/rc.d/rc0.d/S99halt
 #etc/rc.d/rc3.d
+etc/rc.d/rc3.d/S00random
 etc/rc.d/rc3.d/S01vnstat
 etc/rc.d/rc3.d/S10sysklogd
 etc/rc.d/rc3.d/S11unbound
@@ -130,7 +131,6 @@ etc/rc.d/rc3.d/S19wlanclient
 etc/rc.d/rc3.d/S20network
 etc/rc.d/rc3.d/S21leds
 etc/rc.d/rc3.d/S24cyrus-sasl
-etc/rc.d/rc3.d/S25random
 etc/rc.d/rc3.d/S30sshd
 etc/rc.d/rc3.d/S32apache
 etc/rc.d/rc3.d/S40fcron
index cc0e4580d8d1c65c75a3e584be48e5509a18230e..ab8d4f1080f2528845e9a282ebf16d692a78fb3e 100644 (file)
@@ -116,6 +116,7 @@ etc/rc.d/rc0.d/S80mountfs
 etc/rc.d/rc0.d/S90swap
 etc/rc.d/rc0.d/S99halt
 #etc/rc.d/rc3.d
+etc/rc.d/rc3.d/S00random
 etc/rc.d/rc3.d/S01vnstat
 etc/rc.d/rc3.d/S10sysklogd
 etc/rc.d/rc3.d/S12acpid
@@ -129,7 +130,6 @@ etc/rc.d/rc3.d/S20network
 etc/rc.d/rc3.d/S11unbound
 etc/rc.d/rc3.d/S21leds
 etc/rc.d/rc3.d/S24cyrus-sasl
-etc/rc.d/rc3.d/S25random
 etc/rc.d/rc3.d/S30sshd
 etc/rc.d/rc3.d/S32apache
 etc/rc.d/rc3.d/S40fcron
index cc0e4580d8d1c65c75a3e584be48e5509a18230e..ab8d4f1080f2528845e9a282ebf16d692a78fb3e 100644 (file)
@@ -116,6 +116,7 @@ etc/rc.d/rc0.d/S80mountfs
 etc/rc.d/rc0.d/S90swap
 etc/rc.d/rc0.d/S99halt
 #etc/rc.d/rc3.d
+etc/rc.d/rc3.d/S00random
 etc/rc.d/rc3.d/S01vnstat
 etc/rc.d/rc3.d/S10sysklogd
 etc/rc.d/rc3.d/S12acpid
@@ -129,7 +130,6 @@ etc/rc.d/rc3.d/S20network
 etc/rc.d/rc3.d/S11unbound
 etc/rc.d/rc3.d/S21leds
 etc/rc.d/rc3.d/S24cyrus-sasl
-etc/rc.d/rc3.d/S25random
 etc/rc.d/rc3.d/S30sshd
 etc/rc.d/rc3.d/S32apache
 etc/rc.d/rc3.d/S40fcron
index f7c692d8b26ff34b38b708769891f6d7e9c7b738..d87145961edc0b59a4050d9a245c4afc922d3947 100644 (file)
@@ -5,6 +5,7 @@ etc/rc.d/init.d/collectd
 etc/rc.d/init.d/firstsetup
 etc/rc.d/init.d/leds
 etc/rc.d/init.d/partresize
+etc/rc.d/init.d/random
 etc/rc.d/rc0.d/K87acpid
 etc/rc.d/rc3.d/S12acpid
 etc/rc.d/rc6.d/K87acpid
index 3e8cab693c4b2207d634e7ecffc00bf57f09a78c..bb38696c40069ed3410f6555d6577f1bedca6a68 100644 (file)
@@ -117,6 +117,8 @@ if [ -e /boot/pakfire-kernel-update ]; then
        /boot/pakfire-kernel-update ${KVER}
 fi
 
+mv /etc/rc.d/rc3.d/S??random /etc/rc.d/rc3.d/S00random
+
 case "$(uname -m)" in
        i?86)
                # Force (re)install pae kernel if pae is supported
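Review bot: The added `mv /etc/rc.d/rc3.d/S??random /etc/rc.d/rc3.d/S00random` is not idempotent and fails noisily on the edge cases an updater meets: if no `S??random` link exists the unexpanded pattern is passed to mv and it errors, on a second run the glob matches `S00random` itself and mv refuses to move a file onto itself, and if more than one link matches mv fails because the target is not a directory. Whether such an error aborts the script depends on how update.sh is invoked, which is not visible in the hunk. A shape that converges to the same end state on every run, and matches the link created by lfs/initscripts, is `rm -f /etc/rc.d/rc3.d/S??random` followed by `ln -sf ../init.d/random /etc/rc.d/rc3.d/S00random`. The `case "$(uname -m)"` statement that follows continues outside the hunk.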
index 0d7f40cadb8951c47ee6b18615ed4d7ac145d79f..848540680aa43c27bad907ad62c437e9f007e0d6 100644 (file)
@@ -1,7 +1,7 @@
 ###############################################################################
 #                                                                             #
 # IPFire.org - A linux based firewall                                         #
-# Copyright (C) 2007-2016  IPFire Team  <info@ipfire.org>                     #
+# Copyright (C) 2007-2018  IPFire Team  <info@ipfire.org>                     #
 #                                                                             #
 # This program is free software: you can redistribute it and/or modify        #
 # it under the terms of the GNU General Public License as published by        #
@@ -16,7 +16,6 @@
 # You should have received a copy of the GNU General Public License           #
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.       #
 #                                                                             #
-###############################################################################
 
 ###############################################################################
 # Definitions
@@ -131,7 +130,7 @@ $(TARGET) :
        ln -sf ../init.d/unbound     /etc/rc.d/rc3.d/S11unbound
        ln -sf ../init.d/unbound     /etc/rc.d/rc6.d/K79unbound
        ln -sf ../init.d/random      /etc/rc.d/rc0.d/K45random
-       ln -sf ../init.d/random      /etc/rc.d/rc3.d/S25random
+       ln -sf ../init.d/random      /etc/rc.d/rc3.d/S00random
        ln -sf ../init.d/random      /etc/rc.d/rc6.d/K45random
        ln -sf ../../sysconfig/rc.local /etc/rc.d/rc3.d/S98rc.local
        ln -sf ../init.d/client175   /etc/rc.d/rc0.d/K34client175
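Review bot: Moving the start link to `S00random` places the seed restore ahead of every other rc3 service, and the init script it points to writes under /var/tmp, so this ordering silently assumes /var is already writable when rc3 begins; nothing in the hunk states that, so a one-line comment above the link would help the next person who reorders rc3.d: `# S00: must run before any service that consumes randomness; relies on /var being writable from sysinit`. Separately, the second hunk drops the closing `####…` line of the license box while leaving its opening line, which looks accidental rather than intended; restoring that one line keeps the header consistent with the "Definitions" banner below it. The surrounding `$(TARGET)` recipe starts and ends outside the hunk.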
index 57aef99d42bb2fb689015011ce86f675698481fa..1f825cd183e4ad9191e720791f17e4b0da8d1bb1 100644 (file)
@@ -1,28 +1,45 @@
 #!/bin/sh
-# Begin $rc_base/init.d/random
-
-# Based on sysklogd script from LFS-3.1 and earlier.
-# Rewritten by Gerard Beekmans  - gerard@linuxfromscratch.org
-# Random script elements by Larry Lawrence
-
 . /etc/sysconfig/rc
 . $rc_functions
 
+if [ -e /proc/sys/kernel/random/poolsize ]; then
+       poolsize=$(</proc/sys/kernel/random/poolsize);
+       poolsize=$(expr $poolsize / 8 );
+else
+       poolsize=512;
+fi
+
 case "$1" in
        start)
-               boot_mesg "Initializing kernel random number generator..."
+
+               #CRNG init need 128bit so wait until there is more)
+               avail=$(</proc/sys/kernel/random/entropy_avail)
+               while [ $avail -lt 130 ]; do
+                       avail=$(</proc/sys/kernel/random/entropy_avail)
+                       boot_mesg -n "\rWait for entropy: $avail/130   "
+                       # Generate some disc access to gather entropy
+                       echo  avail > /var/tmp/random-tmpfile
+                       sync
+                       rm -f /var/tmp/random-tmpfile
+               done;
+
+               boot_mesg "\rInitializing kernel random number generator..."
                if [ -f /var/tmp/random-seed ]; then
                        /bin/cat /var/tmp/random-seed >/dev/urandom
                fi
+               touch /var/tmp/random-seed
+               chmod 600 /var/tmp/random-seed
                /bin/dd if=/dev/urandom of=/var/tmp/random-seed \
-                       count=4 &>/dev/null
+                       count=1 bs=$poolsize &>/dev/null
                evaluate_retval
                ;;
 
        stop)
                boot_mesg "Saving random seed..."
+               touch /var/tmp/random-seed
+               chmod 600 /var/tmp/random-seed
                /bin/dd if=/dev/urandom of=/var/tmp/random-seed \
-                       count=4 &>/dev/null
+                       count=1 bs=$poolsize &>/dev/null
                evaluate_retval
                ;;