urandom-seed: use seedrng for seeding the random number generator

The RNG can't actually be seeded from a shell script, due to the reliance on ioctls. For this reason, the seedrng project provides a basic script meant to be copy and pasted into projects like OpenWRT and tweaked as needed: <https://git.zx2c4.com/seedrng/about/>. This commit imports it into the urandom-seed package and wires up the init scripts to call it. This also is a significant improvement over the current init script, which does not robustly handle cleaning up of seeds and syncing to prevent reuse. Additionally, the existing script creates a new seed immediately after writing an old one, which means that the amount of entropy might actually regress, due to failing to credit the old seed. Closes: openwrt#9570 Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com> Signed-off-by: Petr Štetiar <ynezz@true.cz> [fixed missing INSTALL_DIR]
musashino-build · Mar 28, 2022 · 2edc017 · 2edc017
1 parent 9d8f620
commit 2edc017
Show file tree

Hide file tree

Showing 5 changed files with 442 additions and 35 deletions.
diff --git a/package/system/urandom-seed/Makefile b/package/system/urandom-seed/Makefile
@@ -9,7 +9,6 @@ include $(INCLUDE_DIR)/package.mk
 define Package/urandom-seed
   SECTION:=base
   CATEGORY:=Base system
-  DEPENDS:=+getrandom
   TITLE:=/etc/urandom.seed handling for OpenWrt
   URL:=https://openwrt.org/
 endef
@@ -19,11 +18,15 @@ define Build/Prepare
 endef
 
 define Build/Compile/Default
+	$(TARGET_CC) $(TARGET_CFLAGS) $(TARGET_CPPFLAGS) $(TARGET_LDFLAGS) \
+		-std=gnu99 -o $(PKG_BUILD_DIR)/seedrng seedrng.c
 endef
 Build/Compile = $(Build/Compile/Default)
 
 define Package/urandom-seed/install
 	$(CP) ./files/* $(1)/
+	$(INSTALL_DIR) $(1)/sbin
+	$(CP) $(PKG_BUILD_DIR)/seedrng $(1)/sbin/
 endef
 
 $(eval $(call BuildPackage,urandom-seed))
diff --git a/package/system/urandom-seed/files/etc/init.d/urandom_seed b/package/system/urandom-seed/files/etc/init.d/urandom_seed
@@ -5,7 +5,7 @@ USE_PROCD=1
 
 start_service() {
     procd_open_instance "urandom_seed"
-    procd_set_param command "/sbin/urandom_seed"
+    procd_set_param command "/sbin/seedrng"
     procd_set_param stdout 1
     procd_set_param stderr 1
     procd_close_instance

diff --git a/package/system/urandom-seed/files/lib/preinit/81_urandom_seed b/package/system/urandom-seed/files/lib/preinit/81_urandom_seed
@@ -2,21 +2,11 @@ log_urandom_seed() {
     echo "urandom-seed: $1" > /dev/kmsg
 }
 
-_do_urandom_seed() {
-    [ -f "$1" ] || { log_urandom_seed "Seed file not found ($1)"; return; }
-    [ -O "$1" -a -G "$1" -a ! -x "$1" ] || { log_urandom_seed "Wrong owner / permissions for $1"; return; }
-
-    log_urandom_seed "Seeding with $1"
-    cat "$1" > /dev/urandom
-}
-
 do_urandom_seed() {
     [ -c /dev/urandom ] || { log_urandom_seed "Something is wrong with /dev/urandom"; return; }
-
-    _do_urandom_seed "/etc/urandom.seed"
-
-    SEED="$(uci -q get system.@system[0].urandom_seed)"
-    [ "${SEED:0:1}" = "/" -a "$SEED" != "/etc/urandom.seed" ] && _do_urandom_seed "$SEED"
+    seedrng 2>&1 | while read -r line; do
+        log_urandom_seed "$line"
+    done
 }
 
 boot_hook_add preinit_main do_urandom_seed
diff --git a/package/system/urandom-seed/files/sbin/urandom_seed b/package/system/urandom-seed/files/sbin/urandom_seed