urandom-seed: go back to seeding with shell script temporarily

This reverts commit 2edc017. We shouldn't be using a shell script here, but the SeedRNG integration into OpenWRT requires a bit more thought. Etienne raised some important points immediately after this was merged and planned to send some follow up commits, but became busy with other things. The points he raised are important enough that we should actually back this out until it's ready to go, and then merge it as a cohesive unit. So let's revert this for now, and come back to it later on. Cc: Etienne Champetier <champetier.etienne@gmail.com> Cc: Petr Štetiar <ynezz@true.cz> Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
musashino-build · Apr 14, 2022 · a001630 · a001630
1 parent 9a22943
commit a001630
Show file tree

Hide file tree

Showing 5 changed files with 35 additions and 442 deletions.
diff --git a/package/system/urandom-seed/Makefile b/package/system/urandom-seed/Makefile
@@ -9,6 +9,7 @@ include $(INCLUDE_DIR)/package.mk
 define Package/urandom-seed
   SECTION:=base
   CATEGORY:=Base system
+  DEPENDS:=+getrandom
   TITLE:=/etc/urandom.seed handling for OpenWrt
   URL:=https://openwrt.org/
 endef
@@ -18,15 +19,11 @@ define Build/Prepare
 endef
 
 define Build/Compile/Default
-	$(TARGET_CC) $(TARGET_CFLAGS) $(TARGET_CPPFLAGS) $(TARGET_LDFLAGS) \
-		-std=gnu99 -o $(PKG_BUILD_DIR)/seedrng seedrng.c
 endef
 Build/Compile = $(Build/Compile/Default)
 
 define Package/urandom-seed/install
 	$(CP) ./files/* $(1)/
-	$(INSTALL_DIR) $(1)/sbin
-	$(CP) $(PKG_BUILD_DIR)/seedrng $(1)/sbin/
 endef
 
 $(eval $(call BuildPackage,urandom-seed))
diff --git a/package/system/urandom-seed/files/etc/init.d/urandom_seed b/package/system/urandom-seed/files/etc/init.d/urandom_seed
@@ -5,7 +5,7 @@ USE_PROCD=1
 
 start_service() {
     procd_open_instance "urandom_seed"
-    procd_set_param command "/sbin/seedrng"
+    procd_set_param command "/sbin/urandom_seed"
     procd_set_param stdout 1
     procd_set_param stderr 1
     procd_close_instance

diff --git a/package/system/urandom-seed/files/lib/preinit/81_urandom_seed b/package/system/urandom-seed/files/lib/preinit/81_urandom_seed
@@ -2,11 +2,21 @@ log_urandom_seed() {
     echo "urandom-seed: $1" > /dev/kmsg
 }
 
+_do_urandom_seed() {
+    [ -f "$1" ] || { log_urandom_seed "Seed file not found ($1)"; return; }
+    [ -O "$1" -a -G "$1" -a ! -x "$1" ] || { log_urandom_seed "Wrong owner / permissions for $1"; return; }
+
+    log_urandom_seed "Seeding with $1"
+    cat "$1" > /dev/urandom
+}
+
 do_urandom_seed() {
     [ -c /dev/urandom ] || { log_urandom_seed "Something is wrong with /dev/urandom"; return; }
-    seedrng 2>&1 | while read -r line; do
-        log_urandom_seed "$line"
-    done
+
+    _do_urandom_seed "/etc/urandom.seed"
+
+    SEED="$(uci -q get system.@system[0].urandom_seed)"
+    [ "${SEED:0:1}" = "/" -a "$SEED" != "/etc/urandom.seed" ] && _do_urandom_seed "$SEED"
 }
 
 boot_hook_add preinit_main do_urandom_seed
diff --git a/package/system/urandom-seed/files/sbin/urandom_seed b/package/system/urandom-seed/files/sbin/urandom_seed
@@ -0,0 +1,20 @@
+#!/bin/sh
+set -e
+
+trap '[ "$?" -eq 0 ] || echo "An error occured" >&2' EXIT
+
+save() {
+    touch "$1.tmp"
+    chown root:root "$1.tmp"
+    chmod 600 "$1.tmp"
+    getrandom 512 > "$1.tmp"
+    mv "$1.tmp" "$1"
+    echo "Seed saved ($1)"
+}
+
+SEED="$(uci -q get system.@system[0].urandom_seed || true)"
+[ "${SEED:0:1}" = "/" ] && save "$SEED"
+
+SEED=/etc/urandom.seed
+[ ! -f $SEED ] && save "$SEED"
+true