
Bug 517942

Summary: sys-apps/rng-tools does not allow large fill-watermark for big entropy pools
Product: Gentoo Linux
Reporter: cilly <cilly>
Component: [OLD] Core system
Assignee: Göktürk Yüksek <gokturk>
Status: RESOLVED WONTFIX
Severity: normal
CC: base-system, hardened
Priority: Normal
Keywords: PATCH
Version: unspecified
Hardware: All
OS: Linux
See Also: http://bugs.debian.org/274479
Whiteboard:
Package list:
Runtime testing required: ---
Attachments: larger poolsize patch

Description cilly 2014-07-24 08:37:52 UTC
Created attachment 381484
larger poolsize patch

I built myself an rngd that would let me set the watermark higher than 4096 and checks /proc/sys/kernel/random/poolsize for maximum poolsize. I.e. in hardened, /proc/sys/kernel/random/poolsize is set to: 16384.

By default rngd stops filling the pool at 4096 bits leaving the larger entropy of hardened systems or systems with a larger poolsize alone.

This patch allows rngd to use the maximum poolsize which is defined in the kernel in /proc/sys/kernel/random/poolsize.
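As an added illustration of the check the report describes (example code written here, not the attached patch and not rng-tools' own source): read the kernel's pool size from /proc/sys/kernel/random/poolsize and validate the requested fill watermark against that value instead of a fixed 4096. The 4096 fallback, the function names and the 16384 request (taken from the hardened value quoted above) are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <errno.h>

/* Fixed cap the unpatched rngd enforced (assumption; see bug summary). */
#define LEGACY_MAX_WATERMARK 4096L

/* Parse the decimal text of /proc/sys/kernel/random/poolsize; -1 if malformed or non-positive. */
long parse_poolsize(const char *text)
{
    char *end;
    errno = 0;
    long v = strtol(text, &end, 10);
    if (errno || end == text || v <= 0)
        return -1;
    while (*end == ' ' || *end == '\t' || *end == '\n')   /* trailing newline is fine */
        end++;
    return *end ? -1 : v;
}

/* Read the kernel pool size; fall back to the legacy cap if the file is unreadable. */
long read_poolsize(const char *path)
{
    char buf[32];
    FILE *f = fopen(path, "r");
    if (!f)
        return LEGACY_MAX_WATERMARK;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    long v = parse_poolsize(buf);
    return v < 0 ? LEGACY_MAX_WATERMARK : v;
}

/* Accept a requested fill watermark only if it fits the actual pool; -1 if out of range. */
long check_watermark(long requested, long poolsize)
{
    if (poolsize <= 0 || requested < 0 || requested > poolsize)
        return -1;
    return requested;
}

int main(void)
{
    long poolsize = read_poolsize("/proc/sys/kernel/random/poolsize");
    long wm = check_watermark(16384, poolsize);   /* hardened value from the report */
    printf("poolsize=%ld: watermark 16384 %s\n", poolsize, wm < 0 ? "rejected" : "accepted");
    return 0;
}
```

On a kernel whose poolsize reads 4096 the 16384 request is rejected, exactly the behaviour the reporter hit; on a 16384-bit pool it is accepted.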
Comment 1 Ian Delaney (RETIRED) gentoo-dev 2015-07-17 09:31:48 UTC
  17 Jul 2015; Ian Delaney <idella4@gentoo.org> +files/larger-poolsize.patch,
  rng-tools-5-r1.ebuild, rng-tools-5.ebuild:
  patch to fix Bug 517942, sourced from Debian, attached to bug #517942 by
  cilly, also prompted by proxy maintainer
Comment 2 Göktürk Yüksek archtester gentoo-dev 2015-07-17 21:51:12 UTC
The Linux kernel doesn't allow the entropy pool size to be modified. Grsecurity used to have a kernel option to double the entropy pool size, but it has been removed:

https://grsecurity.net/changelog-stable2.txt
"""
commit c223ecf11b6afea9bcd450630eceab2c65d1d307
Author: Brad Spengler <spender@grsecurity.net>
Date:   Thu Aug 21 20:33:45 2014 -0400

    Remove GRKERNSEC_RANDNET -- it has been unnecessary for quite some
    time now, at least since get_random_bytes started to be used directly
    for filling of AT_RANDOM on each exec -- it's not really possible
    anymore to store up sufficient entropy such that this option would
    have any effect.
"""

Therefore, none of the recent systems should have an entropy pool size other than 4096. The patch isn't necessary.

@hardened: can you confirm that GRKERNSEC_RANDNET isn't supported by any of the sys-kernel/hardened-sources-*?

Feel free to re-open the bug if this is not the case.