Updated random(4) boot/shutdown scripting.

Fix the man pages as well.

Differential Revision: https://reviews.freebsd.org/D2924
Approved by: so (delphij)

2 files changed, 48 insertions, 6 deletions

diff --git a/etc/defaults/rc.conf b/etc/defaults/rc.conf
index ef3b861..125d59e 100644
--- a/etc/defaults/rc.conf
+++ b/etc/defaults/rc.conf
@@ -630,15 +630,16 @@ kern_securelevel="-1"	# range: -1..3 ; `-1' is the most insecure
 			# in the system booting with securelevel set to 1, as
 			# init(8) will raise the level when rc(8) completes.
 update_motd="YES"	# update version info in /etc/motd (or NO)
-entropy_file="/entropy"	# Set to NO to disable caching entropy through reboots.
+entropy_boot_file="/boot/entropy"	# Set to NO to disable very early
+			# (used at early boot time) entropy caching through reboots.
+entropy_file="/entropy"	# Set to NO to disable late (used when going multi-user)
+			# entropy through reboots.
 			# /var/db/entropy-file is preferred if / is not avail.
 entropy_dir="/var/db/entropy" # Set to NO to disable caching entropy via cron.
 entropy_save_sz="4096"	# Size of the entropy cache files.
 entropy_save_num="8"	# Number of entropy cache files to save.
-harvest_interrupt="YES"	# Entropy device harvests interrupt randomness
-harvest_ethernet="YES"	# Entropy device harvests ethernet randomness
-harvest_p_to_p="YES"	# Entropy device harvests point-to-point randomness
-harvest_swi="YES"	# Entropy device harvests internal SWI randomness
+harvest_mask="511"	# Entropy device harvests all but the very invasive sources.
+			# (See 'sysctl kern.random.harvest' and random(4))
 dmesg_enable="YES"	# Save dmesg(8) to /var/run/dmesg.boot
 watchdogd_enable="NO"	# Start the software watchdog daemon
 watchdogd_flags=""	# Flags to watchdogd (if enabled)
diff --git a/etc/rc.d/random b/etc/rc.d/random
index 2420a39..13490a9 100755
--- a/etc/rc.d/random
+++ b/etc/rc.d/random
@@ -41,6 +41,13 @@ feed_dev_random()
 
 random_start()
 {
+
+	if [ ${harvest_mask} -gt 0 ]; then
+		echo -n 'Setting up harvesting:'
+		${SYSCTL} kern.random.harvest.mask=${harvest_mask} > /dev/null
+		${SYSCTL_N} kern.random.harvest.mask_symbolic
+	fi
+
 	echo -n 'Feeding entropy:'
 
 	if [ ! -w /dev/random ] ; then
@@ -68,6 +75,14 @@ random_start()
 		;;
 	esac
 
+	case ${entropy_boot_file:=/boot/entropy} in
+	[Nn][Oo] | '')
+		;;
+	*)
+		save_dev_random "${entropy_boot_file}"
+		;;
+	esac
+
 	echo '.'
 }
 
@@ -100,7 +115,33 @@ random_stop()
 			;;
 		*)
 			dd if=/dev/random of=${entropy_file_confirmed} \
-			   bs=4096 count=1 2> /dev/null
+			    bs=4096 count=1 2> /dev/null ||
+			    warn 'write failed (unwriteable file or full fs?)'
+			echo '.'
+			;;
+		esac
+		umask ${oumask}
+		;;
+	esac
+	case ${entropy_boot_file:=/boot/entropy} in
+	[Nn][Oo] | '')
+		;;
+	*)
+		echo -n 'Writing early boot entropy file:'
+		rm -f ${entropy_boot_file} 2> /dev/null
+		oumask=`umask`
+		umask 077
+		if touch ${entropy_boot_file} 2> /dev/null; then
+			entropy_boot_file_confirmed="${entropy_boot_file}"
+		fi
+		case ${entropy_boot_file_confirmed} in
+		'')
+			warn 'write failed (read-only fs?)'
+			;;
+		*)
+			dd if=/dev/random of=${entropy_boot_file_confirmed} \
+			    bs=4096 count=1 2> /dev/null ||
+			    warn 'write failed (unwriteable file or full fs?)'
 			echo '.'
 			;;
 		esac