diff options
author | Leo Famulari <leo@famulari.name> | 2017-12-13 18:49:28 -0500 |
---|---|---|
committer | Leo Famulari <leo@famulari.name> | 2017-12-19 11:31:24 -0500 |
commit | 9a56cf2b5b4970843c215091ea9823a67e077310 (patch) | |
tree | d08753865b0d1c77bcc845a38f675996f0ebc20d /gnu/services | |
parent | a8db968fa48ecb3dd219833a9e393a383d842215 (diff) | |
download | gnu-guix-9a56cf2b5b4970843c215091ea9823a67e077310.tar gnu-guix-9a56cf2b5b4970843c215091ea9823a67e077310.tar.gz |
services: urandom-seed: Try using a HWRNG to seed the Linux CRNG at boot.
* gnu/services/base.scm (urandom-seed-shepherd-service): Try to read from
'/dev/hwrng' at boot, as a supplement to any saved random seed.
* doc/guix.texi (Base Services): Document the new feature.
Diffstat (limited to 'gnu/services')
-rw-r--r-- | gnu/services/base.scm | 18 |
1 files changed, 18 insertions, 0 deletions
diff --git a/gnu/services/base.scm b/gnu/services/base.scm index 5e08927af3..a3654fd4d3 100644 --- a/gnu/services/base.scm +++ b/gnu/services/base.scm @@ -516,6 +516,24 @@ stopped before 'kill' is called." (call-with-output-file "/dev/urandom" (lambda (urandom) (dump-port seed urandom)))))) + + ;; Try writing from /dev/hwrng into /dev/urandom. + ;; It seems that the file /dev/hwrng always exists, even + ;; when there is no hardware random number generator + ;; available. So, we handle a failed read or any other error + ;; reported by the operating system. + (let ((buf (catch 'system-error + (lambda () + (call-with-input-file "/dev/hwrng" + (lambda (hwrng) + (get-bytevector-n hwrng 512)))) + ;; Silence is golden... + (const #f)))) + (when buf + (call-with-output-file "/dev/urandom" + (lambda (urandom) + (put-bytevector urandom buf))))) + ;; Immediately refresh the seed in case the system doesn't ;; shut down cleanly. (call-with-input-file "/dev/urandom" |