From a535e1222665f3fe5e195573649b7000e8bc9d34 Mon Sep 17 00:00:00 2001
From: Leo Famulari
Date: Sat, 28 May 2016 13:41:21 -0400
Subject: services: Add urandom-seed-service.
Fixes . * gnu/services/base.scm (urandom-seed-service): New procedure. (%random-seed-file, urandom-seed-service-type): New variables. (%urandom-seed-shepherd-service): New procedure. (%base-services): Call 'urandom-seed-service'. * doc/guix.texi (Base Services): Document it.
---
gnu/services/base.scm | 62 ++++++++++++++++++++++++++++++++++++++++++++++++++-
1 file changed, 61 insertions(+), 1 deletion(-)
(limited to 'gnu/services/base.scm')
diff --git a/gnu/services/base.scm b/gnu/services/base.scm
index 96bf8da02a..a45f219643 100644
--- a/gnu/services/base.scm
+++ b/gnu/services/base.scm
@@ -3,6 +3,7 @@
 ;;; Copyright © 2015, 2016 Alex Kost
 ;;; Copyright © 2015 Mark H Weaver
 ;;; Copyright © 2015 Sou Bunnbu
+;;; Copyright © 2016 Leo Famulari
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -93,6 +94,8 @@
 gpm-service-type
 gpm-service
+ urandom-seed-service
+
 %base-services))
 ;;; Commentary:
@@ -420,6 +423,63 @@ stopped before 'kill' is called."
 (service user-processes-service-type
 (list (filter file-system-mount? file-systems)
 grace-delay)))
+
+;;;
+;;; Preserve entropy to seed /dev/urandom on boot.
+;;;
+
+(define %random-seed-file
+ "/var/lib/random-seed")
+
+(define %urandom-seed-activation
+ ;; Activation gexp for the urandom seed
+ #~(begin
+ (use-modules (guix build utils))
+
+ (mkdir-p (dirname #$%random-seed-file))
+ (close-port (open-file #$%random-seed-file "a0b"))
+ (chmod #$%random-seed-file #o600)))
+
+(define (urandom-seed-shepherd-service _)
+ "Return a shepherd service for the /dev/urandom seed."
+ (list (shepherd-service
+ (documentation "Preserve entropy across reboots for /dev/urandom.")
+ (provision '(urandom-seed))
+ (requirement '(user-processes))
+ (start #~(lambda _
+ ;; On boot, write random seed into /dev/urandom.
+ (when (file-exists? #$%random-seed-file)
+ (call-with-input-file #$%random-seed-file
+ (lambda (seed)
+ (call-with-output-file "/dev/urandom"
+ (lambda (urandom)
+ (dump-port seed urandom))))))
+ #t))
+ (stop #~(lambda _
+ ;; During shutdown, write from /dev/urandom into random seed.
+ (let ((buf (make-bytevector 512)))
+ (call-with-input-file "/dev/urandom"
+ (lambda (urandom)
+ (get-bytevector-n! urandom buf 0 512)
+ (call-with-output-file #$%random-seed-file
+ (lambda (seed)
+ (put-bytevector seed buf)))
+ #t)))))
+ (modules `((rnrs bytevectors)
+ (rnrs io ports)
+ ,@%default-modules)))))
+
+(define urandom-seed-service-type
+ (service-type (name 'urandom-seed)
+ (extensions
+ (list (service-extension shepherd-root-service-type
+ urandom-seed-shepherd-service)
+ (service-extension activation-service-type
+ (const %urandom-seed-activation))))))
+
+(define (urandom-seed-service)
+ (service urandom-seed-service-type #f))
+
 ;;;
 ;;; System-wide environment variables.
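Review bot: In the `stop` gexp the return value of `(get-bytevector-n! urandom buf 0 512)` is discarded, so on a short read or EOF the whole 512-byte `buf`, including bytes that `make-bytevector` never initialised, is written to `%random-seed-file` as if it were fresh random data. Check the count and write only that many bytes, e.g. `(let ((n (get-bytevector-n! urandom buf 0 512))) (put-bytevector seed buf 0 n))`, skipping the write when `n` is `eof-object?`. The `start` side also deserves a comment that feeding the seed to /dev/urandom only mixes it into the pool and on Linux does not credit entropy, so readers do not assume it unblocks early-boot consumers on its own; something like `;; Mixing the seed in improves the pool's state but does not credit entropy.`.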
@@ -1200,7 +1260,6 @@ extra rules from the packages listed in @var{rules}."
 "Return a service that uses @var{device} as a swap device."
 (service swap-service-type device))
-
 (define-record-type*
 gpm-configuration make-gpm-configuration gpm-configuration?
 (gpm gpm-configuration-gpm) ;package
@@ -1281,6 +1340,7 @@ This is the GNU operating system, welcome!\n\n")))
 (static-networking-service "lo" "127.0.0.1"
 #:provision '(loopback))
 (syslog-service)
+ (urandom-seed-service)
 (guix-service)
 (nscd-service)
-- cgit 1.4.1
From 8fe5d95e6653a8ca2f40048b71bb596c80bb264f Mon Sep 17 00:00:00 2001
From: Leo Famulari
Date: Sun, 29 May 2016 11:13:59 -0400
Subject: services: urandom-seed: Set umask to 077 while shutting down.
* gnu/services/base.scm (urandom-seed-shepherd-service): Call 'umask'.
---
gnu/services/base.scm | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
(limited to 'gnu/services/base.scm')
diff --git a/gnu/services/base.scm b/gnu/services/base.scm
index a45f219643..b8e4741739 100644
--- a/gnu/services/base.scm
+++ b/gnu/services/base.scm
@@ -460,10 +460,12 @@ stopped before 'kill' is called."
 (let ((buf (make-bytevector 512)))
 (call-with-input-file "/dev/urandom"
 (lambda (urandom)
- (get-bytevector-n! urandom buf 0 512)
- (call-with-output-file #$%random-seed-file
- (lambda (seed)
- (put-bytevector seed buf)))
+ (let ((previous-umask (umask #o077)))
+ (get-bytevector-n! urandom buf 0 512)
+ (call-with-output-file #$%random-seed-file
+ (lambda (seed)
+ (put-bytevector seed buf)))
+ (umask previous-umask))
 #t)))))
 (modules `((rnrs bytevectors)
 (rnrs io ports)
-- cgit 1.4.1
From 71cb237a7d98dafda7dfbb5f3ba7c68463310383 Mon Sep 17 00:00:00 2001
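Review bot: In the `@@ -460,10 +460,12 @@` hunk the umask is restored only on the normal path: if `call-with-output-file` raises (a read-only or full file system at shutdown, for instance), `(umask previous-umask)` is never reached and the process keeps umask 077 for the rest of the shutdown sequence. Wrapping the read-and-write in `dynamic-wind` restores the previous mask on every exit, including non-local ones; the boot-time copy of this pattern added in the following commit's `start` gexp has the same shape and would benefit from the same treatment. The `stop` lambda begins above the hunk.
```scheme
(lambda (urandom)
  (let ((previous-umask (umask #o077)))
    (dynamic-wind
      (const #t)
      (lambda ()
        (get-bytevector-n! urandom buf 0 512)
        (call-with-output-file #$%random-seed-file
          (lambda (seed)
            (put-bytevector seed buf))))
      (lambda ()
        (umask previous-umask))))
  ;; … unchanged: trailing #t and closing parentheses …
```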
From: Leo Famulari
Date: Fri, 3 Jun 2016 02:44:32 -0400
Subject: services: urandom-seed: Refresh seed at boot.
* gnu/services/base.scm (urandom-seed-shepherd-service): Refresh the random seed unconditionally at boot. Ensure directory structure for %random-seed-file exists when shutting down. (%urandom-seed-activation): Remove variable. (urandom-seed-service-type): Remove deleted variable from list of extensions.
---
gnu/services/base.scm | 26 ++++++++++++++------------
1 file changed, 14 insertions(+), 12 deletions(-)
(limited to 'gnu/services/base.scm')
diff --git a/gnu/services/base.scm b/gnu/services/base.scm
index b8e4741739..2780d124c7 100644
--- a/gnu/services/base.scm
+++ b/gnu/services/base.scm
@@ -431,15 +431,6 @@ stopped before 'kill' is called."
 (define %random-seed-file
 "/var/lib/random-seed")
-(define %urandom-seed-activation
- ;; Activation gexp for the urandom seed
- #~(begin
- (use-modules (guix build utils))
-
- (mkdir-p (dirname #$%random-seed-file))
- (close-port (open-file #$%random-seed-file "a0b"))
- (chmod #$%random-seed-file #o600)))
-
 (define (urandom-seed-shepherd-service _)
 "Return a shepherd service for the /dev/urandom seed."
 (list (shepherd-service
@@ -454,6 +445,18 @@ stopped before 'kill' is called."
 (call-with-output-file "/dev/urandom"
 (lambda (urandom)
 (dump-port seed urandom))))))
+ ;; Immediately refresh the seed in case the system doesn't
+ ;; shut down cleanly.
+ (call-with-input-file "/dev/urandom"
+ (lambda (urandom)
+ (let ((previous-umask (umask #o077))
+ (buf (make-bytevector 512)))
+ (mkdir-p (dirname #$%random-seed-file))
+ (get-bytevector-n! urandom buf 0 512)
+ (call-with-output-file #$%random-seed-file
+ (lambda (seed)
+ (put-bytevector seed buf)))
+ (umask previous-umask)))) + #t)) (stop #~(lambda _ + ;; During shutdown, write from /dev/urandom into random seed.
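Review bot: In the `@@ -454,6 +445,18 @@` hunk `(mkdir-p (dirname #$%random-seed-file))` runs after `(umask #o077)` has taken effect, so if any component of the seed file's parent directory is missing it is created with mode 0700 and becomes inaccessible to the unprivileged users of other services; the parent presumably exists on an installed system, but the ordering makes that an accident rather than a guarantee. Moving the `mkdir-p` call above the `let` that changes the umask keeps the 077 mask scoped to the seed file alone; the `stop`-side hunk at `@@ -462,6 +465,7 @@` in this same commit has the identical ordering and should change with it. The seed-writing code is now duplicated between `start` and `stop`, so a single procedure inside the gexp, called from both, would keep the umask and directory handling from drifting apart again. The `start` lambda begins above the hunk.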
@@ -462,6 +465,7 @@ stopped before 'kill' is called."
 (lambda (urandom)
 (let ((previous-umask (umask #o077)))
 (get-bytevector-n! urandom buf 0 512)
+ (mkdir-p (dirname #$%random-seed-file))
 (call-with-output-file #$%random-seed-file
 (lambda (seed)
 (put-bytevector seed buf)))
@@ -475,9 +479,7 @@ stopped before 'kill' is called."
 (service-type (name 'urandom-seed)
 (extensions
 (list (service-extension shepherd-root-service-type
- urandom-seed-shepherd-service)
- (service-extension activation-service-type
- (const %urandom-seed-activation))))))
+ urandom-seed-shepherd-service)))))
 (define (urandom-seed-service)
 (service urandom-seed-service-type #f))
-- cgit 1.4.1