xref: /freebsd/libexec/rc/rc.d/random (revision f99f0ee14e3af81c23150a6a340259ca8a33d01a) 
10696600cSBjoern A. Zeeb#!/bin/sh
20696600cSBjoern A. Zeeb#
30696600cSBjoern A. Zeeb#
40696600cSBjoern A. Zeeb
50696600cSBjoern A. Zeeb# PROVIDE: random
60696600cSBjoern A. Zeeb# REQUIRE: FILESYSTEMS
70696600cSBjoern A. Zeeb# BEFORE: netif
80696600cSBjoern A. Zeeb# KEYWORD: nojail shutdown
90696600cSBjoern A. Zeeb
100696600cSBjoern A. Zeeb. /etc/rc.subr
110696600cSBjoern A. Zeeb
120696600cSBjoern A. Zeebname="random"
130696600cSBjoern A. Zeebdesc="Harvest and save entropy for random device"
140696600cSBjoern A. Zeebstart_cmd="random_start"
150696600cSBjoern A. Zeebstop_cmd="random_stop"
160696600cSBjoern A. Zeeb
170696600cSBjoern A. Zeebextra_commands="saveseed"
180696600cSBjoern A. Zeebsaveseed_cmd="${name}_stop"
190696600cSBjoern A. Zeeb
200696600cSBjoern A. Zeebsave_dev_random()
210696600cSBjoern A. Zeeb{
220696600cSBjoern A. Zeeb	oumask=`umask`
230696600cSBjoern A. Zeeb	umask 077
240696600cSBjoern A. Zeeb	for f ; do
250696600cSBjoern A. Zeeb		debug "saving entropy to $f"
260696600cSBjoern A. Zeeb		dd if=/dev/random of="$f" bs=4096 count=1 status=none &&
2726c49788SConrad Meyer			( chflags nodump "$f" 2>/dev/null || : ) &&
28c849485dSConrad Meyer			chmod 600 "$f" &&
29c849485dSConrad Meyer			fsync "$f" "$(dirname "$f")"
300696600cSBjoern A. Zeeb	done
310696600cSBjoern A. Zeeb	umask ${oumask}
320696600cSBjoern A. Zeeb}
330696600cSBjoern A. Zeeb
340696600cSBjoern A. Zeebfeed_dev_random()
350696600cSBjoern A. Zeeb{
360696600cSBjoern A. Zeeb	for f ; do
370696600cSBjoern A. Zeeb		if [ -f "$f" -a -r "$f" -a -s "$f" ] ; then
380696600cSBjoern A. Zeeb			if dd if="$f" of=/dev/random bs=4096 2>/dev/null ; then
390696600cSBjoern A. Zeeb				debug "entropy read from $f"
400696600cSBjoern A. Zeeb				rm -f "$f"
410696600cSBjoern A. Zeeb			fi
420696600cSBjoern A. Zeeb		fi
430696600cSBjoern A. Zeeb	done
440696600cSBjoern A. Zeeb}
450696600cSBjoern A. Zeeb
460696600cSBjoern A. Zeebrandom_start()
470696600cSBjoern A. Zeeb{
480696600cSBjoern A. Zeeb
493bca93e0SEugene Grosbein	if [ -n "${harvest_mask}" ]; then
500696600cSBjoern A. Zeeb		echo -n 'Setting up harvesting: '
510696600cSBjoern A. Zeeb		${SYSCTL} kern.random.harvest.mask=${harvest_mask} > /dev/null
520696600cSBjoern A. Zeeb		${SYSCTL_N} kern.random.harvest.mask_symbolic
530696600cSBjoern A. Zeeb	fi
540696600cSBjoern A. Zeeb
550696600cSBjoern A. Zeeb	echo -n 'Feeding entropy: '
560696600cSBjoern A. Zeeb
570696600cSBjoern A. Zeeb	if [ ! -w /dev/random ] ; then
580696600cSBjoern A. Zeeb		warn "/dev/random is not writeable"
590696600cSBjoern A. Zeeb		return 1
600696600cSBjoern A. Zeeb	fi
610696600cSBjoern A. Zeeb
620696600cSBjoern A. Zeeb	# Reseed /dev/random with previously stored entropy.
630696600cSBjoern A. Zeeb	case ${entropy_dir:=/var/db/entropy} in
640696600cSBjoern A. Zeeb	[Nn][Oo])
650696600cSBjoern A. Zeeb		;;
660696600cSBjoern A. Zeeb	*)
670696600cSBjoern A. Zeeb		if [ -d "${entropy_dir}" ] ; then
680696600cSBjoern A. Zeeb			feed_dev_random "${entropy_dir}"/*
690696600cSBjoern A. Zeeb		fi
700696600cSBjoern A. Zeeb		;;
710696600cSBjoern A. Zeeb	esac
720696600cSBjoern A. Zeeb
730696600cSBjoern A. Zeeb	case ${entropy_file:=/entropy} in
740696600cSBjoern A. Zeeb	[Nn][Oo])
750696600cSBjoern A. Zeeb		;;
760696600cSBjoern A. Zeeb	*)
770696600cSBjoern A. Zeeb		feed_dev_random "${entropy_file}" /var/db/entropy-file
780696600cSBjoern A. Zeeb		save_dev_random "${entropy_file}"
790696600cSBjoern A. Zeeb		;;
800696600cSBjoern A. Zeeb	esac
810696600cSBjoern A. Zeeb
820696600cSBjoern A. Zeeb	case ${entropy_boot_file:=/boot/entropy} in
830696600cSBjoern A. Zeeb	[Nn][Oo])
840696600cSBjoern A. Zeeb		;;
850696600cSBjoern A. Zeeb	*)
860696600cSBjoern A. Zeeb		save_dev_random "${entropy_boot_file}"
870696600cSBjoern A. Zeeb		;;
880696600cSBjoern A. Zeeb	esac
890696600cSBjoern A. Zeeb
900696600cSBjoern A. Zeeb	echo '.'
910696600cSBjoern A. Zeeb}
920696600cSBjoern A. Zeeb
930696600cSBjoern A. Zeebrandom_stop()
940696600cSBjoern A. Zeeb{
950696600cSBjoern A. Zeeb	# Write some entropy so when the machine reboots /dev/random
960696600cSBjoern A. Zeeb	# can be reseeded
970696600cSBjoern A. Zeeb	#
980696600cSBjoern A. Zeeb	case ${entropy_file:=/entropy} in
990696600cSBjoern A. Zeeb	[Nn][Oo])
1000696600cSBjoern A. Zeeb		;;
1010696600cSBjoern A. Zeeb	*)
1020696600cSBjoern A. Zeeb		echo -n 'Writing entropy file: '
1030696600cSBjoern A. Zeeb		rm -f ${entropy_file} 2> /dev/null
1040696600cSBjoern A. Zeeb		oumask=`umask`
1050696600cSBjoern A. Zeeb		umask 077
1060696600cSBjoern A. Zeeb		if touch ${entropy_file} 2> /dev/null; then
1070696600cSBjoern A. Zeeb			entropy_file_confirmed="${entropy_file}"
1080696600cSBjoern A. Zeeb		else
1090696600cSBjoern A. Zeeb			# Try this as a reasonable alternative for read-only
1100696600cSBjoern A. Zeeb			# roots, diskless workstations, etc.
1110696600cSBjoern A. Zeeb			rm -f /var/db/entropy-file 2> /dev/null
1120696600cSBjoern A. Zeeb			if touch /var/db/entropy-file 2> /dev/null; then
1130696600cSBjoern A. Zeeb				entropy_file_confirmed=/var/db/entropy-file
1140696600cSBjoern A. Zeeb			fi
1150696600cSBjoern A. Zeeb		fi
1160696600cSBjoern A. Zeeb		case ${entropy_file_confirmed} in
1170696600cSBjoern A. Zeeb		'')
1180696600cSBjoern A. Zeeb			warn 'write failed (read-only fs?)'
1190696600cSBjoern A. Zeeb			;;
1200696600cSBjoern A. Zeeb		*)
12126c49788SConrad Meyer			save_dev_random "${entropy_file_confirmed}"
1220696600cSBjoern A. Zeeb			echo '.'
1230696600cSBjoern A. Zeeb			;;
1240696600cSBjoern A. Zeeb		esac
1250696600cSBjoern A. Zeeb		umask ${oumask}
1260696600cSBjoern A. Zeeb		;;
1270696600cSBjoern A. Zeeb	esac
1280696600cSBjoern A. Zeeb	case ${entropy_boot_file:=/boot/entropy} in
1290696600cSBjoern A. Zeeb	[Nn][Oo])
1300696600cSBjoern A. Zeeb		;;
1310696600cSBjoern A. Zeeb	*)
1320696600cSBjoern A. Zeeb		echo -n 'Writing early boot entropy file: '
1330696600cSBjoern A. Zeeb		rm -f ${entropy_boot_file} 2> /dev/null
1340696600cSBjoern A. Zeeb		oumask=`umask`
1350696600cSBjoern A. Zeeb		umask 077
1360696600cSBjoern A. Zeeb		if touch ${entropy_boot_file} 2> /dev/null; then
1370696600cSBjoern A. Zeeb			entropy_boot_file_confirmed="${entropy_boot_file}"
1380696600cSBjoern A. Zeeb		fi
1390696600cSBjoern A. Zeeb		case ${entropy_boot_file_confirmed} in
1400696600cSBjoern A. Zeeb		'')
1410696600cSBjoern A. Zeeb			warn 'write failed (read-only fs?)'
1420696600cSBjoern A. Zeeb			;;
1430696600cSBjoern A. Zeeb		*)
14426c49788SConrad Meyer			save_dev_random "${entropy_boot_file_confirmed}"
1450696600cSBjoern A. Zeeb			echo '.'
1460696600cSBjoern A. Zeeb			;;
1470696600cSBjoern A. Zeeb		esac
1480696600cSBjoern A. Zeeb		umask ${oumask}
1490696600cSBjoern A. Zeeb		;;
1500696600cSBjoern A. Zeeb	esac
1510696600cSBjoern A. Zeeb}
1520696600cSBjoern A. Zeeb
1530696600cSBjoern A. Zeebload_rc_config $name
154*f99f0ee1SAlexander Leidinger
155*f99f0ee1SAlexander Leidinger# doesn't make sense to run in a svcj: config setting
156*f99f0ee1SAlexander Leidingerrandom_svcj="NO"
157*f99f0ee1SAlexander Leidinger
1580696600cSBjoern A. Zeebrun_rc_command "$1"
159