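#!/bin/sh
#
# $FreeBSD$
#

# PROVIDE: random
# REQUIRE: FILESYSTEMS
# BEFORE: netif
# KEYWORD: nojail shutdown

. /etc/rc.subr

name="random"
desc="Harvest and save entropy for random device"
start_cmd="random_start"
stop_cmd="random_stop"

# "service random saveseed" rewrites the seed files without stopping anything.
extra_commands="saveseed"
saveseed_cmd="${name}_stop"

# save_dev_random file ...
#	Write 4096 bytes from /dev/random into each named file.  Every
#	target is removed first and recreated under umask 077, so seed
#	material is never written into a pre-existing file with looser
#	permissions or through a stale symlink.  The trailing chmod keeps
#	the 0600 mode explicit.  Failures are silent apart from dd's own
#	diagnostics.
save_dev_random()
{
	local _oumask _f

	_oumask=`umask`
	umask 077
	for _f ; do
		debug "saving entropy to $_f"
		rm -f "$_f" 2> /dev/null
		dd if=/dev/random of="$_f" bs=4096 count=1 status=none &&
			chmod 600 "$_f"
	done
	umask "${_oumask}"
}

# feed_dev_random file ...
#	Feed each existing, readable, non-empty file into /dev/random and
#	remove it once consumed so it is not reused.  Missing, unreadable
#	or empty files are skipped silently.
feed_dev_random()
{
	local _f

	for _f ; do
		if [ -f "$_f" ] && [ -r "$_f" ] && [ -s "$_f" ] ; then
			if dd if="$_f" of=/dev/random bs=4096 2>/dev/null ; then
				debug "entropy read from $_f"
				rm -f "$_f"
			fi
		fi
	done
}

# write_seed_file file [fallback ...]
#	Remove and recreate the first candidate that can be created, with
#	mode 0600 (umask 077), and fill it with 4096 bytes from /dev/random.
#	A later candidate is tried, and removed, only when every earlier one
#	could not be created.  Prints '.' once a target exists, warns
#	otherwise.  Returns 0 on a successful write, 1 if no candidate could
#	be created or dd failed.
write_seed_file()
{
	local _oumask _f _target _rv

	_oumask=`umask`
	umask 077
	_target=
	for _f ; do
		# rm before touch: a pre-existing file may be readable by
		# others or be a symlink, and seed material must not be
		# written through either.
		rm -f "$_f" 2> /dev/null
		if touch "$_f" 2> /dev/null; then
			_target="$_f"
			break
		fi
	done

	_rv=0
	if [ -z "${_target}" ]; then
		warn 'write failed (read-only fs?)'
		_rv=1
	else
		dd if=/dev/random of="${_target}" bs=4096 count=1 2> /dev/null ||
			{ warn 'write failed (unwriteable file or full fs?)'; _rv=1; }
		echo '.'
	fi
	umask "${_oumask}"
	return ${_rv}
}

# random_start
#	Configure the kernel harvesting mask when rc.conf asks for one,
#	reseed /dev/random from the saved seed files, then immediately
#	write fresh seeds for the next boot.  Returns 1 without reseeding
#	if /dev/random is not writable.
random_start()
{
	# An unset or empty harvest_mask means "leave the kernel default
	# alone" instead of tripping a test(1) syntax error.
	if [ -n "${harvest_mask}" ] && [ "${harvest_mask}" -gt 0 ]; then
		echo -n 'Setting up harvesting: '
		${SYSCTL} kern.random.harvest.mask="${harvest_mask}" > /dev/null
		${SYSCTL_N} kern.random.harvest.mask_symbolic
	fi

	echo -n 'Feeding entropy: '

	if [ ! -w /dev/random ] ; then
		warn "/dev/random is not writeable"
		return 1
	fi

	# Reseed /dev/random with previously stored entropy.
	case ${entropy_dir:=/var/db/entropy} in
	[Nn][Oo])
		;;
	*)
		if [ -d "${entropy_dir}" ] ; then
			feed_dev_random "${entropy_dir}"/*
		fi
		;;
	esac

	# /var/db/entropy-file is where random_stop falls back to when the
	# configured path is not writable, so consume both before writing
	# the replacement seed.
	case ${entropy_file:=/entropy} in
	[Nn][Oo])
		;;
	*)
		feed_dev_random "${entropy_file}" /var/db/entropy-file
		save_dev_random "${entropy_file}"
		;;
	esac

	# The "early boot" seed file written by random_stop; only refreshed
	# here, never fed back.
	case ${entropy_boot_file:=/boot/entropy} in
	[Nn][Oo])
		;;
	*)
		save_dev_random "${entropy_boot_file}"
		;;
	esac

	echo '.'
}

# random_stop
#	Write some entropy so when the machine reboots /dev/random can be
#	reseeded.  Also serves the "saveseed" command.  Write failures are
#	reported via warn but never fail the stop.
random_stop()
{
	case ${entropy_file:=/entropy} in
	[Nn][Oo])
		;;
	*)
		echo -n 'Writing entropy file:'
		# /var/db/entropy-file is a reasonable alternative for
		# read-only roots, diskless workstations, etc.
		write_seed_file "${entropy_file}" /var/db/entropy-file
		;;
	esac
	case ${entropy_boot_file:=/boot/entropy} in
	[Nn][Oo])
		;;
	*)
		echo -n 'Writing early boot entropy file:'
		write_seed_file "${entropy_boot_file}"
		;;
	esac
	return 0
}

load_rc_config $name
run_rc_command "$1"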