NetBSD Problem Report #48702

From www@NetBSD.org  Fri Apr  4 03:07:13 2014
Return-Path: <www@NetBSD.org>
Received: from mail.netbsd.org (mail.netbsd.org [149.20.53.66])
	(using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits))
	(Client CN "mail.netbsd.org", Issuer "Postmaster NetBSD.org" (verified OK))
	by mollari.NetBSD.org (Postfix) with ESMTPS id 48023A5807
	for <gnats-bugs@gnats.NetBSD.org>; Fri,  4 Apr 2014 03:07:13 +0000 (UTC)
Message-Id: <20140404030711.CD021A5811@mollari.NetBSD.org>
Date: Fri,  4 Apr 2014 03:07:11 +0000 (UTC)
From: fstd.lkml@gmail.com
Reply-To: fstd.lkml@gmail.com
To: gnats-bugs@NetBSD.org
Subject: early entropy does not get loaded
X-Send-Pr-Version: www-1.0

>Number:         48702
>Category:       security
>Synopsis:       early entropy does not get loaded
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    security-officer
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Fri Apr 04 03:10:01 +0000 2014
>Originator:     Timo Buhrmester
>Release:        NetBSD 6.1.3
>Organization:
>Environment:
NetBSD alix.localdomain 6.1.3 NetBSD 6.1.3 (ALIXKERN) #2: Fri Apr  4 03:18:36 CEST 2014  toor@alix.localdomain:/usr/obj/sys/arch/i386/compile/ALIXKERN i386
>Description:
Very early in the boot process, a previously stored amount of entropy is (supposed to be) loaded.  As per /boot.cfg, the default location for the file storing entropy is /var/db/entropy-file.
/var typically resides on a separate partition and seems not to be accessible by the boot loader at that early stage.

As a consequence, no entropy will be available (the attempt to open() it gives ENOENT, which makes sense without /var being mounted).  I'm not much into cryptanalysis, but I figure this is an undesirable situation from a security point of view.

>How-To-Repeat:
1. Have /var on a separate partition
2. Do ``rndseed /var/db/entropy-file'' when booting (default as per /boot.cfg)
3. Observe early warning about /var/db/entropy-file not being accessible, and the rndseed module failing to load
>Fix:
The entropy-file should be moved to the root filesystem.  This change is invisible to the user, as the file exists only between shutdowns and the following boot processes.

Here's the fix (as a quick workaround, /boot.cfg can be changed, and random_seed can be set in rc.conf, too)

Index: etc/etc.amd64/boot.cfg
===================================================================
RCS file: /cvsroot/src/etc/etc.amd64/boot.cfg,v
retrieving revision 1.4
diff -u -r1.4 boot.cfg
--- etc/etc.amd64/boot.cfg	21 Dec 2011 14:33:13 -0000	1.4
+++ etc/etc.amd64/boot.cfg	4 Apr 2014 02:54:20 -0000
@@ -1,7 +1,7 @@
-menu=Boot normally:rndseed /var/db/entropy-file;boot netbsd
-menu=Boot single user:rndseed /var/db/entropy-file;boot netbsd -s
-menu=Disable ACPI:rndseed /var/db/entropy-file;boot netbsd -2
-menu=Disable ACPI and SMP:rndseed /var/db/entropy-file;boot netbsd -12
+menu=Boot normally:rndseed /entropy-file;boot netbsd
+menu=Boot single user:rndseed /entropy-file;boot netbsd -s
+menu=Disable ACPI:rndseed /entropy-file;boot netbsd -2
+menu=Disable ACPI and SMP:rndseed /entropy-file;boot netbsd -12
 menu=Drop to boot prompt:prompt
 default=1
 timeout=5
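
Review bot: The seed path is now a literal repeated in all four rndseed entries here and once more as the random_file default in etc/rc.d/random_seed, with nothing tying the two together. If only one side is edited later, the seed is saved to one path and requested from another, and the boot-time load fails again. Suggest recording the coupling with the change (commit message or the documentation of both files), so that anyone who sets random_file in rc.conf knows to edit the rndseed entries in /boot.cfg as well.
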
Index: etc/etc.i386/boot.cfg
===================================================================
RCS file: /cvsroot/src/etc/etc.i386/boot.cfg,v
retrieving revision 1.4
diff -u -r1.4 boot.cfg
--- etc/etc.i386/boot.cfg	21 Dec 2011 14:33:13 -0000	1.4
+++ etc/etc.i386/boot.cfg	4 Apr 2014 02:54:20 -0000
@@ -1,7 +1,7 @@
-menu=Boot normally:rndseed /var/db/entropy-file;boot netbsd
-menu=Boot single user:rndseed /var/db/entropy-file;boot netbsd -s
-menu=Disable ACPI:rndseed /var/db/entropy-file;boot netbsd -2
-menu=Disable ACPI and SMP:rndseed /var/db/entropy-file;boot netbsd -12
+menu=Boot normally:rndseed /entropy-file;boot netbsd
+menu=Boot single user:rndseed /entropy-file;boot netbsd -s
+menu=Disable ACPI:rndseed /entropy-file;boot netbsd -2
+menu=Disable ACPI and SMP:rndseed /entropy-file;boot netbsd -12
 menu=Drop to boot prompt:prompt
 default=1
 timeout=5
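
Review bot: On the four rndseed lines, the new path only takes effect where this template actually replaces the installed /boot.cfg. A machine that picks up the new etc/rc.d/random_seed but keeps a /boot.cfg still reading `rndseed /var/db/entropy-file` will save its seed to /entropy-file at shutdown and ask the boot loader for the old path at the next boot, which is a regression on systems where /var is on the root filesystem and the load used to work. The patch should come with an upgrade note, or with a check that flags a /boot.cfg whose rndseed path differs from random_file.
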
Index: etc/rc.d/random_seed
===================================================================
RCS file: /cvsroot/src/etc/rc.d/random_seed,v
retrieving revision 1.1
diff -u -r1.1 random_seed
--- etc/rc.d/random_seed	23 Nov 2011 10:47:48 -0000	1.1
+++ etc/rc.d/random_seed	4 Apr 2014 02:54:20 -0000
@@ -15,7 +15,7 @@
 start_cmd="random_load"
 stop_cmd="random_save"

-random_file=${random_file:-/var/db/entropy-file}
+random_file=${random_file:-/entropy-file}

 fs_safe()
 {
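
Review bot: With the default `random_file=${random_file:-/entropy-file}` the script now writes the seed to the root filesystem, and fs_safe(), whose definition begins in the trailing context, is not shown in the hunk, so the patch does not show that its check accepts / or what happens when root cannot be written at shutdown. Please confirm that case. The change also leaves any seed already saved at /var/db/entropy-file in place, so consider removing the old file once the new one is written, and state the expected owner and mode of /entropy-file, since it now sits at the top of the root directory.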

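The failure described in the report can be checked for before a reboot. The script below is an added example, not part of the PR or of NetBSD: it reads the rndseed paths out of a boot.cfg, flags any that lie on a mount point other than /, and flags any that differ from the rc.d random_file value. The function names, the mount-list file format (one mount point per line) and the sample data are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not part of PR 48702. Assumption (from the report): the boot
# loader can read only the root filesystem, so an rndseed path on any other
# mount point is unreachable at boot.

# Print each distinct path passed to "rndseed" in boot.cfg file $1.
rndseed_paths() {
    grep -v '^[[:space:]]*#' "$1" | tr ':;' '\n\n' |
        sed -n 's/^[[:space:]]*rndseed[[:space:]][[:space:]]*\([^[:space:]]*\).*/\1/p' |
        sort -u
}

# Print the longest mount point listed in file $2 that contains path $1.
owning_mount() {
    best=/
    while IFS= read -r mp; do
        case "$1" in
            "${mp%/}"/*) if [ "${#mp}" -gt "${#best}" ]; then best=$mp; fi ;;
        esac
    done < "$2"
    printf '%s\n' "$best"
}

# check_seed BOOTCFG MOUNTS RANDOM_FILE
# Flags seed paths off the root filesystem and paths that differ from the
# rc.d random_file value (seed saved to one place, loaded from another).
check_seed() {
    rc=0
    for p in $(rndseed_paths "$1"); do
        mnt=$(owning_mount "$p" "$2")
        if [ "$mnt" != / ]; then echo "UNREACHABLE $p (on $mnt)"; rc=1; fi
        if [ "$p" != "$3" ]; then echo "MISMATCH $p vs random_file=$3"; rc=1; fi
    done
    return "$rc"
}

# Constructed sample: /var on its own partition, boot.cfg as before the patch.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' / /var /usr > "$d/mounts"
    printf '%s\n' 'menu=Boot normally:rndseed /var/db/entropy-file;boot netbsd' \
        'menu=Boot single user:rndseed /var/db/entropy-file;boot netbsd -s' \
        'menu=Drop to boot prompt:prompt' > "$d/boot.cfg"
    check_seed "$d/boot.cfg" "$d/mounts" /var/db/entropy-file
    status=$?
    rm -rf "$d"
    return "$status"
}
demo || echo "demo: seed would not load at boot"
```

On a live system the mount list can be produced with `mount | awk '{print $3}'` and the third argument taken from the random_file setting in effect.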