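#!/bin/sh
#
# rc.d script that seeds /dev/random from entropy saved by a previous boot
# and writes fresh seed files at start-up and shutdown.
#
# rc.conf knobs read here (all may be set to "NO" to disable):
#   entropy_dir       directory of seed files fed at boot (default /var/db/entropy)
#   entropy_file      seed file fed and rewritten at boot (default /entropy)
#   entropy_boot_file seed file rewritten at boot/shutdown (default /boot/entropy)
#   harvest_mask      value written to kern.random.harvest.mask when non-empty
#

# PROVIDE: random
# REQUIRE: FILESYSTEMS
# BEFORE: netif
# KEYWORD: nojail shutdown

. /etc/rc.subr

name="random"
desc="Harvest and save entropy for random device"
start_cmd="random_start"
stop_cmd="random_stop"

extra_commands="saveseed"
saveseed_cmd="${name}_stop"

# save_dev_random file...
#
# Write one 4096-byte block from /dev/random into each named file.  The
# seed is secret material, so every file is created under umask 077,
# forced to mode 0600 and marked nodump (chflags failure is tolerated,
# e.g. on file systems without flag support).  The file and its directory
# are fsync'ed so the seed is on disk before a reboot.  Failures are
# silent: this is best effort and must not block boot or shutdown.
save_dev_random()
{
	oumask=$(umask)
	umask 077
	for f ; do
		debug "saving entropy to $f"
		dd if=/dev/random of="$f" bs=4096 count=1 status=none &&
		    ( chflags nodump "$f" 2>/dev/null || : ) &&
		    chmod 600 "$f" &&
		    fsync "$f" "$(dirname "$f")"
	done
	umask "${oumask}"
}

# feed_dev_random file...
#
# Write each regular, readable, non-empty file into /dev/random and then
# delete it, so a seed is consumed at most once and is never replayed on
# a later boot.  Unreadable or missing files are skipped without error.
feed_dev_random()
{
	for f ; do
		if [ -f "$f" ] && [ -r "$f" ] && [ -s "$f" ] ; then
			if dd if="$f" of=/dev/random bs=4096 2>/dev/null ; then
				debug "entropy read from $f"
				rm -f "$f"
			fi
		fi
	done
}

# random_start
#
# Optionally program the harvest mask, then reseed /dev/random from the
# saved entropy directory and entropy file.  A fresh entropy_file and
# entropy_boot_file are written immediately afterwards, so a later
# unclean shutdown still leaves a seed behind.  Returns 1 if /dev/random
# cannot be written.
random_start()
{
	if [ -n "${harvest_mask}" ]; then
		echo -n 'Setting up harvesting: '
		${SYSCTL} "kern.random.harvest.mask=${harvest_mask}" > /dev/null
		${SYSCTL_N} kern.random.harvest.mask_symbolic
	fi

	echo -n 'Feeding entropy: '

	if [ ! -w /dev/random ] ; then
		warn "/dev/random is not writeable"
		return 1
	fi

	# Reseed /dev/random with previously stored entropy.
	case ${entropy_dir:=/var/db/entropy} in
	[Nn][Oo])
		;;
	*)
		if [ -d "${entropy_dir}" ] ; then
			feed_dev_random "${entropy_dir}"/*
		fi
		;;
	esac

	case ${entropy_file:=/entropy} in
	[Nn][Oo])
		;;
	*)
		# /var/db/entropy-file is the fallback location random_stop
		# uses when entropy_file is not writable; consume it too.
		feed_dev_random "${entropy_file}" /var/db/entropy-file
		save_dev_random "${entropy_file}"
		;;
	esac

	# NOTE: the boot file is only written here, never fed; presumably it
	# is consumed earlier in the boot sequence -- confirm against loader.
	case ${entropy_boot_file:=/boot/entropy} in
	[Nn][Oo])
		;;
	*)
		save_dev_random "${entropy_boot_file}"
		;;
	esac

	echo '.'
}

# random_stop
#
# Write fresh seed files so /dev/random can be reseeded on the next boot.
# Each target is removed and re-created under umask 077 before the seed
# is written, so the seed never lands in a pre-existing file with looser
# permissions.  If entropy_file cannot be created (read-only root,
# diskless), /var/db/entropy-file is tried instead.
random_stop()
{
	# Write some entropy so when the machine reboots /dev/random
	# can be reseeded
	#
	case ${entropy_file:=/entropy} in
	[Nn][Oo])
		;;
	*)
		echo -n 'Writing entropy file: '
		rm -f "${entropy_file}" 2> /dev/null
		oumask=$(umask)
		umask 077
		# Reset explicitly so an inherited environment variable of
		# the same name cannot make a failed write look successful.
		entropy_file_confirmed=''
		if touch "${entropy_file}" 2> /dev/null; then
			entropy_file_confirmed="${entropy_file}"
		else
			# Try this as a reasonable alternative for read-only
			# roots, diskless workstations, etc.
			rm -f /var/db/entropy-file 2> /dev/null
			if touch /var/db/entropy-file 2> /dev/null; then
				entropy_file_confirmed=/var/db/entropy-file
			fi
		fi
		case ${entropy_file_confirmed} in
		'')
			warn 'write failed (read-only fs?)'
			;;
		*)
			save_dev_random "${entropy_file_confirmed}"
			echo '.'
			;;
		esac
		umask "${oumask}"
		;;
	esac
	case ${entropy_boot_file:=/boot/entropy} in
	[Nn][Oo])
		;;
	*)
		echo -n 'Writing early boot entropy file: '
		rm -f "${entropy_boot_file}" 2> /dev/null
		oumask=$(umask)
		umask 077
		entropy_boot_file_confirmed=''
		if touch "${entropy_boot_file}" 2> /dev/null; then
			entropy_boot_file_confirmed="${entropy_boot_file}"
		fi
		case ${entropy_boot_file_confirmed} in
		'')
			warn 'write failed (read-only fs?)'
			;;
		*)
			save_dev_random "${entropy_boot_file_confirmed}"
			echo '.'
			;;
		esac
		umask "${oumask}"
		;;
	esac
}

load_rc_config "$name"

# doesn't make sense to run in a svcj: config setting
random_svcj="NO"

run_rc_command "$1"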