security(5): Check kern.entropy.needed for confident entropy.

Don't test whether a non-blocking read from /dev/random would return data. For the sake of availability, /dev/random will unblock based on sources like timer interrupts, which we can't confidently assert anything about the actual unpredictability of. Here, the goal is to highlight systems that have neither obtained entropy from an HWRNG with a confident entropy assessment, nor been seeded from a source the operator knows about. XXX pullup-10
2023-06-30 21:42:29 +00:00 · 2023-06-30 21:42:29 +00:00 · 2cfa14dfd4
parent 96b2c7de8d
commit 2cfa14dfd4
1 changed files with 2 additions and 3 deletions
--- a/etc/security
+++ b/etc/security
@ -1,6 +1,6 @@
 #!/bin/sh -
 #
-#	$NetBSD: security,v 1.129 2021/11/04 12:40:00 nia Exp $
+#	$NetBSD: security,v 1.130 2023/06/30 21:42:29 riastradh Exp $
 #	from: @(#)security	8.1 (Berkeley) 6/9/93
 #

@ -195,8 +195,7 @@ done | mtree -CM -k all > $SPECIALSPEC || exit 1
 # Check for enough entropy.
 #
 if checkyesno check_entropy; then
-	if ! dd if=/dev/random iflag=nonblock of=/dev/null bs=1 count=1 \
-	    msgfmt=quiet 2>/dev/null; then
+	if [ "$(sysctl -nq kern.entropy.needed)" != 0 ]; then
 		printf '\n'
 		printf 'Entropy:\n'
 		printf 'System may need more entropy for cryptography.\n'