slackware-current/source/a/util-linux/seedrng.8

.TH seedrng 8
.SH NAME
seedrng \- seed the Linux kernel random number generator
.SH SYNOPSIS
.B seedrng
.SH DESCRIPTION
.B SeedRNG
SeedRNG is a simple program made for seeding the Linux kernel random
number generator from seed files. The program takes no arguments, must
be run as root, and always attempts to do something useful.

This program is useful in light of the fact that the Linux kernel RNG
cannot be initialized from shell scripts, and new seeds cannot be safely
generated from boot time shell scripts either.

It should be run once at init time and once at shutdown time. It can be
run at other times without detriment as well. Whenever it is run, it writes
existing seed files into the RNG pool, and then creates a new seed file.
If the RNG is initialized at the time of creating a new seed file, then that
new seed file is marked as "creditable", which means it can be used to
initialize the RNG. Otherwise, it is marked as "non-creditable", in which
case it is still used to seed the RNG's pool, but will not initialize the
RNG.

In order to ensure that entropy only ever stays the same or increases from
one seed file to the next, old seed values are hashed together with new seed
values when writing new seed files:

.BR
new_seed = new_seed[:-32] || HASH(fixed_prefix || real_time || boot_time || old_seed_len || old_seed || new_seed_len || new_seed)

The seed is stored in /var/lib/seedrng/, which can be adjusted at
compile time. If the SEEDRNG_SKIP_CREDIT environment variable is set to 1,
true, yes, or y, then seeds never credit the RNG, even if the seed file
is creditable.

.SH FILES
.IR /var/lib/seedrng/seed.credit
.IR /var/lib/seedrng/seed.no-credit
.SH AUTHOR
Jason A. Donenfeld <Jason@zx2c4.com>
Wed Apr 6 20:23:46 UTC 2022 a/haveged-1.9.17-x86_64-2.txz: Rebuilt. Install /etc/rc.d/rc.haveged as non-executable. For existing installations running a recent kernel, it is safe to turn this off. Back when we added the haveged package we were using the 4.4 kernel, but since Linux 5.4 this same entropy generating algorithm has been built into the kernel, so there's no reason to also run it in userspace. We'll keep the package around (for now, anyway) in case someone might be running an old kernel. Thanks to Jason A. Donenfeld. a/sysvinit-scripts-15.0-noarch-10.txz: Rebuilt. rc.S, rc.6: use the seedrng utility to seed and initialize the kernel random number generator and generate a new seed. If seedrng is missing, we'll attempt to do these things with scripting. Thanks to Jason A. Donenfeld for hints about how to make a modest improvement in that regard (blame me for any problems with my own changes), but because you can't force the kernel RNG to initialize with a script (it needs an ioctl), you won't get the same guarantees that you do when using the new seedrng utility. a/util-linux-2.38-x86_64-2.txz: Rebuilt. Added seedrng utility, used to seed and initialize the kernel random number generator and to generate new seeds for carrying entropy across reboots. Thanks to Jason A. Donenfeld. n/libmnl-1.0.5-x86_64-1.txz: Upgraded. n/libnfnetlink-1.0.2-x86_64-1.txz: Upgraded. xap/mozilla-thunderbird-91.8.0-x86_64-1.txz: Upgraded. This release contains security fixes and improvements. For more information, see: https://www.mozilla.org/en-US/thunderbird/91.8.0/releasenotes/ https://www.mozilla.org/en-US/security/advisories/mfsa2022-15/ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1097 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28281 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1197 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1196 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28282 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28285 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28286 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24713 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28289 (* Security fix *) 2022-04-06 22:23:46 +02:00			`.TH seedrng 8`
			`.SH NAME`
			`seedrng \- seed the Linux kernel random number generator`
			`.SH SYNOPSIS`
			`.B seedrng`
			`.SH DESCRIPTION`
			`.B SeedRNG`
			`SeedRNG is a simple program made for seeding the Linux kernel random`
			`number generator from seed files. The program takes no arguments, must`
			`be run as root, and always attempts to do something useful.`

			`This program is useful in light of the fact that the Linux kernel RNG`
			`cannot be initialized from shell scripts, and new seeds cannot be safely`
			`generated from boot time shell scripts either.`

			`It should be run once at init time and once at shutdown time. It can be`
			`run at other times without detriment as well. Whenever it is run, it writes`
			`existing seed files into the RNG pool, and then creates a new seed file.`
			`If the RNG is initialized at the time of creating a new seed file, then that`
			`new seed file is marked as "creditable", which means it can be used to`
			`initialize the RNG. Otherwise, it is marked as "non-creditable", in which`
			`case it is still used to seed the RNG's pool, but will not initialize the`
			`RNG.`

			`In order to ensure that entropy only ever stays the same or increases from`
			`one seed file to the next, old seed values are hashed together with new seed`
			`values when writing new seed files:`

			`.BR`
			`new_seed = new_seed[:-32] \|\| HASH(fixed_prefix \|\| real_time \|\| boot_time \|\| old_seed_len \|\| old_seed \|\| new_seed_len \|\| new_seed)`

			`The seed is stored in /var/lib/seedrng/, which can be adjusted at`
			`compile time. If the SEEDRNG_SKIP_CREDIT environment variable is set to 1,`
			`true, yes, or y, then seeds never credit the RNG, even if the seed file`
			`is creditable.`

			`.SH FILES`
			`.IR /var/lib/seedrng/seed.credit`
			`.IR /var/lib/seedrng/seed.no-credit`
			`.SH AUTHOR`
			`Jason A. Donenfeld <Jason@zx2c4.com>`