summaryrefslogtreecommitdiffstats
path: root/src/random-seed/random-seed.c
diff options
context:
space:
mode:
Diffstat (limited to 'src/random-seed/random-seed.c')
-rw-r--r--src/random-seed/random-seed.c111
1 files changed, 2 insertions, 109 deletions
diff --git a/src/random-seed/random-seed.c b/src/random-seed/random-seed.c
index a50fdc12ae..c3353e5518 100644
--- a/src/random-seed/random-seed.c
+++ b/src/random-seed/random-seed.c
@@ -16,10 +16,7 @@
#include "alloc-util.h"
#include "build.h"
-#include "chase-symlinks.h"
-#include "efi-loader.h"
#include "fd-util.h"
-#include "find-esp.h"
#include "fs-util.h"
#include "io-util.h"
#include "log.h"
@@ -27,17 +24,13 @@
#include "missing_random.h"
#include "missing_syscall.h"
#include "mkdir.h"
-#include "parse-argument.h"
#include "parse-util.h"
-#include "path-util.h"
#include "pretty-print.h"
#include "random-util.h"
#include "string-table.h"
#include "string-util.h"
-#include "strv.h"
#include "sync-util.h"
#include "sha256.h"
-#include "terminal-util.h"
#include "xattr-util.h"
typedef enum SeedAction {
@@ -313,100 +306,6 @@ static int save_seed_file(
return 0;
}
-static int refresh_boot_seed(void) {
- uint8_t buffer[RANDOM_EFI_SEED_SIZE];
- struct sha256_ctx hash_state;
- _cleanup_free_ void *seed_file_bytes = NULL;
- _cleanup_free_ char *esp_path = NULL;
- _cleanup_close_ int seed_fd = -EBADF, dir_fd = -EBADF;
- size_t len;
- ssize_t n;
- int r;
-
- assert_cc(RANDOM_EFI_SEED_SIZE == SHA256_DIGEST_SIZE);
-
- r = find_esp_and_warn(NULL, NULL, /* unprivileged_mode= */ false, &esp_path,
- NULL, NULL, NULL, NULL, NULL);
- if (r < 0) {
- if (r == -ENOKEY) {
- log_debug_errno(r, "Couldn't find any ESP, so not updating ESP random seed.");
- return 0;
- }
- return r; /* find_esp_and_warn() already logged */
- }
-
- r = chase_symlinks("/loader", esp_path, CHASE_PREFIX_ROOT|CHASE_PROHIBIT_SYMLINKS, NULL, &dir_fd);
- if (r < 0) {
- if (r == -ENOENT) {
- log_debug_errno(r, "Couldn't find ESP loader directory, so not updating ESP random seed.");
- return 0;
- }
- return log_error_errno(r, "Failed to open ESP loader directory: %m");
- }
- seed_fd = openat(dir_fd, "random-seed", O_NOFOLLOW|O_RDWR|O_CLOEXEC|O_NOCTTY);
- if (seed_fd < 0 && errno == ENOENT) {
- uint64_t features;
- r = efi_loader_get_features(&features);
- if (r == 0 && FLAGS_SET(features, EFI_LOADER_FEATURE_RANDOM_SEED))
- seed_fd = openat(dir_fd, "random-seed", O_CREAT|O_EXCL|O_RDWR|O_CLOEXEC|O_NOCTTY, 0600);
- else {
- log_debug_errno(seed_fd, "Couldn't find ESP random seed, and not booted with systemd-boot, so not updating ESP random seed.");
- return 0;
- }
- }
- if (seed_fd < 0)
- return log_error_errno(errno, "Failed to open EFI seed path: %m");
- r = random_seed_size(seed_fd, &len);
- if (r < 0)
- return log_error_errno(r, "Failed to determine EFI seed path length: %m");
- seed_file_bytes = malloc(len);
- if (!seed_file_bytes)
- return log_oom();
- n = loop_read(seed_fd, seed_file_bytes, len, false);
- if (n < 0)
- return log_error_errno(n, "Failed to read EFI seed file: %m");
-
- /* Hash the old seed in so that we never regress in entropy. */
- sha256_init_ctx(&hash_state);
- sha256_process_bytes_and_size(seed_file_bytes, n, &hash_state);
-
- /* We're doing this opportunistically, so if the seeding dance before didn't manage to initialize the
- * RNG, there's no point in doing it here. Secondly, getrandom(GRND_NONBLOCK) has been around longer
- * than EFI seeding anyway, so there's no point in having non-getrandom() fallbacks here. So if this
- * fails, just return early to cut our losses. */
- n = getrandom(buffer, sizeof(buffer), GRND_NONBLOCK);
- if (n < 0) {
- if (errno == EAGAIN) {
- log_debug_errno(errno, "Random pool not initialized yet, so skipping EFI seed update");
- return 0;
- }
- if (errno == ENOSYS) {
- log_debug_errno(errno, "getrandom() not available, so skipping EFI seed update");
- return 0;
- }
- return log_error_errno(errno, "Failed to generate random bytes for EFI seed: %m");
- }
- assert(n == sizeof(buffer));
-
- /* Hash the new seed into the state containing the old one to generate our final seed. */
- sha256_process_bytes_and_size(buffer, n, &hash_state);
- sha256_finish_ctx(&hash_state, buffer);
-
- if (lseek(seed_fd, 0, SEEK_SET) < 0)
- return log_error_errno(errno, "Failed to seek to beginning of EFI seed file: %m");
- r = loop_write(seed_fd, buffer, sizeof(buffer), false);
- if (r < 0)
- return log_error_errno(r, "Failed to write new EFI seed file: %m");
- if (ftruncate(seed_fd, sizeof(buffer)) < 0)
- return log_error_errno(errno, "Failed to truncate EFI seed file: %m");
- r = fsync_full(seed_fd);
- if (r < 0)
- return log_error_errno(r, "Failed to fsync EFI seed file: %m");
-
- log_debug("Updated random seed in ESP");
- return 0;
-}
-
static int help(int argc, char *argv[], void *userdata) {
_cleanup_free_ char *link = NULL;
int r;
@@ -524,10 +423,7 @@ static int run(int argc, char *argv[]) {
log_full_errno(level, open_rw_error, "Failed to open " RANDOM_SEED " for writing: %m");
log_full_errno(level, errno, "Failed to open " RANDOM_SEED " for reading: %m");
- r = -errno;
-
- (void) refresh_boot_seed();
- return missing ? 0 : r;
+ return missing ? 0 : -errno;
}
} else
write_seed_file = true;
@@ -537,7 +433,6 @@ static int run(int argc, char *argv[]) {
break;
case ACTION_SAVE:
- (void) refresh_boot_seed();
seed_fd = open(RANDOM_SEED, O_WRONLY|O_CLOEXEC|O_NOCTTY|O_CREAT, 0600);
if (seed_fd < 0)
return log_error_errno(errno, "Failed to open " RANDOM_SEED ": %m");
@@ -555,11 +450,9 @@ static int run(int argc, char *argv[]) {
if (r < 0)
return r;
- if (read_seed_file) {
+ if (read_seed_file)
r = load_seed_file(seed_fd, random_fd, seed_size,
write_seed_file ? &hash_state : NULL);
- (void) refresh_boot_seed();
- }
if (r >= 0 && write_seed_file)
r = save_seed_file(seed_fd, random_fd, seed_size, synchronous, hash_state);