Contributed by tbert on from the mathematically-impossible-to-guess-what-you-got-for-christmas dept.
Initial support for boot-time availability of high-quality random numbers has been committed:
From: Theo de Raadt
To: email@example.com Subject: Randomization from the bootblocks Over the holidays I've written code to do something we've talked about for a long time but never gotten around to. The bootblocks are now capable of providing entropy to the kernel very early on. This requires an upgrade of the bootblocks and at least /etc/rc (which saves an entropy file for future use). Some bootblocks will be able to use machine-dependent features to improve the entropy even further (for instance using random instructions or fast-running counters or such). As a result, the kernel can start using arc4random() exceedingly early on, even before interrupt entropy is collected. The randomization subsystem can hopefully become simpler due to this early entropy.. there is more work do here. At least i386, amd64, macppc, sparc64, hppa, and loongson are supported. Hopefully the others are not far behind.
Because many in-kernel consumers of randomness are initialised very early, this means that the in-kernel protections derived from randomness should now be much better.
(Comments are closed)