Integrated crypto

Robert Connolly robert at linuxfromscratch.org
Tue Apr 6 13:37:08 PDT 2004


My isp's email service has gone from bad to worse (I have lost a few
messages) :\ Guess I'll use this one from now on.

I made this:
http://linuxfromscratch.org/~robert/new/linux-2.4.25-pax-frandom-1.patch

From this:
http://frandom.sourceforge.net/

There is a mknod command at the top of the patch; the insmod command
isn't needed. I think it works, but I have never debugged a kernel so
I'm not positive it's working properly. If it's working it depends on
PaX ASLR, which is where it's getting its entropy. After mknod,
/dev/frandom will still perform as well as the vanilla version (to
fill discs with), but it won't use any kernel entropy. This patch makes
use of it:
http://linuxfromscratch.org/~robert/new/glibc-2.3.3-ssp-functions-2.patch

During an HLFS build the host system won't have /dev/frandom, which
is fine; it will fall back to the terminator canary. If anyone wants I
could add urandom between frandom and canary as a second fallback (or
you can symlink frandom to urandom, but that's not a great idea).

This first patch might use some more changes, I just piped it on the
end of random.c. Kernel 2.6 can use it exactly the same way.

If I can get a confirmation that it is indeed using ASLR entropy, then
it should go in the book. A sysctl interface would be nice too, so
this can work through libc and sysctl in a chroot.
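The canary fallback chain the post describes (frandom, then the urandom step offered as a second fallback, then the terminator canary), written out as an added example; this is not code from the glibc SSP patch or from the frandom project. The source list, the return convention and the exact terminator bytes (NUL, NUL, newline, 0xff, in the order ProPolice uses) are assumptions of this example.

```c
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* One machine word, the width ProPolice uses for its __guard value. */
#define GUARD_BYTES (sizeof(uintptr_t))

/*
 * Fill `guard` from the first source that yields a full word and return
 * that source's index. If none can be read, install the terminator canary
 * and return -1. The byte layout (NUL, NUL, '\n', 0xff) mirrors ProPolice's
 * fallback; the exact bytes are an assumption of this example.
 */
int guard_setup(unsigned char guard[], const char *const *sources, size_t nsources)
{
    for (size_t i = 0; i < nsources; i++) {
        int fd = open(sources[i], O_RDONLY);
        if (fd < 0)
            continue;               /* device absent (e.g. no /dev/frandom on the host) */
        size_t got = 0;
        while (got < GUARD_BYTES) {
            ssize_t n = read(fd, guard + got, GUARD_BYTES - got);
            if (n <= 0)
                break;              /* short read or error: give up on this source */
            got += (size_t)n;
        }
        close(fd);
        if (got == GUARD_BYTES)
            return (int)i;
    }
    /* Terminator canary: the bytes that stop strcpy/gets/fgets-style copies,
       so a string overflow cannot run past the guard without altering it. */
    memset(guard, 0, GUARD_BYTES);
    guard[2] = '\n';
    guard[3] = 0xff;
    return -1;
}

/* Preference order from the post: frandom first, urandom as the second fallback. */
static const char *const default_sources[] = { "/dev/frandom", "/dev/urandom" };

int main(void)
{
    unsigned char guard[GUARD_BYTES];
    int src = guard_setup(guard, default_sources, 2);
    printf("guard source: %s\n", src < 0 ? "terminator canary" : default_sources[src]);
    return 0;
}
```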
