urandom-seed: use seedrng for seeding the random number generator

The RNG can't actually be seeded from a shell script, due to the
reliance on ioctls. For this reason, the seedrng project provides a
basic script meant to be copy and pasted into projects like OpenWRT
and tweaked as needed: <https://git.zx2c4.com/seedrng/about/>.

This commit imports it into the urandom-seed package and wires up the
init scripts to call it. This also is a significant improvement over the
current init script, which does not robustly handle cleaning up of seeds
and syncing to prevent reuse. Additionally, the existing script creates
a new seed immediately after writing an old one, which means that the
amount of entropy might actually regress, due to failing to credit the
old seed.

Closes: openwrt#9570
Signed-off-by: Jason A. Donenfeld <[email protected]>
Signed-off-by: Petr Štetiar <[email protected]> [fixed missing INSTALL_DIR]

package/system/urandom-seed/Makefile

@@ -9,7 +9,6 @@ include $(INCLUDE_DIR)/package.mk
 define Package/urandom-seed
   SECTION:=base
   CATEGORY:=Base system
-  DEPENDS:=+getrandom
   TITLE:=/etc/urandom.seed handling for OpenWrt
   URL:=https://openwrt.org/
 endef
@@ -19,11 +18,15 @@ define Build/Prepare
 endef
 
 define Build/Compile/Default
+	$(TARGET_CC) $(TARGET_CFLAGS) $(TARGET_CPPFLAGS) $(TARGET_LDFLAGS) \
+		-std=gnu99 -o $(PKG_BUILD_DIR)/seedrng seedrng.c
 endef
 Build/Compile = $(Build/Compile/Default)
 
 define Package/urandom-seed/install
 	$(CP) ./files/* $(1)/
+	$(INSTALL_DIR) $(1)/sbin
+	$(CP) $(PKG_BUILD_DIR)/seedrng $(1)/sbin/
 endef
 
 $(eval $(call BuildPackage,urandom-seed))

package/system/urandom-seed/files/etc/init.d/urandom_seed

@@ -5,7 +5,7 @@ USE_PROCD=1
 
 start_service() {
     procd_open_instance "urandom_seed"
-    procd_set_param command "/sbin/urandom_seed"
+    procd_set_param command "/sbin/seedrng"
     procd_set_param stdout 1
     procd_set_param stderr 1
     procd_close_instance

package/system/urandom-seed/files/lib/preinit/81_urandom_seed

@@ -2,21 +2,11 @@ log_urandom_seed() {
     echo "urandom-seed: $1" > /dev/kmsg
 }
 
-_do_urandom_seed() {
-    [ -f "$1" ] || { log_urandom_seed "Seed file not found ($1)"; return; }
-    [ -O "$1" -a -G "$1" -a ! -x "$1" ] || { log_urandom_seed "Wrong owner / permissions for $1"; return; }
-
-    log_urandom_seed "Seeding with $1"
-    cat "$1" > /dev/urandom
-}
-
 do_urandom_seed() {
     [ -c /dev/urandom ] || { log_urandom_seed "Something is wrong with /dev/urandom"; return; }
-
-    _do_urandom_seed "/etc/urandom.seed"
-
-    SEED="$(uci -q get system.@system[0].urandom_seed)"
-    [ "${SEED:0:1}" = "/" -a "$SEED" != "/etc/urandom.seed" ] && _do_urandom_seed "$SEED"
+    seedrng 2>&1 | while read -r line; do
+        log_urandom_seed "$line"
+    done
 }
 
 boot_hook_add preinit_main do_urandom_seed