1 files changed, 74 insertions, 0 deletions
diff --git a/sys-apps/systemd/files/250.4-random-seed-hash.patch b/sys-apps/systemd/files/250.4-random-seed-hash.patch
new file mode 100644
index 000000000000..efaa8cdfcaac
--- /dev/null
+++ b/sys-apps/systemd/files/250.4-random-seed-hash.patch
@@ -0,0 +1,74 @@
+https://github.com/systemd/systemd-stable/commit/ed46ff2bd6ca21d83cae4a94c3ed752ad1b64cce
+
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+Date: Mon, 3 Jan 2022 18:11:32 +0100
+Subject: [PATCH] random-seed: hash together old seed and new seed before
+ writing out file
+
+If we're consuming an on-disk seed, we usually write out a new one after
+consuming it. In that case, we might be at early boot and the randomness
+could be rather poor, and the kernel doesn't guarantee that it'll use
+the new randomness right away for us. In order to prevent the new
+entropy from getting any worse, hash together the old seed and the new
+seed, and replace the final bytes of the new seed with the hash output.
+This way, entropy strictly increases and never regresses.
+
+(cherry picked from commit da2862ef06f22fc8d31dafced6d2d6dc14f2ee0b)
+--- a/src/random-seed/random-seed.c
++++ b/src/random-seed/random-seed.c
+@@ -26,6 +26,7 @@
+ #include "random-util.h"
+ #include "string-util.h"
+ #include "sync-util.h"
++#include "sha256.h"
+ #include "util.h"
+ #include "xattr-util.h"
+ 
+@@ -106,9 +107,11 @@ static int run(int argc, char *argv[]) {
+         _cleanup_close_ int seed_fd = -1, random_fd = -1;
+         bool read_seed_file, write_seed_file, synchronous;
+         _cleanup_free_ void* buf = NULL;
++        struct sha256_ctx hash_state;
++        uint8_t hash[32];
+         size_t buf_size;
+         struct stat st;
+-        ssize_t k;
++        ssize_t k, l;
+         int r;
+ 
+         log_setup();
+@@ -242,6 +245,16 @@ static int run(int argc, char *argv[]) {
+                         if (r < 0)
+                                 log_error_errno(r, "Failed to write seed to /dev/urandom: %m");
+                 }
++                /* If we're going to later write out a seed file, initialize a hash state with
++                 * the contents of the seed file we just read, so that the new one can't regress
++                 * in entropy. */
++                if (write_seed_file) {
++                        sha256_init_ctx(&hash_state);
++                        if (k < 0)
++                                k = 0;
++                        sha256_process_bytes(&k, sizeof(k), &hash_state);
++                        sha256_process_bytes(buf, k, &hash_state);
++                }
+         }
+ 
+         if (write_seed_file) {
+@@ -277,6 +290,17 @@ static int run(int argc, char *argv[]) {
+                                                        "Got EOF while reading from /dev/urandom.");
+                 }
+ 
++                /* If we previously read in a seed file, then hash the new seed into the old one,
++                 * and replace the last 32 bytes of the seed with the hash output, so that the
++                 * new seed file can't regress in entropy. */
++                if (read_seed_file) {
++                        sha256_process_bytes(&k, sizeof(k), &hash_state);
++                        sha256_process_bytes(buf, k, &hash_state);
++                        sha256_finish_ctx(&hash_state, hash);
++                        l = MIN(k, 32);
++                        memcpy((uint8_t *)buf + k - l, hash, l);
++                }
++
+                 r = loop_write(seed_fd, buf, (size_t) k, false);
+                 if (r < 0)
+                         return log_error_errno(r, "Failed to write new random seed file: %m");