grazzolini / mkinitcpio-tor

Arch Linux mkinitcpio hook for running tor on the initramfs
BSD 3-Clause "New" or "Revised" License

Thank you very much for sharing your scripts. #3

Open grazzolini opened 4 years ago

grazzolini commented 4 years ago

Thank you very much for sharing your scripts.

On my Raspberry Pi 4 the tor-client (tor 0.4.2.5, linux 4.19.88-1-ARCH, libevent 2.1.11-stable, openssl 1.1.1d, zlib 1.2.11, liblzma 5.2.4, libzstd 1.4.4) doesn't work in the initramfs early userland. I assume this is due to the Pi's lack of a hardware clock. The tor-client is trying to bootstrap a connection to the tor network for about 3 minutes. When giving up the tor-client is displaying the standard failure message ("Tor can't help you...") and the wrong date and time.

The netconf hook set up the eth0-interface correctly and has assigned working ip, netmask, gateway and dns. The machine is ping-able from the LAN. I'm going to add a small ntp-client as a binary to the initcpio; in case that works, I'll let you know if you are interested.

Originally posted by @mkfifos in https://github.com/grazzolini/mkinitcpio-tor/pull/2#issuecomment-570281058

grazzolini commented 4 years ago

@mkfifos,

I have made this hook for a very specific situation, where I have some machines behind networks that I can't really access from outside. Either because I don't have control over the entire network, or because I don't have IPV4 access because of CG-NAT, or things like that.

Having said that, I didn't write it with RPI (or arm) in mind, but I can see the appeal of having it on such devices. Unfortunately, I don't even have an arm device to be able to test this. I do think that if there's a way to do this without bringing in additional binaries, it would be more interesting. Or, even better, trying to get the tor project more friendly about constrained environments.

I took a look at busybox commands, and it doesn't seem to contain any ntp capabilities either, so I don't like the idea of bringing extra binaries for covering the case of just one platform, which I can't even test or run things on.

p.s: I have moved your comment here, because it was on a closed PR

ghost commented 4 years ago

> I have moved your comment here, because it was on a closed PR

aargh, sorry for necrobumping...

> I do think that if there's a way to do this without bringing in additional binaries, it would be more interesting.

Arch Linux's Busybox ships with a "date" binary / applet, however it's small brother /usr/lib/initcpio/busybox does not. Therefore I had to add /usr/bin/date and decided to implement fetching date and time as a separate hook: https://github.com/mkfifos/mkinitcpio-date

With HOOKS=(base ... netconf date tor tinyssh encryptssh ...) it works now. Tor still needs about three to four minutes to bootstrap, so I might want to run it in debug mode to find out why. With enough spare time I might even upload my little script to the AUR. :-)
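
The approach described in this comment (fetch the time over plain HTTP, then hand it to date with syntax both busybox and GNU accept), as an added example; this is not mkfifos's mkinitcpio-date hook nor code from mkinitcpio-tor. TIME_URL is a constructed placeholder, and the example assumes wget, sed, tr, head and date are present in the initramfs. Because the Date header arrives over unauthenticated HTTP, the converter rejects anything that is not a well-formed date before it reaches date -s, which is the only integrity check available on that path.

```shell
#!/bin/sh
# Added example for this thread; not code from mkinitcpio-tor or mkinitcpio-date.
# Sets the early-userspace clock from the Date: header of an HTTP response,
# using only option syntax that busybox date/wget and GNU date/wget share.
# Assumptions (placeholders): TIME_URL is any plain-HTTP URL whose server
# returns a Date header; wget, sed, tr, head and date exist in the initramfs.

TIME_URL="${TIME_URL:-http://time.example.invalid/}"   # constructed placeholder

# Read raw HTTP response headers on stdin, print the first Date header value,
# e.g. "Sun, 05 Jan 2020 12:34:56 GMT". Leading spaces are stripped because
# both wgets indent the headers they echo with -S.
extract_http_date() {
    sed -n 's/^[[:space:]]*[Dd][Aa][Tt][Ee]:[[:space:]]*//p' | tr -d '\r' | head -n 1
}

# Convert an RFC 7231 date ("Sun, 05 Jan 2020 12:34:56 GMT") into
# "YYYY-MM-DD hh:mm:ss", which both busybox and GNU date accept for -s.
# Returns 1 on anything that does not look like a well-formed date, so a
# malformed or truncated header can never reach date -s.
http_date_to_iso() {
    set -- $1                     # split on whitespace: Sun, 05 Jan 2020 12:34:56 GMT
    [ $# -ge 5 ] || return 1
    day=$2; mon=$3; year=$4; time=$5
    case "$mon" in
        Jan) m=01 ;; Feb) m=02 ;; Mar) m=03 ;; Apr) m=04 ;; May) m=05 ;; Jun) m=06 ;;
        Jul) m=07 ;; Aug) m=08 ;; Sep) m=09 ;; Oct) m=10 ;; Nov) m=11 ;; Dec) m=12 ;;
        *) return 1 ;;
    esac
    case "$year" in [0-9][0-9][0-9][0-9]) ;; *) return 1 ;; esac
    case "$day"  in [0-9][0-9]) ;; *) return 1 ;; esac
    case "$time" in [0-9][0-9]:[0-9][0-9]:[0-9][0-9]) ;; *) return 1 ;; esac
    printf '%s-%s-%s %s\n' "$year" "$m" "$day" "$time"
}

# -S makes both wgets print the server's response headers (on stderr).
fetch_http_date() {
    wget -q -S -O /dev/null "$1" 2>&1 | extract_http_date
}

# Fetch, convert and set the clock in UTC. Fails (non-zero) rather than
# setting a garbage time if any step does not produce a usable value.
set_clock_from_http() {
    hdr=$(fetch_http_date "$TIME_URL") && [ -n "$hdr" ] || return 1
    iso=$(http_date_to_iso "$hdr") || return 1
    date -u -s "$iso" >/dev/null
}

# mkinitcpio runtime hook entry point (meant to run before the tor hook).
run_hook() {
    set_clock_from_http || echo "date: could not set time from $TIME_URL" >&2
}
```

The only date invocation is `date -u -s "YYYY-MM-DD hh:mm:ss"`, which is in the shared busybox/GNU subset, so the hook does not depend on which of the two binaries ends up in the image.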

grazzolini commented 4 years ago

@mkfifos

I have discussed before with @eli-schwartz about merging mkinitcpio-busybox with the regular busybox package. I think it's doable, but I need to check if there wouldn't be an issue due to the fact it's not using glibc, but musl instead. And also, the images would be bigger. I think it's doable to add the date binary to the mkinitcpio-busybox installation, it shouldn't increase the binary size too much.

ghost commented 4 years ago

@grazzolini It's 555K (initcpio/busybox) versus 1.2M (usr/bin/busybox) on arm architecture.

I used wget and sed binaries which are added by the base hook (I assume, didn't check), since busybox's applets sometimes have a different syntax, at least busybox's date has.

ghost commented 4 years ago

> Tor still needs about three to four minutes to bootstrap

```
dmesg | rg rand
[    0.000000] random: get_random_bytes called from start_kernel+0x90/0x520 with crng_init=0
[    5.362551] random: fast init done
[  153.370159] random: crng init done
```

Didn't use --debug but it looks like tor needs enough entropy to initialize.

eli-schwartz commented 4 years ago

> I used wget and sed binaries which are added by the base hook (I assume, didn't check), since busybox's applets sometimes have a different syntax, at least busybox's date has.

It's generally a good idea to stick to the minimal POSIX syntax if possible, or at least options that are widely portable. There's definitely a subset of options for "date" which are available for both busybox and GNU.

There are better reasons to not use busybox wget, including the fact that for security reasons, https support is disabled.

grazzolini commented 4 years ago

I guess that we need two things actually:

1) Correct time and date for tor to work
2) Enough entropy for tor to work

Also, I've noticed it blocks the boot process until enough entropy has been acquired, which is not optimal. I think one of the first things I can do, is try to find a way for it not to block. But I'm not sure what's the best way to have enough entropy on the initramfs, without relying on an external file, like systemd-boot does, for example.
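
An added example, not code from mkinitcpio-tor or from any commenter's hook, covering both the dmesg timeline ghost posted earlier in the thread (fast init at about 5 s, "crng init done" only at about 153 s) and the wish in this comment for a hook that does not block boot indefinitely while waiting for entropy. The 128-bit entropy_avail threshold and the 30 s budget are constructed choices, not values from the page; the dmesg lines are embedded as sample input.

```shell
#!/bin/sh
# Added example; not code from mkinitcpio-tor or any commenter's hook.
# Covers the two observations in this thread: the dmesg timeline ghost posted
# (fast init at ~5 s, "crng init done" only at ~153 s) and the wish for a
# hook that does not block boot forever while waiting for entropy.
# Assumptions: the 128-bit entropy_avail threshold and the 30 s budget are
# constructed choices for a Linux 4.19-era kernel, not values from the page.

# The dmesg lines quoted in the thread, embedded here as constructed sample input.
SAMPLE_DMESG='[    0.000000] random: get_random_bytes called from start_kernel+0x90/0x520 with crng_init=0
[    5.362551] random: fast init done
[  153.370159] random: crng init done'

# Read dmesg text on stdin; print "fast=<s> full=<s>" with the uptime at which
# the kernel logged fast init and full crng init (empty field if absent).
crng_timeline() {
    awk '
        /random: fast init done/ { t = $0; sub(/^\[ */, "", t); sub(/].*/, "", t); fast = t }
        /random: crng init done/ { t = $0; sub(/^\[ */, "", t); sub(/].*/, "", t); full = t }
        END { printf "fast=%s full=%s\n", fast, full }'
}

# Seconds of boot spent before the CRNG was fully seeded, from dmesg on stdin.
crng_init_seconds() {
    sed -n 's/^\[ *\([0-9.]*\)] random: crng init done.*/\1/p' | head -n 1
}

# Probe: is the kernel CSPRNG seeded? entropy_avail is checked first (no
# dmesg needed in the initramfs); the dmesg message is a fallback.
crng_ready() {
    if [ -r /proc/sys/kernel/random/entropy_avail ]; then
        read -r avail < /proc/sys/kernel/random/entropy_avail
        [ "$avail" -ge 128 ] && return 0
    fi
    dmesg 2>/dev/null | grep -q 'random: crng init done'
}

# wait_for_ready PROBE TIMEOUT: poll the shell function PROBE once per second
# until it succeeds; print seconds waited and return 0, or return 2 once
# TIMEOUT seconds have passed without success. The caller decides what to do
# on timeout, so boot is never blocked indefinitely.
wait_for_ready() {
    probe=$1; timeout=$2; waited=0
    until "$probe"; do
        [ "$waited" -ge "$timeout" ] && return 2
        sleep 1
        waited=$((waited + 1))
    done
    echo "$waited"
}

# mkinitcpio runtime hook entry point: give the CRNG a bounded head start
# before the tor hook, then continue either way with a visible warning.
run_hook() {
    if ! wait_for_ready crng_ready 30 >/dev/null; then
        echo "random: crng not seeded after 30 s; tor bootstrap may stall" >&2
    fi
}
```

Running `crng_timeline` over the quoted dmesg gives `fast=5.362551 full=153.370159`, which is the roughly two-and-a-half-minute gap that lines up with the three-to-four-minute tor bootstrap reported above; the bounded wait turns that gap into a logged, time-limited delay instead of an open-ended stall.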