Closed GoogleCodeExporter closed 9 years ago
You are right that the veritysetup create command doesn't need to read from
/dev/[u]random.
But it needs to initialize the crypto backend (RNG init is part of it) and the
RNG nodes are required here. (In FIPS mode the RNG from gcrypt is used; it is
initialised in the same place as part of the crypto library. So these are paired
together.)
I really do not think it is worth implementing a workaround for such a
simplified system. Many other commands will fail terribly with the RNG missing.
An existing /dev/[u]random is simply a requirement for libcryptsetup
initialization and I think you have a simple workaround with mknod.
Also I think you should start udev before mapping your image - you will have
working automatic loop devices as a bonus :)
(I think mounting /dev/ as devtmpfs should work here. I know that a static
/dev has some advantages, but unfortunately not in combination with udev -
they do not support it, IIRC.)
Sorry, but I am not going to fix this one - /dev/random is simply a prerequisite
for using libcryptsetup.
Original comment by gmazyl...@gmail.com
on 30 Aug 2013 at 9:23
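
The mknod workaround mentioned in the comment above, written out as an added example (it is not part of the original comment or of cryptsetup): a pre-flight check for an early-boot script with a static /dev that verifies the RNG nodes before libcryptsetup is initialised. The function names are hypothetical; 1:8 and 1:9 are the standard Linux device numbers for /dev/random and /dev/urandom, and a `stat` that supports `-c` (GNU coreutils or BusyBox) is assumed.

```shell
#!/bin/sh
# Added example (hypothetical helper names): check the RNG device nodes
# that libcryptsetup needs before running veritysetup on a static /dev.

# Print the state of one node: ok | missing | not-chardev | wrong-devno
rng_node_state() {
    path=$1; want_major=$2; want_minor=$3
    [ -e "$path" ] || { echo missing; return; }
    # A regular file or FIFO at this path would hand fixed or
    # externally controlled bytes to anything that treats it as an RNG.
    [ -c "$path" ] || { echo not-chardev; return; }
    # stat prints the device major (%t) and minor (%T) in hex.
    set -- $(stat -c '%t %T' "$path")
    if [ "$((0x$1))" -eq "$want_major" ] && [ "$((0x$2))" -eq "$want_minor" ]; then
        echo ok
    else
        echo wrong-devno
    fi
}

# Create the node only when it is missing; never silently replace or
# accept a node that exists but is not the expected character device.
ensure_rng_node() {
    state=$(rng_node_state "$1" "$2" "$3")
    case $state in
        ok)      return 0 ;;
        missing) mknod -m 644 "$1" c "$2" "$3" ;;
        *)       echo "$1: $state, refusing to continue" >&2; return 1 ;;
    esac
}

# Intended call order in the boot script (needs root for mknod):
#   ensure_rng_node /dev/random  1 8 &&
#   ensure_rng_node /dev/urandom 1 9 &&
#   veritysetup create ...   # arguments as in your existing setup
```
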
Original issue reported on code.google.com by
AndreasFuchsSIT
on 30 Aug 2013 at 8:05