From 08f9170ba4011ca6acac9b6192ca909135874f2d Mon Sep 17 00:00:00 2001 From: Michael Brown Date: Fri, 7 Mar 2014 16:40:36 +0000 Subject: [PATCH] [linux] Avoid starting currticks() from zero every time iPXE uses currticks() (along with the MAC address(es) of any network devices) to seed the (non-cryptographic) random number generator. The current implementation of linux_currticks() ensures that the first call to currticks() will always return zero; this results in identical random number sequences on each run of iPXE on a given machine. This can cause odd-looking behaviour due to e.g. the reuse of local TCP port numbers. Fix by effectively rounding down the start time recorded by linux_currticks() to the nearest whole second; this makes it unlikely that consecutive runs of iPXE will use the exact same RNG sequence. (Note that none of this affects the cryptographic RNG, which uses /dev/random as a source of entropy.) Signed-off-by: Michael Brown --- src/interface/linux/linux_timer.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/src/interface/linux/linux_timer.c b/src/interface/linux/linux_timer.c index bf55cd188..7a994517b 100644 --- a/src/interface/linux/linux_timer.c +++ b/src/interface/linux/linux_timer.c @@ -55,6 +55,12 @@ static unsigned long linux_ticks_per_sec(void) * linux doesn't provide an easy access to jiffies so implement it by measuring * the time since the first call to this function. * + * Since this function is used to seed the (non-cryptographic) random + * number generator, we round the start time down to the nearest whole + * second. This minimises the chances of generating identical RNG + * sequences (and hence identical TCP port numbers, etc) on + * consecutive invocations of iPXE. + * * @ret ticks Current time, in ticks */ static unsigned long linux_currticks(void) @@ -71,7 +77,7 @@ static unsigned long linux_currticks(void) linux_gettimeofday(&now, NULL); unsigned long ticks = (now.tv_sec - start.tv_sec) * linux_ticks_per_sec(); - ticks += (now.tv_usec - start.tv_usec) / (long)(1000000 / linux_ticks_per_sec()); + ticks += now.tv_usec / (long)(1000000 / linux_ticks_per_sec()); return ticks; }