
From:
Klemens Nanni <kn@openbsd.org>
Subject:
Re: installer, rc: unify random seeding
To:
Theo de Raadt <deraadt@openbsd.org>
Cc:
OpenBSD tech <tech@openbsd.org>
Date:
Fri, 2 May 2025 23:53:14 +0000


03.05.2025 02:41, Theo de Raadt пишет:
> +       # The bootloader marks it consumed via the sticky bit, reset the mark.
> 
> I don't like that -- it isn't even a sentence.  Calling the sticky bit a
> mark, without explaining why it is a mark, misses the point.
> 
> Removal of the sticky bit indicates the file has fresh contents for
> use by a subsequent bootloader (who sets the sticky bit to prevent
> content reuse).

Thanks, let's use your text as-is.

Index: distrib/miniroot/install.sub
===================================================================
RCS file: /cvs/src/distrib/miniroot/install.sub,v
diff -u -p -r1.1269 install.sub
--- distrib/miniroot/install.sub	6 Apr 2025 11:54:36 -0000	1.1269
+++ distrib/miniroot/install.sub	2 May 2025 23:50:35 -0000
@@ -2922,12 +2922,17 @@ encr_pwd() {
 	fi
 }
 
-# Store entropy for the next boot.
+# Create future seeds for the bootloader and rc(8).
 store_random() {
-	dd if=/dev/random of=/mnt/var/db/host.random bs=65536 count=1 \
-		status=none
-	dd if=/dev/random of=/mnt/etc/random.seed bs=512 count=1 status=none
-	chmod 600 /mnt/var/db/host.random /mnt/etc/random.seed
+	local _bootseed=/mnt/etc/random.seed _hostseed=/mnt/var/db/host.random
+
+	dd if=/dev/random of=$_bootseed bs=512   count=1 status=none
+	dd if=/dev/random of=$_hostseed bs=65536 count=1 status=none
+
+	# Removal of the sticky bit indicates the file has fresh contents for
+	# use by a subsequent bootloader (who sets the sticky bit to prevent
+	# content reuse).
+	chmod u=rw-t,go= $_bootseed $_hostseed
 }
 
 # Final steps common for installs and upgrades.
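Review bot: The `chmod u=rw-t,go=` at the end of store_random runs whether or not the two dd writes succeeded, so the sticky bit is cleared even when a seed file was not refreshed. According to the comment above it, a cleared sticky bit tells the bootloader the contents are fresh, so after a failed write already-consumed or truncated contents would be treated as new. Consider clearing the bit per file only after its write succeeds, e.g. `dd if=/dev/random of=$_bootseed bs=512 count=1 status=none && chmod u=rw-t,go= $_bootseed`, and likewise for `$_hostseed`. The store_random added to etc/rc has the same shape.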
@@ -3058,7 +3063,7 @@ __EOT
 		fi
 	fi
 
-	# Store entropy for the next boot.
+	# Update seed files.
 	store_random
 
 	# Pat on the back.
Index: etc/rc
===================================================================
RCS file: /cvs/src/etc/rc,v
diff -u -p -r1.580 rc
--- etc/rc	7 Apr 2025 14:49:26 -0000	1.580
+++ etc/rc	2 May 2025 23:50:34 -0000
@@ -72,14 +75,20 @@ wsconsctl_conf() {
 	done
 }
 
-# Push the old seed into the kernel, create a future seed  and create a seed
-# file for the boot-loader.
-random_seed() {
-	dd if=/var/db/host.random of=/dev/random bs=65536 count=1 status=none
-	chmod 600 /var/db/host.random
-	dd if=/dev/random of=/var/db/host.random bs=65536 count=1 status=none
-	dd if=/dev/random of=/etc/random.seed bs=512 count=1 status=none
-	chmod 600 /etc/random.seed
+# Push the old seed into the kernel and create future seeds for the bootloader,
+# the installer and rc(8).
+store_random() {
+	local _bootseed=/etc/random.seed _hostseed=/var/db/host.random
+
+	dd if=$_hostseed of=/dev/random bs=65536 count=1 status=none
+
+	dd if=/dev/random of=$_bootseed bs=512   count=1 status=none
+	dd if=/dev/random of=$_hostseed bs=65536 count=1 status=none
+
+	# Removal of the sticky bit indicates the file has fresh contents for
+	# use by a subsequent bootloader (who sets the sticky bit to prevent
+	# content reuse).
+	chmod u=rw-t,go= $_bootseed $_hostseed
 }
 
 # Populate net.inet.(tcp|udp).baddynamic with the contents of /etc/services so
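Review bot: Both seed files are written by dd before `chmod u=rw-t,go=` restricts them, so a seed file that does not exist yet is created with whatever mode the current umask allows and keeps it until the chmod runs. The umask in effect is not visible in this hunk; if it permits group or other read, a freshly created seed is briefly readable by other local users. Running the two writes under a restrictive umask, for example `(umask 077; dd if=/dev/random of=$_bootseed bs=512 count=1 status=none)`, would close that window. Files that already exist keep their mode when dd rewrites them, so this only concerns first creation.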
@@ -351,12 +360,8 @@ _rc_parse_conf
 # - execute the rc.d scripts specified by $pkg_scripts in reverse order
 # - bring carp interfaces down gracefully
 if [[ $1 == shutdown ]]; then
-	if echo 2>/dev/null >>/var/db/host.random ||
-	    echo 2>/dev/null >>/etc/random.seed; then
-		random_seed
-	else
-		echo warning: cannot write random seed to disk
-	fi
+	store_random 2>/dev/null ||
+		echo 'warning: cannot write random seed to disk'
 
 	# If we are in secure level 0, assume single user mode.
 	if (($(sysctl -n kern.securelevel) == 0)); then
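Review bot: The warning on the `||` branch only fires when the last command in store_random, the chmod, fails, because the function returns that status and none of the dd results. With `2>/dev/null` also discarding dd's own diagnostics, a seed write that fails while the chmod still succeeds would go unreported at shutdown. If the warning is meant to cover write failures, store_random should return non-zero when either write fails, e.g. by joining the two writing dd calls and the chmod with `&&`. The enclosing `if [[ $1 == shutdown ]]` block continues past this hunk.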
@@ -490,7 +495,7 @@ sh /etc/netstart
 
 start_daemon unwind >/dev/null 2>&1
 
-random_seed
+store_random
 
 wait_reorder_libs