Skip to content
New issue
Jump to bottom

linux: Select RANDOM_TRUST_CPU #1556

Closed
pmenzel opened this issue Dec 20, 2019 · 1 comment
Closed

linux: Select RANDOM_TRUST_CPU #1556

pmenzel opened this issue Dec 20, 2019 · 1 comment

Comments

@pmenzel
Copy link
Collaborator

pmenzel commented Dec 20, 2019

On the fast booting systems, there is not enough entropy in the beginning.

Dec 19 12:52:52 hypnotoad.molgen.mpg.de kernel: random: systemd-random-: uninitialized urandom read (512 bytes read)
Dec 19 12:52:53 hypnotoad.molgen.mpg.de kernel: random: tune3ware.pl: uninitialized urandom read (4 bytes read)
Dec 19 12:52:53 hypnotoad.molgen.mpg.de kernel: random: hostconfig: uninitialized urandom read (4 bytes read)
Dec 19 12:52:53 hypnotoad.molgen.mpg.de kernel: random: make-automaps: uninitialized urandom read (4 bytes read)
Dec 19 12:52:53 hypnotoad.molgen.mpg.de kernel: random: 5 urandom warning(s) missed due to ratelimiting

Should we trust the CPU manufacturers?

        random.trust_cpu={on,off}
                        [KNL] Enable or disable trusting the use of the
                        CPU's random number generator (if available) to
                        fully seed the kernel's CRNG. Default is controlled
                        by CONFIG_RANDOM_TRUST_CPU.

config RANDOM_TRUST_CPU
        bool "Trust the CPU manufacturer to initialize Linux's CRNG"
        depends on X86 || S390 || PPC
        default n
        help
        Assume that CPU manufacturer (e.g., Intel or AMD for RDSEED or
        RDRAND, IBM for the S390 and Power PC architectures) is trustworthy
        for the purposes of initializing Linux's CRNG.  Since this is not
        something that can be independently audited, this amounts to trusting
        that CPU manufacturer (perhaps with the insistence or mandate
        of a Nation State's intelligence or law enforcement agencies)
        has not installed a hidden back door to compromise the CPU's
        random number generation facilities. This can also be configured
        at boot with "random.trust_cpu=on/off".

deinemuddah:~> grep TRUST_CPU /boot/config-*
/boot/config-4.19.19.mx64.244:# CONFIG_RANDOM_TRUST_CPU is not set
/boot/config-4.19.40.mx64.262:# CONFIG_RANDOM_TRUST_CPU is not set
/boot/config-4.19.52.mx64.272:# CONFIG_RANDOM_TRUST_CPU is not set
/boot/config-4.19.56.mx64.274:# CONFIG_RANDOM_TRUST_CPU is not set
/boot/config-4.19.57.mx64.276:# CONFIG_RANDOM_TRUST_CPU is not set
/boot/config-4.19.57.mx64.282:# CONFIG_RANDOM_TRUST_CPU is not set
/boot/config-4.19.57.mx64.286:# CONFIG_RANDOM_TRUST_CPU is not set
/boot/config-5.4.5.mx64.305:# CONFIG_RANDOM_TRUST_CPU is not set
@donald
Copy link
Collaborator

donald commented Dec 23, 2019

I think we can switch that on.

Sign in to join this conversation on GitHub.
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@donald @pmenzel