FS#63692 - [linux][linux-lts][linux-zen][linux-hardened] enable CONFIG_RANDOM_TRUST_CPU

Attached to Project: Arch Linux
Opened by Eduard Toloza (edu4rdshl) - Sunday, 08 September 2019, 22:28 GMT
Last edited by Eli Schwartz (eschwartz) - Sunday, 08 September 2019, 22:59 GMT
Task Type Feature Request
Category Kernel
Status Closed
Assigned To No-one
Architecture All
Severity Low
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 1
Private No

Details

Description: Enabling this option, introduced in https://github.com/torvalds/linux/commit/39a8883a2b989d1d21bd8dd99f5557f0c5e89694, will allow all recent Intel and AMD CPUs to provide the CPU opcode RDRAND to acquire random bytes. Linux includes random bytes generated this way in its entropy pool, but didn’t use to credit entropy for it (i.e. data from this source wasn’t considered good enough to consider the entropy pool properly filled even though it was used). This has changed recently however, and most big distributions have turned on the CONFIG_RANDOM_TRUST_CPU=y kernel compile time option. This means systems with CPUs supporting this opcode will be able to very quickly reach the “pool filled” state. Source: https://systemd.io/RANDOM_SEEDS

Additional info:
* package version(s): 5.2.13.arch1-1
* config and/or log files etc.
* link to upstream bug report, if any

Closed by Eli Schwartz (eschwartz)
Sunday, 08 September 2019, 22:59 GMT
Reason for closing: Won't implement
Additional comments about closing: We will not implement this feature, on the grounds that:
- we have rejected it in the past
- you can enable it with a boot parameter
- a biased press release from a third-party source is hardly justification to relax security policies by making people have to opt out of what many consider an anti-feature.
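The closing comment points at the boot parameter as the opt-in route. The script below is an added example (not from this ticket, the Arch kernel packages, or the systemd page) that reports whether a running kernel credits RDRAND/RDSEED output, and which setting decided it. It assumes the precedence implemented in drivers/char/random.c for the 5.x kernels this ticket concerns: the `random.trust_cpu=` boot parameter, parsed like the kernel's `kstrtobool()`, overrides the compile-time `CONFIG_RANDOM_TRUST_CPU` default. It also assumes the kernel config is readable from `/proc/config.gz` or `/boot/config-$(uname -r)`; the sample command lines and config fragments in `demo` are constructed, not captured from a real system.

```sh
#!/bin/sh
# Added example, not code from the Arch bug tracker page or the Arch kernel
# packages. Reports whether the running kernel credits CPU RNG output toward
# the entropy pool, mirroring drivers/char/random.c on 5.x kernels
# (assumption: verify against your own kernel source): the random.trust_cpu=
# boot parameter overrides the compiled-in CONFIG_RANDOM_TRUST_CPU default.

# trust_cpu_state CMDLINE CONFIG_TEXT
# Prints "on"/"off"/"unknown" plus where the decision came from.
trust_cpu_state() {
    cmdline=$1
    config=$2
    # early_param handlers run once per occurrence, so the last one wins.
    param=$(printf '%s\n' "$cmdline" | tr ' ' '\n' \
            | grep '^random\.trust_cpu=' | tail -n 1 | cut -d= -f2-)
    # kstrtobool() inspects only the leading character(s); any other value is
    # rejected and the compiled-in default stays in effect.
    case "$param" in
        [yY1]*|[oO][nN]*) echo "on (boot parameter)"; return 0 ;;
        [nN0]*|[oO][fF]*) echo "off (boot parameter)"; return 0 ;;
    esac
    if [ -z "$config" ]; then
        echo "unknown (kernel config not available)"
    elif printf '%s\n' "$config" | grep -q '^CONFIG_RANDOM_TRUST_CPU=y$'; then
        echo "on (build config)"
    else
        echo "off (build config)"
    fi
}

# cpu_flag_present FLAG CPUINFO_TEXT -> "yes" or "no"
# Crediting only matters when the CPU actually exposes the instruction.
cpu_flag_present() {
    if printf '%s\n' "$2" | grep -Eq "^flags[[:space:]]*:.*[[:space:]]$1([[:space:]]|\$)"; then
        echo yes
    else
        echo no
    fi
}

# Constructed sample inputs (not captured from a real machine) covering each
# branch: config default, parameter override in both directions, bad value.
demo() {
    cfg_on='CONFIG_RANDOM_TRUST_CPU=y'
    cfg_off='# CONFIG_RANDOM_TRUST_CPU is not set'
    trust_cpu_state 'root=/dev/sda2 rw quiet' "$cfg_on"              # on (build config)
    trust_cpu_state 'root=/dev/sda2 random.trust_cpu=off' "$cfg_on"  # off (boot parameter)
    trust_cpu_state 'random.trust_cpu=on rw' "$cfg_off"              # on (boot parameter)
    trust_cpu_state 'random.trust_cpu=maybe' "$cfg_off"              # off (build config)
    cpu_flag_present rdrand 'flags : fpu vme rdrand sse'             # yes
}

# Inspect the machine this runs on; every read degrades gracefully when a
# file is absent (e.g. a kernel built without CONFIG_IKCONFIG_PROC).
main() {
    cmdline=$(cat /proc/cmdline 2>/dev/null || :)
    if [ -r /proc/config.gz ]; then
        config=$(zcat /proc/config.gz 2>/dev/null || :)
    elif [ -r "/boot/config-$(uname -r)" ]; then
        config=$(cat "/boot/config-$(uname -r)" 2>/dev/null || :)
    else
        config=''
    fi
    cpuinfo=$(cat /proc/cpuinfo 2>/dev/null || :)
    echo "rdrand flag:      $(cpu_flag_present rdrand "$cpuinfo")"
    echo "rdseed flag:      $(cpu_flag_present rdseed "$cpuinfo")"
    echo "random.trust_cpu: $(trust_cpu_state "$cmdline" "$config")"
    echo "entropy_avail:    $(cat /proc/sys/kernel/random/entropy_avail 2>/dev/null || echo unknown)"
}

demo
main
```

Run it as a normal user; the `main` output answers the practical question behind this ticket for the machine at hand, and `trust_cpu_state` can be pointed at any saved `/proc/cmdline` and `.config` pair to audit a fleet's boot configuration offline.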
Comment by Michel Koss (MichelKoss1) - Sunday, 08 September 2019, 22:36 GMT
Comment by Eli Schwartz (eschwartz) - Sunday, 08 September 2019, 22:56 GMT
  • Field changed: Task Type (Bug Report → Feature Request)
  • Field changed: Summary ([linux] enable CONFIG_RANDOM_TRUST_CPU in the build config file → [linux][linux-lts][linux-zen][linux-hardened] enable CONFIG_RANDOM_TRUST_CPU)
  • Field changed: Category (Packages: Core → Kernel)
There is utterly no reason to open the same bug four times. Even if it wasn't already discussed and rejected elsewhere, what on earth were you thinking?
