FS#63692 - [linux][linux-lts][linux-zen][linux-hardened] enable CONFIG_RANDOM_TRUST_CPU
Attached to Project:
Arch Linux
Opened by Eduard Toloza (edu4rdshl) - Sunday, 08 September 2019, 22:28 GMT
Last edited by Eli Schwartz (eschwartz) - Sunday, 08 September 2019, 22:59 GMT
Opened by Eduard Toloza (edu4rdshl) - Sunday, 08 September 2019, 22:28 GMT
Last edited by Eli Schwartz (eschwartz) - Sunday, 08 September 2019, 22:59 GMT
|
Details
Description: Enabling it option introduced in
https://github.com/torvalds/linux/commit/39a8883a2b989d1d21bd8dd99f5557f0c5e89694
will allow all recent Intel and AMD CPUs to provide the CPU
opcode RDRAND to acquire random bytes. Linux includes random
bytes generated this way in its entropy pool, but didn’t use
to credit entropy for it (i.e. data from this source wasn’t
considered good enough to consider the entropy pool properly
filled even though it was used). This has changed recently
however, and most big distributions have turned on the
CONFIG_RANDOM_TRUST_CPU=y kernel compile time option. This
means systems with CPUs supporting this opcode will be able
to very quickly reach the “pool filled” state. Source:
https://systemd.io/RANDOM_SEEDS
Additional info: * package version(s): 5.2.13.arch1-1 * config and/or log files etc. * link to upstream bug report, if any |
This task depends upon
Closed by Eli Schwartz (eschwartz)
Sunday, 08 September 2019, 22:59 GMT
Reason for closing: Won't implement
Additional comments about closing: We will not implement this feature, on the grounds that:
- we have rejected it in the past
- you can enable it with a boot parameter
- a biased press release from a thirdparty source is hardly justification to relax security policies by making people have to opt out of what many consider an anti-feature.
Sunday, 08 September 2019, 22:59 GMT
Reason for closing: Won't implement
Additional comments about closing: We will not implement this feature, on the grounds that:
- we have rejected it in the past
- you can enable it with a boot parameter
- a biased press release from a thirdparty source is hardly justification to relax security policies by making people have to opt out of what many consider an anti-feature.
See this discussion for details: https://bugs.archlinux.org/task/58355#comment174306