On Wed, Jan 08, 2020 at 02:48:13PM -0500, Noah Meyerhans wrote:
> Option 1:
>
> We add haveged to the arm64 EC2 AMI. This appears to work, and is
> something we can do today. The debian-installer has previously used
> haveged to ensure reasonable entropy during installation, so there is
> some precedent for this.
>
> Option 2:
>
> There is a mechanism by which the VM host can pass entropy to the guest
> at boot time using the EFI_RNG protocol. This won't require any
> additional software in our images, but it has a couple of other notable
> drawbacks:

[snip]

> I'm not aware of any other options. Given the above, it seems that
> haveged is the only really feasible choice right now. Does anyone
> disagree with that assessment? Are there options I've missed?

I know of two other options:

- pollinate
- jitterentropy-rngd

pollinate downloads seeds remotely, which feels wrong - and itself may
require random numbers. I've never tried jitterentropy.

Ross
