On Wed, Jan 08, 2020 at 08:17:13PM +0000, Luca Filipozzi wrote:
> On Wed, Jan 08, 2020 at 02:48:13PM -0500, Noah Meyerhans wrote:
> > We add haveged to the arm64 EC2 AMI. This appears to work, and is
> > something we can do today. The debian-installer has previously used
> > haveged to ensure reasonable entropy during installation, so there is
> > some precedent for this.
>
> Every time I propose the use of haveged to resolve entropy starvation, I
> get reactions from crypto folks saying that it's not a valid solution.
> They invariably suggest that passing hardware RNG through to the VM is
> the appropriate choice.
>
> The latest such reaction being from mjg59. See:
> https://twitter.com/mjg59/status/1181423056268349441
> https://twitter.com/LucaFilipozzi/status/1181426253636755457

I've seen reactions like this, but never an explanation. Has anyone
written up the issues? Given that "fail to boot" isn't a workable
outcome, it'd be useful to know exactly what risks one accepts when
using haveged.

Ross
