Re: [PATCH] crypto/gcrypt: prefer kernel as direct source of entropy

2024-01-22 Thread Cristian Rodríguez
On Mon, Jan 22, 2024 at 5:19 PM Daniel P. Berrangé wrote:
>
> If the DRBG is required for FIPS compliance, and QEMU hardcoded
> the system RNG, then QEMU can't be used in a FIPS environment.
>

No, the library overrides this choice.. the DRBG has higher priority.

Re: [PATCH] crypto/gcrypt: prefer kernel as direct source of entropy

2024-01-22 Thread Daniel P. Berrangé
On Mon, Jan 22, 2024 at 05:08:16PM -0300, Cristian Rodríguez wrote:
> On Mon, Jan 22, 2024 at 11:48 AM Daniel P. Berrangé wrote:
>
> > On Fri, Jan 19, 2024 at 05:39:40PM -0300, Cristian Rodríguez wrote:
> > > gcrypt by default uses a userspace RNG, which cannot know
> > > when it is time to

Re: [PATCH] crypto/gcrypt: prefer kernel as direct source of entropy

2024-01-22 Thread Cristian Rodríguez
On Mon, Jan 22, 2024 at 11:48 AM Daniel P. Berrangé wrote:
> On Fri, Jan 19, 2024 at 05:39:40PM -0300, Cristian Rodríguez wrote:
> > gcrypt by default uses a userspace RNG, which cannot know
> > when it is time to discard/invalidate its buffer
> > (suspend, resume, vm forks, other corner cases)

Re: [PATCH] crypto/gcrypt: prefer kernel as direct source of entropy

2024-01-22 Thread Daniel P. Berrangé
On Fri, Jan 19, 2024 at 05:39:40PM -0300, Cristian Rodríguez wrote:
> gcrypt by default uses a userspace RNG, which cannot know
> when it is time to discard/invalidate its buffer
> (suspend, resume, vm forks, other corner cases)
> as a "when to discard" event is unavailable to userspace.

So in

[PATCH] crypto/gcrypt: prefer kernel as direct source of entropy

2024-01-19 Thread Cristian Rodríguez
gcrypt by default uses a userspace RNG, which cannot know when it is time to discard/invalidate its buffer (suspend, resume, vm forks, other corner cases) as a "when to discard" event is unavailable to userspace. Set GCRYCTL_SET_PREFERRED_RNG_TYPE to GCRY_RNG_TYPE_SYSTEM which must be done