On Sun, 14.06.15 14:11, Cristian Rodríguez (cristian.rodrig...@opensuse.org) wrote:
> On Sun, Jun 14, 2015 at 1:43 PM, Greg KH <gre...@linuxfoundation.org> wrote: > > On Sun, Jun 14, 2015 at 12:49:55PM -0300, Cristian Rodríguez wrote: > >> > >> El jun. 14, 2015 10:21, "cee1" <fykc...@gmail.com> escribió: > >> > > >> > Hi all, > >> > > >> > Why we need to read/save random seed? Can it be read from /dev/random > >> > each > >> time? > >> > >> Because the kernel is borked and still is needs to be fed of entropy at > >> system > >> startup by user space. Please read the random man page. > >> > >> I agree we shouldn't have to do this at all.. > > > > Really? And how do you suggest we "fix" the kernel when the hardware > > itself doesn't provide us with a proper random number "seed" in the > > first place? What do you suggest we do instead? > > Las time I checked , it required this userspace help even when the > machine has rdrand/rdseed or when a virtual machine is fed from the > host using the virtio-rng driver.. (may take up to 60 seconds to > report I am pretty sure that even if you have rdrand/rdseed you want to seed the system with randomness from a previous boot, simply because you might not want to trust the CPU's RNG. Sure, it's great that Intel CPUs have that now, but given the circumstances, are you sure the stuff is not backdoored by your three-letter agency of choice? I mean, this is a bit like with modern SSDs with hardware encryption: it's great that they have this, but can you really trust it? Haveing the hdd crypto stuff in kernel, and a random seed that is not just the CPU's own hwrng has the benefit that the sources are open and you review what's going on. That much harder with silicon you buy in a shop. Lennart -- Lennart Poettering, Red Hat _______________________________________________ systemd-devel mailing list systemd-devel@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/systemd-devel
