Public bug reported:

SRU Justification

[Impact]

GKE made an inquiry about the source of entropy for /dev/hwrng. Their public documentation (https://cloud.google.com/compute/docs/instances/enabling-virtio-rng) specifies that virtio_rng is the default, but they observed that the TPM's RNG is used instead on current GKE images. Besides aligning with their public docs, using virtio_rng means that the host is responsible for providing the most secure hardware entropy source, which is a better default than assuming that the most secure source on that particular machine is the TPM (or RDRAND instructions, etc.).

[Fix]

Configure CONFIG_HW_RANDOM_VIRTIO=y for all targeted kernels.

[Test Plan]

Executing

$ cat /sys/devices/virtual/misc/hw_random/rng_current

should return "virtio_rng.0".

[Regression potential]

There should be a very low chance of regression. Hardware RNG entropy sources in theory are identical in behavior, and the test plan above can determine what the active source of entropy is.

** Affects: linux-gke (Ubuntu)
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2106782

Title:
  virtio_rng should be the source of hardware entropy

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux-gke/+bug/2106782/+subscriptions

-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
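The test plan above reduces to one `cat` of `rng_current`. The script below is an added example, not part of the bug report or of the Ubuntu kernel packaging, that wraps that check and the [Fix] condition into two reusable functions: one reads the hw_random sysfs node (`rng_current` and the sibling `rng_available`, both standard kernel sysfs attributes) and reports whether virtio_rng is the active backend, the other checks that `CONFIG_HW_RANDOM_VIRTIO` is built in (`=y`) in a kernel config file. Both functions take an optional path argument so they can be pointed at a constructed directory or config file; the sysfs path and `/boot/config-$(uname -r)` default are assumptions about a standard Ubuntu layout.

```shell
#!/bin/sh
# Added example (not from the bug report): verify which hw_random backend feeds
# /dev/hwrng and whether virtio_rng is compiled in. POSIX sh, no bashisms.

# Default sysfs location of the hw_random core's attributes (assumed standard layout).
HWRNG_DIR="${HWRNG_DIR:-/sys/devices/virtual/misc/hw_random}"

# check_virtio_rng [sysfs_dir]
# Returns 0 if the active hw_random backend is virtio_rng, 1 otherwise
# (including when the sysfs node is missing, e.g. no hwrng driver bound).
check_virtio_rng() {
    dir="${1:-$HWRNG_DIR}"
    cur="$(cat "$dir/rng_current" 2>/dev/null)" || {
        echo "FAIL: no hw_random sysfs node at $dir (no hwrng driver bound?)"
        return 1
    }
    # rng_available lists every registered backend, space separated.
    avail="$(cat "$dir/rng_available" 2>/dev/null || echo unknown)"
    case "$cur" in
        virtio_rng*)
            echo "OK: active hwrng is '$cur' (available: $avail)"
            return 0 ;;
        *)
            echo "WARN: active hwrng is '$cur', expected virtio_rng (available: $avail)"
            return 1 ;;
    esac
}

# check_config [kernel_config_file]
# Returns 0 if CONFIG_HW_RANDOM_VIRTIO=y in the given config, 1 otherwise.
# A module build (=m) is reported separately: it only becomes rng_current
# once the module is loaded, so it does not satisfy the [Fix] as written.
check_config() {
    cfg="${1:-/boot/config-$(uname -r)}"
    line="$(grep '^CONFIG_HW_RANDOM_VIRTIO=' "$cfg" 2>/dev/null)" || line="(not set)"
    case "$line" in
        CONFIG_HW_RANDOM_VIRTIO=y)
            echo "OK: $line in $cfg"
            return 0 ;;
        CONFIG_HW_RANDOM_VIRTIO=m)
            echo "WARN: virtio_rng is a module in $cfg; it must be loaded to become rng_current"
            return 1 ;;
        *)
            echo "WARN: CONFIG_HW_RANDOM_VIRTIO $line in $cfg"
            return 1 ;;
    esac
}

# Run both checks against the live system only when explicitly asked:
#   sh hwrng-check.sh check
if [ "${1:-}" = "check" ]; then
    check_config
    check_virtio_rng
fi
```

On a guest that has both the TPM and the virtio backend registered, `rng_available` will list both and `rng_current` shows which one the hw_random core picked; the hw_random core also accepts a write of a backend name to `rng_current` to switch the active source at runtime, which is a useful way to confirm the virtio path works before rebuilding a kernel.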
