[PATCH] API for true Random Number Generators to add entropy
(2.6.11)
Jeff Garzik
jgarzik at pobox.com
Tue Mar 29 07:15:46 UTC 2005
Andi Kleen wrote:
>>We -used- to need data from RNG directly into the kernel randomness
>
>
> Are you sure? I dont think there was ever code to do this in
> mainline. There might have been something in -ac*, but not mainline.
Yes, I am positive. I wrote the code. Look at the old Intel RNG driver
code, before it grew AMD and VIA support, and became hw_random.
>>pool. The consensus was that the FIPS testing should be moved to userspace.
>
>
> Consensus from whom? And who says the FIPS testing is useful anyways?
lkml. Read the archives.
> I think you just need to trust the random generator, it is like
> you need to trust any other piece of hardware in your machine. Or do you
> check regularly if you mov instruction still works? @)
Hardware RNGs -have- failed in the past. And if you are going to credit
entropy to the data -- a very big deal -- it damn well better be random
data. Otherwise failures cascade through the system.
> I think it is a trade off between easy to use and saving of
> resources and overly paranoia. With an user space solution
> which near nobody uses currently (I am not aware of
> any distribution that runs that daemon)
Debian does.
It's under-use is mainly because nobody has an RNG.
> it means most people wont have hardware supported randomness
> in their ssh, and I think that is a big drawback.
"big drawback" == 99% of users right now.
Jeff
More information about the CryptoAPI
mailing list