On Wed, Aug 21, 2019 at 09:39:28AM +0300, Ard Biesheuvel wrote:
>
> Whether to trust the firmware provided entropy is a policy decision,
> and typically, we try to avoid dictating policy in the kernel, and
> instead, we try to provide a sane default but give the user control
> over it.
>
> So in this case, we should probably introduce
> add_firmware_randomness() with a Kconfig/cmdline option pair to decide
> whether it should be trusted or not (or reuse the one we have for
> trusting RDRAND etc)

I'd call it add_bootloader_randomness(), since we are trusting the
*bootloader*; it's the bootloader which is vouching for the security /
validity of the passed-in entropy. Furthermore, the bootloader on some
architectures might be fetching directly from some secure element.

And for that reason, I'd use a different Kconfig/cmdline option pair
than the one used for trusting CPU-provided randomness.

- Ted
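The policy split discussed above (always mix a source into the pool, but only credit entropy when that source's own trust knob is set, with separate knobs for the CPU and the bootloader), modelled in user space as an added illustration that is not kernel code; the knob names, the toy pool and the sample bytes are assumptions:

```c
/* Added user-space model of the mix-always / credit-only-if-trusted
 * policy. The pool is a toy hash, not the kernel's; the two knobs stand
 * in for a CPU trust option and a separate bootloader trust option. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define POOL_BITS 256            /* maximum entropy we will credit */

static bool trust_cpu;           /* assumed knob for RDRAND-style input */
static bool trust_bootloader;    /* assumed knob for bootloader input */
static uint64_t pool = 0xcbf29ce484222325ULL;  /* toy pool state */
static unsigned entropy_bits;    /* entropy credited so far */

/* Mixing is unconditional: untrusted bytes cannot reduce what is
 * already in the pool, so there is no reason to discard them. */
static void mix_pool(const uint8_t *buf, size_t len)
{
    for (size_t i = 0; i < len; i++)
        pool = (pool ^ buf[i]) * 0x100000001b3ULL;  /* FNV-1a style step */
}

/* Credit is the policy decision; cap at the pool size. */
static void credit_entropy(unsigned bits)
{
    entropy_bits = (entropy_bits + bits > POOL_BITS) ? POOL_BITS
                                                     : entropy_bits + bits;
}

/* Bootloader-provided bytes: credited only if the bootloader is trusted. */
void add_bootloader_randomness(const uint8_t *buf, size_t len)
{
    mix_pool(buf, len);
    if (trust_bootloader)
        credit_entropy((unsigned)len * 8);
}

/* CPU-provided bytes (RDRAND etc.): governed by its own, separate knob. */
void add_cpu_randomness(const uint8_t *buf, size_t len)
{
    mix_pool(buf, len);
    if (trust_cpu)
        credit_entropy((unsigned)len * 8);
}

/* Feed 16 constructed bytes from each source under the given policy and
 * return how much entropy ended up credited. */
unsigned credited_under_policy(bool cpu, bool bootloader)
{
    static const uint8_t sample[16] = "constructed-seed";  /* not real entropy */
    trust_cpu = cpu; trust_bootloader = bootloader; entropy_bits = 0;
    add_cpu_randomness(sample, sizeof sample);
    add_bootloader_randomness(sample, sizeof sample);
    return entropy_bits;
}

int main(void)
{
    printf("neither trusted: %u bits credited\n", credited_under_policy(false, false));
    printf("bootloader only: %u bits credited\n", credited_under_policy(false, true));
    return 0;
}
```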