On Fri, Feb 1, 2013 at 10:39 PM, Bill Nottingham <notting@xxxxxxxxxx> wrote:
> Given FIPS paranoia about RNG sources, does this have knock-on effects in
> the FIPS compliance of guests depending on how it's fed in the host?

(Hoping for an answer from someone who has actually fully analyzed the FIPS
RNG situation and requirements; in the meantime...)

FIPS generally prefers using a deterministic RNG, seeded only once, with a
fairly small amount of entropy (64-512 bits, much smaller than the 4k we
usually think of as the "/dev/random entropy pool"); so this would imply
asking the host for that small amount of "strong" entropy on boot, using
(some of?) it to seed the kernel RNGs, and then seeding user-space from the
kernel RNGs without asking the host for more entropy.

I think that even in FIPS mode /dev/urandom continues to operate more or
less unmodified (and would thus probably continuously seed from the host),
but that needs confirming by someone with actual knowledge.

Mirek
--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
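The "seed once from a small amount of host entropy, then serve user space deterministically" shape sketched in the reply above, as an added illustration that is not code from the thread or from Fedora: a minimal SP 800-90A HMAC_DRBG (SHA-256) instantiated from a single 256-bit seed. HOST_SEED, guest_boot_sequence and the reseed interval are constructed for illustration and are not values from the list discussion.

```python
import hashlib
import hmac


class HmacDrbg:
    """Minimal SP 800-90A HMAC_DRBG over SHA-256: instantiated once from a
    small seed, all later output derived deterministically from its state."""
    RESEED_INTERVAL = 10_000  # generate() calls allowed before a reseed is required

    def __init__(self, seed: bytes, personalization: bytes = b""):
        if len(seed) < 32:  # insist on at least 256 bits of seed material
            raise ValueError("need at least 256 bits of seed material")
        self.key = b"\x00" * 32
        self.value = b"\x01" * 32
        self.reseed_counter = 1
        self._update(seed + personalization)

    @staticmethod
    def _hmac(key: bytes, data: bytes) -> bytes:
        return hmac.new(key, data, hashlib.sha256).digest()

    def _update(self, provided: bytes) -> None:
        # HMAC_DRBG_Update: fold provided data (if any) into key and value
        self.key = self._hmac(self.key, self.value + b"\x00" + provided)
        self.value = self._hmac(self.key, self.value)
        if provided:
            self.key = self._hmac(self.key, self.value + b"\x01" + provided)
            self.value = self._hmac(self.key, self.value)

    def reseed(self, seed: bytes) -> None:
        self._update(seed)
        self.reseed_counter = 1

    def generate(self, nbytes: int) -> bytes:
        if self.reseed_counter > self.RESEED_INTERVAL:
            raise RuntimeError("reseed required before more output")
        out = b""
        while len(out) < nbytes:
            self.value = self._hmac(self.key, self.value)
            out += self.value
        self._update(b"")  # post-generate state update with no additional input
        self.reseed_counter += 1
        return out[:nbytes]


HOST_SEED = bytes(range(32))  # constructed stand-in for 256 bits from the host; not a real seed


def guest_boot_sequence(host_seed: bytes, requests: int = 3, nbytes: int = 32) -> list:
    """Hypothetical guest: instantiate once from the host-supplied seed, then
    answer user-space requests from the DRBG without going back to the host."""
    drbg = HmacDrbg(host_seed, personalization=b"guest-kernel-rng")
    return [drbg.generate(nbytes) for _ in range(requests)]
```

Two guests given the same seed produce identical streams, which is the point the reply makes: with a seed-once design the output is only as strong as the small seed the host supplied at boot.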