On Thu, Jul 17, 2014 at 01:35:15PM -0700, Andy Lutomirski wrote: > > Can we please have a mode in which getrandom(2) can neither block nor > fail? If that gets added, then this can replace things like AT_RANDOM. AT_RANDOM has been around for a long time; it's not something we can remove. > There are non-crypto things out there that will want this. There are > also probably VM systems (especially ones that have something like my > KVM_GET_RNG_SEED patches applied, or many VMs on Haswell, for that > matter) that will have perfectly fine cryptographically secure urandom > output immediately after bootup but that won't consider themselves > "initialized" for a while. At least these will be perfectly fine from > the POV of those who trust their hypervisor and Intel :) If you trust Intel, then you can either use RDRAND directly, or you can use rngd. There is also plans to set up an hw_random RDRAND that can be configured to automatically fill the entropy pool using the new khwrngd, which could be configured using the appropriate boot options for those who want to blindly trus their hypervisor and/or Intel. However, I don't think that should be the default. And on x86 systems at least, this is largely a moot point, since the /dev/urandom pool gets initialized *very* quickly after the system boots. It's only on the !@#! ARM systems that don't have a cycle counter, or apparently no reliable way to make sure the cycle counter is present, which seems to be the place where we have problems. But I'd much rather gradually apply more pressure to the ARM folks so they finally fix their CPU architecture, and this is one step down that path without forcibly breaking existing userspace. - Ted -- To unsubscribe from this list: send the line "unsubscribe linux-crypto" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html