On Mon, Jan 10, 2022 at 07:44:23PM +0100, Jason A. Donenfeld wrote: > b) Userspace to use some other RNG. > > (b) can be accomplished in userspace by just (i) disabling getrandom() > (making it return ENOSYS), and then (ii) replacing the /dev/urandom > path with a CUSE device or similar. I don't think you even need to do this. In general, you need FIPS certification for some specific use cases / application. For example, if you're going for PCI compliance, then you might only need FIPS compliance for your OpenSSL library. What the FIPS certification lab might consider acceptable for its entropy for its DRBG is an interesting question. For some, simply having the OpenSSL library use RDSEED or RDRAND might be sufficient. Or it could talk to an actual physical RNG device. So disabling getrandom() is probably not necessary, just so long as you can demonstrate that the FIPS cryptographic module --- i.e., the OpenSSL library --- is getting its entropy from an acceptable source. I suspect what's actually going on is that some enterprise customers have FIPS complaince on a check-off list, and they aren't actually getting a formal FIPS certification. Or they only need something to wave under the noses of their PCI certification company, and so the question is what makes them happy. Going into the details of whether ChaCha20 is blessed by FIPS is probably more into technical weeds than most of the people who *say* they want FIPS certification actually will go. After all, the in-kernel DRBG is using as its "entropy source" the timing instructions from a bunch of x86 assembly instructions which is **soooo** complicated that people are willing to drink from the snake oil and claim that it is secure. Is it really? Has FIPS said that it's OK? Not any more than they've said anything about ChaCha20! And this is why some FIPS certification have gotten by just *fine* with a pure userspace OpenSSL library as their FIPS cryptographic module. Where you draw the line between a "blessed" entropy source and one that's just hand-waving is really at the discretion of the certification lab. Personally, if I was doing something that I really, *really* wanted to be secure, I'd be mixing in several hardware RNG's. Given that most server and client platforms have a TPM, or some other hardened security module, using that is probably the best bet of I was architecting some that *really* needed to be secure. But of course, we're not talking about real security in this thread; we're talking about whatever security theater will make the FIPS certification labs, and the people who say they want FIPS on their check-off list, happy. :-) - Ted