On Tue, Jan 11, 2022, at 5:06 AM, Jason A. Donenfeld wrote: > Hi Andy, > > On Tue, Jan 11, 2022 at 2:44 AM Andy Lutomirski <luto@xxxxxxxxxx> wrote: >> So let’s solve it for real. Have a driver (in a module) that > > Um, let's not. This really isn't something the kernel needs to solve > here at all. There's a viable userspace solution. I see that the > discussion of something finally slightly technical (as opposed to just > compliance BS) has nerd sniped you a bit, but keep in mind what the > actual overall picture is. This isn't something that needs to be done. > My little CUSE thing (which I'm happy to develop out a bit more, even) > has the intent of fulfilling a compliance checkbox and nothing more. > Can you develop your CUSE thing enough that it’s credibly safe against side channels? If so, fine. I admit this is all rather absurd. FIPS aware userspace can do whatever it wants, and It should be aware that /dev/urandom IS NOT FIPS. What’s the problem? rand(3) isn’t FIPS either, but no one puts person-years of effort into trying to paint it FIPS-colored
