Am Freitag, 24. März 2023, 10:27:37 CET schrieb Herbert Xu: Hi Herbert, > On Thu, Mar 23, 2023 at 08:17:14AM +0100, Stephan Müller wrote: > > @@ -138,29 +139,35 @@ static int jent_kcapi_random(struct crypto_rng *tfm, > > > > spin_lock(&rng->jent_lock); > > > > - /* Return a permanent error in case we had too many resets in a row. */ > > - if (rng->reset_cnt > (1<<10)) { > > + /* Enforce a disabled entropy source. */ > > + if (rng->disabled) { > > > > ret = -EFAULT; > > goto out; > > > > } > > Can we please get rid of this completely when we're not in FIPS > mode? Remember that jent is now used by all kernel users through > drbg. Having it fail permanently in this fashion is unacceptable. > > If we're not in FIPS mode it should simply carry on or at least > seek another source of entropy, perhaps from the kernel RNG. I will remove that from this patch. I plan to release another patch where the oversampling rate will be increased in case of such health errors. This increase in the oversampling rate would handle this issue much more gracefully. Thanks Ciao Stephan