On Wed, Oct 09, 2019 at 08:09:29AM +0000, Pascal Van Leeuwen wrote: > There's certification and certification. Not all certificates are > created equally. But if it matches your specific requirements, why not. > There's a _lot_ of HW out there that's not x86 though ... > > And: is RDRAND certified for _all_ x86 processors? Or just Intel? > Or perhaps even only _specific (server) models_ of CPU's? > I also know for a fact that some older AMD processors had a broken > RDRAND implementation ... > > So the choice really should be up to the application or user. I'm not seriously suggesting to move rdrand here. I'm trying find the logic how to move forward with trusted keys with multiple backends (not only TPM). AKA we have a kernel rng in existence but no clear policy when it should be used and when not. This leads to throwing a dice with the design choices. Even it TPM RNG is the right choice in tpm_asym.c, the choice was not based on anything (otherwise it would have been documented). /Jarkko