Hi all, I've been tracking this issue with Mario on various threads and bugzilla for a while now. My suggestion over at bugzilla was to just disable all current AMD fTPMs by bumping the check for a major version number, so that the hardware people can reenable it i it's ever fixed, but only if this is something that the hardware people would actually respect. As I understand it, Mario was going to check into it and see. Failing that, yea, just disabling hwrng on fTPM seems like a fine enough thing to do. The reason I'm not too concerned about that is twofold: - Systems with fTPM all have RDRAND anyway, so there's no entropy problem. - fTPM *probably* uses the same random source as RDRAND -- the TRNG_OUT MMIO register -- so it's not really doing much more than what we already have available. So this all seems fine. And Jarkko's patch seems more or less the straight forward way of disabling it. But with that said, in order of priority, maybe we should first try these: 1) Adjust the version check to a major-place fTPM version that AMD's hardware team pinky swears will have this bug fixed. (Though, I can already imagine somebody on the list shouting, "we don't trust hardware teams to do anything with unreleased stuff!", which could be valid.) 2) Remove the version check, but add some other query to detect AMD fTPM vs realTPM, and ban fTPM. - Remove the version check, and just check for AMD; this is Jarrko's patch. Mario will know best the feasibility of (1) and (2). Jason
