Proposed F19 Feature: Virtio RNG

Miloslav Trmač mitr at volny.cz
Fri Feb 1 23:49:26 UTC 2013


On Fri, Feb 1, 2013 at 10:39 PM, Bill Nottingham <notting at redhat.com> wrote:
> Given FIPS paranoia about RNG sources, does this have knock-on effects in
> the FIPS compliance of guests depending on how it's fed in the host?

(Hoping for an answer from someone who has actually fully analyzed the
FIPS RNG situation and requirements; in the meantime...)

FIPS generally prefers using a deterministic RNG, seeded only once,
with a fairly small amount of entropy (64-512 bits, much smaller than
the 4k we usually think of as the "/dev/random entropy pool"); so this
would imply asking the host for that small amount of "strong" entropy
on boot, using (some of?) it to seed the kernel RNGs, and then
seeding user-space from the kernel RNGs without asking the host for
more entropy.

I think that even in FIPS mode /dev/urandom continues to operate more
or less unmodified (and would thus probably continuously seed from the
host), but that needs confirming by someone with actual knowledge.
   Mirek

