On Wed, Apr 17, 2019 at 11:36 AM Lennart Poettering
<mzerqung(a)0pointer.de> wrote:
> Yeah, all that stuff is stuff the kernel could do better on its
> own. If the CPU jitter stuff or the TPM stuff is a good idea, then why
> not add that to the kernel natively, why involve userspace with that?
> i.e. if the TPM and the CPU jitter stuff can be trusted, then the same
> thing as for CONFIG_RANDOM_TRUST_CPU=y should be done: pass the random
> data into the pool directly inside in the kernel.
$ grep CONFIG_HW_RANDOM_TPM /boot/config-5.0.6-300.fc30.x86_64
CONFIG_HW_RANDOM_TPM=y
I've got no idea if this is for TPM 1.x or 2.x or both.
> Well, no. I mean, the only way you can do that is by turning rngd into
> its own init system, if you want it to run before the init system.
/usr/lib/systemd/system/rngd.service contains
WantedBy=multi-user.target
I'm gonna guess Steve Grubb is wondering whether it could be wanted by
an earlier target, possibly cryptsetup-pre.target? I don't see a
service file in the upstream project so this may have been selected by
the Fedora packager as a known-to-work option.
--
Chris Murphy
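The two checks this message does by hand (grepping the kernel config for the RNG options and reading the rngd unit's WantedBy= line) collected into a small POSIX sh audit script. This is an added example, not code from the thread or from the rngd, Fedora or systemd projects. The function names, the verdict wording, and the sample kernel config and unit file it writes to a temp directory are all constructed for the demonstration; the option names (CONFIG_RANDOM_TRUST_CPU, CONFIG_HW_RANDOM_TPM, CONFIG_HW_RANDOM_VIRTIO) and the targets (multi-user.target, cryptsetup-pre.target) are real, but whether an earlier target is the right fix is exactly the open question of the thread, so the verdict only reports late/early, it does not decide.

```shell
#!/bin/sh
# Added example (not from the thread): report which entropy-source options the
# kernel was built with, and which target pulls rngd.service in.

# kconfig_value CONFIG_FILE OPTION
# Prints the option's value ("y", "m", a string), "n" for the
# "# OPTION is not set" form, or "unset" if the option is absent.
kconfig_value() {
    file=$1; opt=$2
    val=$(grep -E "^${opt}=" "$file" | cut -d= -f2-)
    if [ -n "$val" ]; then
        printf '%s\n' "$val"
    elif grep -q "^# ${opt} is not set" "$file"; then
        printf 'n\n'
    else
        printf 'unset\n'
    fi
}

# unit_wanted_by UNIT_FILE
# Prints the WantedBy= value(s) from the unit's [Install] section only,
# ignoring any same-named key in other sections.
unit_wanted_by() {
    awk -F= '/^\[/ { sect = $0 }
             sect == "[Install]" && $1 == "WantedBy" { print $2 }' "$1"
}

# rngd_ordering_verdict UNIT_FILE
# "late" when the unit is only reached at multi-user.target (after
# cryptsetup has already run), "early" when it names cryptsetup-pre.target.
rngd_ordering_verdict() {
    case "$(unit_wanted_by "$1")" in
        *cryptsetup-pre.target*) echo early ;;
        *multi-user.target*)     echo late ;;
        '')                      echo none ;;
        *)                       echo other ;;
    esac
}

# Demo on constructed inputs so the script runs without a real /boot/config-*
# or /usr/lib/systemd/system/rngd.service.
demo() {
    dir=$(mktemp -d)
    # Constructed kernel config fragment (values chosen for the demo).
    printf '%s\n' 'CONFIG_RANDOM_TRUST_CPU=y' \
                  'CONFIG_HW_RANDOM_TPM=y' \
                  '# CONFIG_HW_RANDOM_VIRTIO is not set' > "$dir/config"
    # Constructed unit file mirroring the WantedBy= quoted in the message.
    printf '%s\n' '[Unit]' 'Description=Hardware RNG Entropy Gatherer Daemon' '' \
                  '[Service]' 'ExecStart=/sbin/rngd -f' '' \
                  '[Install]' 'WantedBy=multi-user.target' > "$dir/rngd.service"

    for opt in CONFIG_RANDOM_TRUST_CPU CONFIG_HW_RANDOM_TPM CONFIG_HW_RANDOM_VIRTIO; do
        printf '%s=%s\n' "$opt" "$(kconfig_value "$dir/config" "$opt")"
    done
    printf 'rngd.service WantedBy=%s (%s)\n' \
        "$(unit_wanted_by "$dir/rngd.service")" \
        "$(rngd_ordering_verdict "$dir/rngd.service")"
    rm -rf "$dir"
}

demo
```

To run it against a real host, call `kconfig_value /boot/config-$(uname -r) CONFIG_HW_RANDOM_TPM` and `rngd_ordering_verdict /usr/lib/systemd/system/rngd.service` instead of the demo files.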