[d-kernel] [PATCH un-def/sisyphus] config: Enable seeding CRNG from CPU and bootleader
Andrey Savchenko
bircoph на altlinux.org
Ср Май 11 09:01:49 MSK 2022
On Wed, 11 May 2022 00:43:37 +0300 Vladimir D. Seleznev wrote:
> On Mon, May 09, 2022 at 07:05:01PM +0300, Andrey Savchenko wrote:
> > On Mon, 9 May 2022 17:23:00 +0300 Vitaly Chikunov wrote:
> > > This can be disabled at boot time with:
> > > random.trust_cpu=off
> > > random.trust_bootloader=off
> > >
> > > Signed-off-by: Vitaly Chikunov <vt на altlinux.org>
> > > ---
> > > config | 4 ++--
> > > 1 file changed, 2 insertions(+), 2 deletions(-)
> > >
> > > diff --git a/config b/config
> > > index e529911fd5dc..5b817e945274 100644
> > > --- a/config
> > > +++ b/config
> > > @@ -4479,8 +4479,8 @@ CONFIG_XILLYBUS_CLASS=m
> > > CONFIG_XILLYBUS=m
> > > CONFIG_XILLYBUS_PCIE=m
> > > # CONFIG_XILLYUSB is not set
> > > -# CONFIG_RANDOM_TRUST_CPU is not set
> > > -# CONFIG_RANDOM_TRUST_BOOTLOADER is not set
> > > +CONFIG_RANDOM_TRUST_CPU=y
> > > +CONFIG_RANDOM_TRUST_BOOTLOADER=y
> >
> > These sources are not trusted in most cases, so please avoid
> > enabling them by default for everyone.
>
> It's a very horrible world where you cannot trust to your CPU.
The concept of trust is not binary. I do not trust RDRAND for
sensitive materials. Even more so I do not trust UEFI platform
generators. E.g. see:
https://arstechnica.com/gadgets/2019/10/how-a-months-old-amd-microcode-bug-destroyed-my-weekend/
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0543
Welcome to the real world.
Best regards,
Andrew Savchenko
----------- следующая часть -----------
Было удалено вложение не в текстовом формате...
Имя : отсутствует
Тип : application/pgp-signature
Размер : 833 байтов
Описание: отсутствует
Url : <http://lists.altlinux.org/pipermail/devel-kernel/attachments/20220511/8f0f02be/attachment.bin>
Подробная информация о списке рассылки devel-kernel