From: Justin Forbes
Date: Thu, 3 May 2018 07:23:42 -0500
Subject: Re: Linux messages full of `random: get_random_u32 called from`
To: "Theodore Y. Ts'o", Laura Abbott, Justin Forbes, Jeremy Cline, Sultan Alsawaf, Pavel Machek, LKML, Jann Horn
In-Reply-To: <20180502222522.GA15457@thunk.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Wed, May 2, 2018 at 5:25 PM, Theodore Y. Ts'o wrote:
> On Wed, May 02, 2018 at 10:49:34AM -0700, Laura Abbott wrote:
>>
>> It is a Fedora patch we're carrying
>> https://src.fedoraproject.org/rpms/libgcrypt/blob/master/f/libgcrypt-1.6.2-fips-ctor.patch#_23
>> so yes, it is a Fedora specific use case.
>> From talking to the libgcrypt team, this is a FIPS mode requirement
>> to run power on self test at the library constructor and the self
>> test of libgcrypt ends up requiring a fully seeded RNG. Citation
>> is in section 9.10 of
>> https://csrc.nist.gov/CSRC/media/Projects/Cryptographic-Module-Validation-Program/documents/fips140-2/FIPS1402IG.pdf
>
> Forgive me if this is a stupid question, but does Fedora need FIPS
> compliance?  Or is this something which is only required for RHEL?
>
> ("Here's to FIPS: the cause of, and solution to, all of Life's
> problems." :-)
>

One of the advantages of carrying such things in Fedora is we find
these problems before RHEL does and hopefully there is a solution in
place before they ever even see it. From the rawhide end, I just
brought in virtio-rng as inline vs module, this works around the issue
for lots of users, but not all. GCE is still impacted, and a user came
to complain about it already last night. And of course any other virt
platform without virtio-rng, or some hardware. Most hardware installs
don't have dracut-fips so they will boot, eventually.

Justin
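
Added example, not part of the thread and not libgcrypt or Fedora code: a non-blocking probe for the condition discussed above, where a start-up self-test needs a seeded kernel RNG. The names crng_state, classify_getrandom and probe_crng are made up for this example; it assumes Linux with glibc 2.25 or later for <sys/random.h>.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/random.h>   /* getrandom(), GRND_NONBLOCK */
#include <sys/types.h>    /* ssize_t */

enum crng_state { CRNG_READY, CRNG_NOT_SEEDED, CRNG_UNSUPPORTED, CRNG_ERROR };

/* Map the result of getrandom(..., GRND_NONBLOCK) to a state.
 * ret/err are the return value and errno; want is the requested length. */
enum crng_state classify_getrandom(ssize_t ret, int err, size_t want)
{
    if (ret >= 0)
        return (size_t)ret == want ? CRNG_READY : CRNG_ERROR;
    if (err == EAGAIN)
        return CRNG_NOT_SEEDED;   /* a blocking caller would stall here */
    if (err == ENOSYS)
        return CRNG_UNSUPPORTED;  /* kernel predates getrandom(2), < 3.17 */
    return CRNG_ERROR;
}

/* Ask the kernel for 16 bytes without blocking. Before the CRNG is
 * initialised the call fails with EAGAIN instead of waiting. */
enum crng_state probe_crng(void)
{
    unsigned char buf[16];
    ssize_t ret;

    do {
        ret = getrandom(buf, sizeof buf, GRND_NONBLOCK);
    } while (ret < 0 && errno == EINTR);   /* retry if a signal interrupted us */

    return classify_getrandom(ret, errno, sizeof buf);
}

const char *crng_state_name(enum crng_state s)
{
    switch (s) {
    case CRNG_READY:       return "seeded";
    case CRNG_NOT_SEEDED:  return "not yet seeded";
    case CRNG_UNSUPPORTED: return "getrandom(2) unavailable";
    default:               return "error";
    }
}

int main(void)
{
    enum crng_state s = probe_crng();
    printf("kernel CRNG: %s\n", crng_state_name(s));
    return s == CRNG_READY ? 0 : 1;   /* exit status usable from a boot script */
}
```

Run early in boot (for example from the initramfs), a "not yet seeded" result marks the window in which a blocking read of the kernel RNG would wait.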