Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S261851AbVC1PUv (ORCPT ); Mon, 28 Mar 2005 10:20:51 -0500 Received: (majordomo@vger.kernel.org) by vger.kernel.org id S261876AbVC1PUv (ORCPT ); Mon, 28 Mar 2005 10:20:51 -0500 Received: from colin2.muc.de ([193.149.48.15]:13843 "HELO colin2.muc.de") by vger.kernel.org with SMTP id S261851AbVC1PUo (ORCPT ); Mon, 28 Mar 2005 10:20:44 -0500 Date: 28 Mar 2005 17:20:43 +0200 Date: Mon, 28 Mar 2005 17:20:43 +0200 From: Andi Kleen To: folkert@vanheusden.com Cc: Jeff Garzik , Andrew Morton , cryptoapi@lists.logix.cz, linux-kernel@vger.kernel.org, linux-crypto@vger.kernel.org, jmorris@redhat.com, herbert@gondor.apana.org.au Subject: Re: [PATCH] API for true Random Number Generators to add entropy (2.6.11) Message-ID: <20050328152043.GA26121@muc.de> References: <20050315133644.GA25903@beast> <20050324042708.GA2806@beast> <20050323203856.17d650ec.akpm@osdl.org> <424324F1.8040707@pobox.com> <20050327171934.GB18506@muc.de> <20050327185500.GP943@vanheusden.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20050327185500.GP943@vanheusden.com> User-Agent: Mutt/1.4.1i Sender: linux-kernel-owner@vger.kernel.org X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 1221 Lines: 26 On Sun, Mar 27, 2005 at 08:55:03PM +0200, folkert@vanheusden.com wrote: > > > pool. The consensus was that the FIPS testing should be moved to userspace. > > Consensus from whom? And who says the FIPS testing is useful anyways? > > I think you just need to trust the random generator, it is like > > you need to trust any other piece of hardware in your machine. Or do you > > check regularly if you mov instruction still works? @) > > For joe-user imho it's better to do a check from a cronjob once a day. But for > high demand security, maybe make it pluggable? Like that a user can plug-in some > module which does the testing? Then you can have several kinds of tests > depending on your needs. In my old 2.4 patch there was a sysctl to turn off the kernel reseeding. If you turn it off you can do it in user space. That might be an option for the clinical paranoid. BTW what do you do when the FIPS test fails? I dont see a good fallback path for this case. -Andi - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/