On Wed, Apr 24, 2019 at 12:24 PM Lennart Poettering <mzerq...@0pointer.de> wrote: > > > But why do that in userspace at all? the "Trust CPU RNG" kernel > > > compile time option shows that these things are trivial to solve if > > > people just want to. Instead of involving rngd at all, why not add a > > > similar option for the TPM RNG (or any other non-CPU hw rng) and then > > > rngd doesn't do anything useful anymore whatsoever? I mean, to my > > > knowledge all those other RNGs already feed into the pool anyway, they > > > just don't get trusted and thus don't add to the entropy > > > estimate. Fixing that should be quite doable and given that > > > CONFIG_RANDOM_TRUST_CPU exists now it shouldn't be politically too > > > hard to argue for a CONFIG_RANDOM_TRUST_TPM either... > > > > I like the part that this is trivial to solve if people want to. > > Making people agree is an order of magnitude harder than fixing any > > code. Nevertheless, without rngd, getrandom() would block in one of > > the first services started by systemd (if it doesn't block in systemd > > itself). > > As mentioned before: systemd itself already needs entropy itself (it > assigns a random 128bit id to each service invocation, dubbed the > "invocation ID" of it, and it generates the machine ID and seeds its > hash table hash functions), hence rngd doesn't cut it anyway, since it > starts after systemd, being a service managed by systemd. If rngd was > supposed to fill up the entropy pool at boot, it would have to run as > initial PID 1 in the initrd, before systemd, and then hand over to > systemd only after the pool is full. But it doesn't, hence rngd is > pointless: it runs too late to be useful.
The goal of running rngd early was to have the system boot, not necessarily to address systemd's need for random numbers. In that it is successful. I do not disagree that it is not a clean solution. regards, Nikos _______________________________________________ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
