On Wed, May 02, 2018 at 01:02:34AM +0000, Linus Torvalds wrote: > On Tue, May 1, 2018 at 4:34 PM Tobin C. Harding <m...@tobin.cc> wrote: > > > > This option should NOT be enabled on production kernels. > > I think with your fixes to get_random_bytes_arch(), it's perfectly fine to > use on production kernels (and doesn't even need a kernel command line > option). > > It was only with the "use weak crypto" (that get_random_bytes_arch() used > to fall back on) that it was a problem. That fixed "verify that > get_random_bytes_arch() really uses hw crypto" is certainly not weak crypto.
Ok, I'll wait to see if anyone with a more paranoid disposition adds to this otherwise will implement as suggested. thanks, Tobin.