Re: [PATCH] API for true Random Number Generators to add entropy (2.6.11)

[Andi Kleen]

On Sun, Mar 27, 2005 at 08:55:03PM +0200, folkert@xxxxxxxxxxxxxx wrote:
> > > pool.  The consensus was that the FIPS testing should be moved to userspace.
> > Consensus from whom? And who says the FIPS testing is useful anyways?
> > I think you just need to trust the random generator, it is like
> > you need to trust any other piece of hardware in your machine. Or do you 
> > check regularly if you mov instruction still works? @)
> 
> For joe-user imho it's better to do a check from a cronjob once a day. But for
> high demand security, maybe make it pluggable? Like that a user can plug-in some
> module which does the testing? Then you can have several kinds of tests
> depending on your needs.

In my old 2.4 patch there was a sysctl to turn off the kernel reseeding.
If you turn it off you can do it in user space. That might be
an option for the clinical paranoid. 

BTW what do you do when the FIPS test fails? I dont see a good fallback
path for this case.

-Andi

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/