[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: lack of boot-time entropy on arm64 ec2 instances

On Wed, Jan 08, 2020 at 07:18:33PM -0500, Theodore Y. Ts'o wrote:
> Another approach would be to cherry pick 50ee7529ec45 ("random: try to
> actively add entropy rather than passively wait for it").  I'm pretty
> confident that it's probably fine ("it's fine.  it's fine.  Really,
> it's fine") for x86.  In particular, at least x86 has RDRAND, so even
> if it's utterly predictable to someone who has detailed information
> about the CPU's microarchitecture, it probably won't be a diaster.

Of course, another possibility would be to use the 5.4 kernel from
buster-backports, once it's uploaded, since it'll contain 50ee7529ec45
already.  I can confirm that ssh host key generation under Linux 5.4
does not block for lack of entropy.  We'll also at that point have the
option of using the cloud kernel flavour, when that's available.  I
don't really like the idea of using something that doesn't get support
from the security team, and I'd probably want to switch to the
buster-backports kernel for amd64 as well, if we were to do this.  It's
not what I prefer, but it is an option worth mentioning.

noah
Reply to: