Re: lack of boot-time entropy on arm64 ec2 instances

To: debian-cloud@lists.debian.org
Subject: Re: lack of boot-time entropy on arm64 ec2 instances
From: Ross Vandegrift <rvandegrift@debian.org>
Date: Wed, 8 Jan 2020 12:50:04 -0800
Message-id: <[🔎] 20200108205004.krzsqtwtywvqbirk@vanvanmojo.kallisti.us>
In-reply-to: <[🔎] 20200108194813.GD31539@morgul.net>
References: <[🔎] 20200108194813.GD31539@morgul.net>

On Wed, Jan 08, 2020 at 02:48:13PM -0500, Noah Meyerhans wrote:
> Option 1:
> 
> We add haveged to the arm64 EC2 AMI.  This appears to work, and is
> something we can do today.  The debian-installer has previously used
> haveged to ensure reasonable entropy during installation, so there is
> some precident for this.
> 
> Option 2:
> 
> There is a mechanism by which the VM host can pass entropy to the guest
> at boot time using the EFI_RNG protocol.  This won't require any
> additional software in our images, but it has a couple of other notable
> drawbacks:
[snip]
> I'm not aware of any other options.  Given the above, it seems that
> haveged is the only really feasible choice right now.  Does anyone
> disagree with that assessment?  Are there options I've missed?

I know of two other options:
- pollinate
- jitterentropy-rngd

pollinate downloads seeds remotely, which feels wrong - and itself may
require random numbers.  I've never tried jitterentropy.

Ross

Reply to:

Follow-Ups:
- Re: lack of boot-time entropy on arm64 ec2 instances
  - From: Noah Meyerhans <noahm@debian.org>

References:
- lack of boot-time entropy on arm64 ec2 instances
  - From: Noah Meyerhans <noahm@debian.org>

Prev by Date: Prevencion Lavado de Dinero
Next by Date: Re: lack of boot-time entropy on arm64 ec2 instances
Previous by thread: Re: lack of boot-time entropy on arm64 ec2 instances
Next by thread: Re: lack of boot-time entropy on arm64 ec2 instances
Index(es):
- Date
- Thread