
Re: lack of boot-time entropy on arm64 ec2 instances



On Wed, Jan 08, 2020 at 08:17:13PM +0000, Luca Filipozzi wrote:
> On Wed, Jan 08, 2020 at 02:48:13PM -0500, Noah Meyerhans wrote:
> > We add haveged to the arm64 EC2 AMI.  This appears to work, and is
> > something we can do today.  The debian-installer has previously used
> > haveged to ensure reasonable entropy during installation, so there is
> > some precedent for this.
> 
> Every time I propose the use of haveged to resolve entropy starvation, I
> get reactions from crypto folks saying that it's not a valid solution.
> They invariably suggest that passing hardware RNG through to the VM is
> the appropriate choice.
> 
> The latest such reaction being from mjg59. See:
> https://twitter.com/mjg59/status/1181423056268349441
> https://twitter.com/LucaFilipozzi/status/1181426253636755457

I've seen reactions like this, but never an explanation.  Has anyone
written up the issues?  Given that "fail to boot" isn't a workable
outcome, it'd be useful to know exactly what risks one accepts when
using haveged.

Ross
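The suggestion quoted above is to pass a hardware RNG through to the guest rather than rely on haveged. A quick way to see which situation a given guest is in is to look at the kernel's chosen hwrng source and its entropy estimate. The script below is an added example, not from the original thread or from the Debian cloud images; it assumes a stock Linux layout of /sys/class/misc/hw_random/rng_current and /proc/sys/kernel/random/entropy_avail, and takes an optional root directory so the same checks can be run against a copied tree. The function names and the 256-bit threshold are the example's own choices.

```shell
#!/bin/sh
# Added example, not part of the original mail thread.
# Assumes a Linux guest exposing the usual hwrng and random sysctl files.
# Every function takes an optional root directory (default "/") so the
# checks can be pointed at a constructed copy of the files for testing.

# Print the hardware RNG the kernel currently uses, or "none".
# A virtio-rng passthrough typically shows up here as "virtio_rng.0".
hwrng_current() {
    root="${1:-/}"
    f="$root/sys/class/misc/hw_random/rng_current"
    cur=none
    if [ -r "$f" ]; then
        cur=$(cat "$f")
        [ -n "$cur" ] || cur=none
    fi
    echo "$cur"
}

# Print the kernel's current entropy estimate in bits (0 if unreadable).
entropy_avail() {
    root="${1:-/}"
    f="$root/proc/sys/kernel/random/entropy_avail"
    if [ -r "$f" ]; then
        cat "$f"
    else
        echo 0
    fi
}

# Classify the guest:
#   hwrng   - a hardware RNG is passed through, haveged is not needed
#   starved - no hwrng and the estimate is below the threshold (default 256 bits)
#   ok      - no hwrng, but the estimate is at or above the threshold
entropy_status() {
    root="${1:-/}"
    threshold="${2:-256}"
    if [ "$(hwrng_current "$root")" != none ]; then
        echo hwrng
    elif [ "$(entropy_avail "$root")" -lt "$threshold" ]; then
        echo starved
    else
        echo ok
    fi
}

# Stand-alone use: report on the running system.
if [ "${RUN_ENTROPY_CHECK:-0}" = 1 ]; then
    echo "hwrng: $(hwrng_current)  entropy_avail: $(entropy_avail)  status: $(entropy_status)"
fi
```

Run it with RUN_ENTROPY_CHECK=1 on the instance in question. One caveat: on kernels from 5.18 onward the entropy_avail counter is effectively constant once the CRNG is initialized, so the "starved" classification is only meaningful on older kernels; there the useful signal is whether the kernel has logged "crng init done" before userspace started asking for random bytes.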

