| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <5446f517848338b4ccac8d7bbedf4cc1ed315cb4.camel@HansenPartnership.com> Date: Mon, 15 Dec 2025 21:01:49 +0100 From: James Bottomley <James.Bottomley@...senPartnership.com> To: Jarkko Sakkinen <jarkko@...nel.org> Cc: linux-integrity@...r.kernel.org, David Howells <dhowells@...hat.com>, Paul Moore <paul@...l-moore.com>, James Morris <jmorris@...ei.org>, "Serge E. Hallyn" <serge@...lyn.com>, Mimi Zohar <zohar@...ux.ibm.com>, "open list:KEYS/KEYRINGS" <keyrings@...r.kernel.org>, "open list:SECURITY SUBSYSTEM" <linux-security-module@...r.kernel.org>, open list <linux-kernel@...r.kernel.org> Subject: Re: [PATCH] KEYS: trusted: Use get_random-fallback for TPM On Mon, 2025-12-15 at 21:43 +0200, Jarkko Sakkinen wrote: [...] > I think there is misunderstanding with FIPS. > > Having FIPS certificated RNG in TPM matters but it only matters only > in the sense that callers can be FIPS certified as they use that RNG > as a source. > > Using FIPS certified RNG does not magically make callers be FIPS > ceritified actors. The data is contaminated in that sense at the > point when kernel acquires it. I think FIPS certification is a red herring. The point being made in the original thread is about RNG quality. The argument essentially being that the quality of the TPM RNG is known at all points in time but the quality of the kernel RNG (particularly at start of day when the entropy pool is new) is less certain. Regards, James
Powered by blists - more mailing lists