On 05/06/2011 08:29 PM, Cristian Rodríguez wrote:
El 06/05/11 20:59, Jeff Mahoney escribió:
Hi all -
I just removed the network device entropy-generating patches from the kernel repo. They had to be explicitly enabled for use and were consistently refused for upstream acceptance. With no better hardware entropy source, they kept the pool full but are prone to third party manipulation via packet flooding.
I noticed that since 11.4, we have installed haveged by default. Might it be a good idea to enable it by default as well? Perhaps someone with more experience with it can chime in, but it looks like it stays dormant until the entropy pool drops too low so there's not a lot of overhead.
Open a bug report and assign it to me, I will check it out, CC the security team also plz ;)
Please add me as well.
While you are at it, there is an havege kernel module  as well, but currently does not compile/work, any hope of taking a look on it ?
If we need help from upstream, ping me off-list. I used to work with these folks and know some of them personally.
Finally I got a question, why crypto devices that can feed the kernel entropy pool automatically have to use rngd ? I know something should check for the quality of that entropy, I wonder why the kernel itself doesnt do that tests.