Marlo Veteran
Joined: 26 Jul 2003 Posts: 1591
Posted: Mon Oct 22, 2018 7:29 pm Post subject: Kernel 4.19 CONFIG_RANDOM_TRUST_CPU > Y / N?
Do you have a recommendation for the new CONFIG_RANDOM_TRUST_CPU?
I have an AMD system. What should I set? Y or N?
Or should I just ignore it with "is not set"?

Hu Administrator
Joined: 06 Mar 2007 Posts: 23062
Posted: Tue Oct 23, 2018 1:55 am
The option defaults to n. Prior to this commit adding the option, it was effectively always n, with no user choice possible. If you want to retain the same semantics you have used to date, answer n. If you want faster RNG setup and are willing to take the risk that your CPU is hostile, answer y.

PrSo Tux's lil' helper
Joined: 01 Jun 2017 Posts: 136
Posted: Tue Oct 23, 2018 6:43 am
I have a couple of setups with Intel CPUs on which CONFIG_RANDOM_TRUST_CPU is set to "N", since there are serious concerns that the RdRand instruction in Intel processors was compromised by the NSA and GCHQ (link).
On my netbook with an AMD APU I have set CONFIG_RANDOM_TRUST_CPU=Y, since I have not seen anything that confirms those concerns for AMD's hardware rdrand.
Hypothetically it could be vulnerable too, though.
As Hu wrote, it depends on whether you put your trust in the CPU manufacturer.

Marlo Veteran
Joined: 26 Jul 2003 Posts: 1591
Posted: Tue Oct 23, 2018 11:01 pm
Thanks, Hu. That seems logical to me.
And as PrSo said "... I have not seen anything that confirms these concerns with AMD ..."
(And if this happens for the first time, certainly not on my little insignificant computer.)
I do not want to be an overprotective man who sees a robber behind every bush, although it is of course necessary to protect yourself.

toralf Developer
Joined: 01 Feb 2004 Posts: 3942 Location: Hamburg
Posted: Wed Oct 24, 2018 12:14 pm
Hu wrote:
> If you want faster RNG setup ...

For embedded or IoT this might be worth it, but for all others the safe choice is n.

freke Veteran
Joined: 23 Jan 2003 Posts: 1050 Location: Somewhere in Denmark
Posted: Wed Oct 24, 2018 6:44 pm
If I enabled this, should I be able to spot it in dmesg?
I don't see any differences in dmesg output on a 4.18 box vs. a 4.19 box.
(PC Engines APU2d4)

Marlo Veteran
Joined: 26 Jul 2003 Posts: 1591
Posted: Wed Oct 24, 2018 9:16 pm
freke wrote:
> If I enabled this, should I be able to spot it in dmesg?
> I don't see any differences in dmesg output on a 4.18 box vs. a 4.19 box.
> (PC Engines APU2d4)

Code:
    # cat dmesg-4.18.16-gentoo |grep random
    [ 0.000000] random: get_random_bytes called from start_kernel+0xba/0x77c with crng_init=0
    [ 1.003244] random: fast init done
    [ 3.603845] random: crng init done
    #
    # cat dmesg-4.19.0-gentoo |grep random
    [ 0.000000] random: get_random_bytes called from start_kernel+0xba/0x753 with crng_init=0
    [ 0.007008] random: crng done (trusting CPU's manufacturer)

It probably depends on the individual debug settings.

freke Veteran
Joined: 23 Jan 2003 Posts: 1050 Location: Somewhere in Denmark
Posted: Thu Oct 25, 2018 2:57 pm
Thanks

Code:
    lamp ~ # dmesg-4.19.0 | grep -i random
    [ 0.501723] random: get_random_bytes called from start_kernel+0xba/0x591 with crng_init=0
    [ 3.008766] random: fast init done
    [ 6.058254] random: udevd: uninitialized urandom read (16 bytes read)
    [ 6.058882] random: udevd: uninitialized urandom read (16 bytes read)
    [ 6.058918] random: udevd: uninitialized urandom read (16 bytes read)
    [ 9.815736] random: crng init done
    [ 9.815745] random: 7 urandom warning(s) missed due to ratelimiting

Code:
    mail ~ # dmesg-4.17.11 | grep -i random
    [ 0.000000] random: get_random_bytes called from start_kernel+0xba/0x58c with crng_init=0
    [ 2.211063] random: fast init done
    [ 4.960974] random: udevd: uninitialized urandom read (16 bytes read)
    [ 4.961449] random: udevd: uninitialized urandom read (16 bytes read)
    [ 4.961484] random: udevd: uninitialized urandom read (16 bytes read)
    [ 9.482099] random: crng init done
    [ 9.482108] random: 7 urandom warning(s) missed due to ratelimiting

So it seems my CPU isn't supported....

Code:
    mail ~ # cat /proc/cpuinfo
    processor : 0
    vendor_id : AuthenticAMD
    cpu family : 22
    model : 48
    model name : AMD GX-412TC SOC
    stepping : 1
    microcode : 0x7030105
    cpu MHz : 598.575
    cache size : 2048 KB

PrSo Tux's lil' helper
Joined: 01 Jun 2017 Posts: 136
Posted: Thu Oct 25, 2018 3:39 pm
I also have this in the dmesg output:

Code:
    $ dmesg | grep rng
    [ 0.241520] random: get_random_bytes called from start_kernel+0x8a/0x4a0 with crng_init=0
    [ 0.441691] random: crng done (trusting CPU's manufacturer)

but lscpu says in the CPU flags that "rdrand" is supported.

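An added example (my own shell script, not from any poster in this thread) that turns the checks discussed above into functions run against saved files: whether CONFIG_RANDOM_TRUST_CPU=y is in a .config, whether a cpuinfo flags line carries a given flag such as rdrand or rdseed, and, from a saved dmesg, whether the CRNG was seeded from the CPU (the "trusting CPU's manufacturer" line) or waited for the input pool, when it became ready, and how many urandom reads happened before that. The sample logs, config lines and cpuinfo are constructed, modelled on the lines freke and PrSo posted.

```shell
#!/bin/sh
# Added example, not from any poster: offline checks for the questions in this
# thread. Each function takes a path to a saved file (dmesg output, .config,
# /proc/cpuinfo), so it runs against logs the posters saved to disk.

# Was CONFIG_RANDOM_TRUST_CPU=y in the kernel .config, or n / "is not set"?
trust_cpu_configured() {
    grep -q '^CONFIG_RANDOM_TRUST_CPU=y' "$1" && echo y || echo n
}
# Does the cpuinfo flags line advertise flag $2? In 4.19 the x86 seeding path
# behind this option uses rdseed, so check that flag as well as rdrand.
cpu_has_flag() {
    grep -m1 '^flags' "$1" | grep -qw "$2" && echo y || echo n
}
# How the CRNG became ready: "cpu" = seeded from the CPU RNG (4.19 prints this
# only when the option is y and every arch_get_random_seed_long() succeeded),
# "pool" = waited for the input pool, "none" = neither line present.
crng_init_source() {
    if grep -q "crng done (trusting CPU's manufacturer)" "$1"; then echo cpu
    elif grep -q 'crng init done' "$1"; then echo pool
    else echo none; fi
}
# Seconds after boot at which the CRNG-ready line was logged.
crng_ready_seconds() {
    grep -E 'crng (init )?done' "$1" | head -n1 | sed -n 's/^\[ *\([0-9.]*\)\].*/\1/p'
}
# Reads of urandom before the CRNG was ready: warnings shown plus the number the
# kernel says it dropped to ratelimiting.
early_urandom_reads() {
    shown=$(grep -c 'uninitialized urandom read' "$1" || true)
    missed=$(sed -n 's/.*random: \([0-9]*\) urandom warning(s) missed.*/\1/p' "$1" | head -n1)
    echo $(( shown + ${missed:-0} ))
}

# Constructed samples, modelled on the lines posted in this thread.
SAMPLE=$(mktemp -d)
cat > "$SAMPLE/trusted.log" <<'EOF'
[    0.000000] random: get_random_bytes called from start_kernel+0xba/0x753 with crng_init=0
[    0.007008] random: crng done (trusting CPU's manufacturer)
EOF
cat > "$SAMPLE/pool.log" <<'EOF'
[    3.008766] random: fast init done
[    6.058254] random: udevd: uninitialized urandom read (16 bytes read)
[    6.058882] random: udevd: uninitialized urandom read (16 bytes read)
[    9.815736] random: crng init done
[    9.815745] random: 7 urandom warning(s) missed due to ratelimiting
EOF
printf 'CONFIG_RANDOM_TRUST_CPU=y\n' > "$SAMPLE/config-y"
printf '# CONFIG_RANDOM_TRUST_CPU is not set\n' > "$SAMPLE/config-n"
printf 'vendor_id\t: AuthenticAMD\nflags\t\t: fpu sse2 rdrand\n' > "$SAMPLE/cpuinfo"
echo "crng source: $(crng_init_source "$SAMPLE/pool.log"), early urandom reads: $(early_urandom_reads "$SAMPLE/pool.log")"
```

On a real box, point the functions at `/boot/config-$(uname -r)` (or a decompressed `/proc/config.gz`), `/proc/cpuinfo` and a saved `dmesg` output instead of the constructed files.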
Marlo Veteran
Joined: 26 Jul 2003 Posts: 1591
Posted: Thu Oct 25, 2018 4:51 pm
As this page says, your GX-412TC SOC has:
AMD-V / AMD virtualization technology
EPP / Advanced Antivirus
Platform security processor
You can also ask the manufacturer: https://community.amd.com/community/support-forums/processors
I am not a specialist, but I believe that this "X urandom warning(s)" message has another cause. Maybe something else is missing in the .config.
