** Changed in: linux-gke (Ubuntu)
       Status: New => Confirmed

** Changed in: linux-gke (Ubuntu)
   Importance: Low => Medium
-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux-gke in Ubuntu.
https://bugs.launchpad.net/bugs/2106782

Title:
  virtio_rng should be the source of hardware entropy

Status in linux-gke package in Ubuntu:
  Confirmed

Bug description:
  SRU Justification

  [Impact]

  GKE made an inquiry about the source of entropy for /dev/hwrng. Their
  public documentation
  (https://cloud.google.com/compute/docs/instances/enabling-virtio-rng)
  specifies that virtio_rng is the default, but they observed that the
  TPM's RNG is used instead on current GKE images.

  Besides aligning with their public docs, using virtio_rng means that
  the host is responsible for providing the most secure hardware entropy
  source, which is a better default than assuming that the most secure
  source on that particular machine is the TPM (or RDRAND instructions,
  etc).

  [Fix]

  Configure CONFIG_HW_RANDOM_VIRTIO=y for all targeted kernels.

  [Test Plan]

  Executing

    $ cat /sys/devices/virtual/misc/hw_random/rng_current

  should return "virtio_rng.0".

  [Regression potential]

  There should be a very low chance of regression. Hardware RNG entropy
  sources in theory are identical in behavior, and the test plan above
  can determine what the active source of entropy is.

  [Other]

  PIT: 400861474
  SF: 00409265

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux-gke/+bug/2106782/+subscriptions

-- 
Mailing list: https://launchpad.net/~kernel-packages
Post to     : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp
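A scripted form of the test plan above, added here as an example and not part of the bug report or the Ubuntu kernel package: it reads the hw_random core's rng_current and rng_available sysfs attributes, checks the running kernel's config for CONFIG_HW_RANDOM_VIRTIO=y, and fails when something other than virtio_rng is the active source (as GKE observed with the TPM). The sysfs directory and config file are parameters so the check can be run against a constructed tree; the defaults are the real locations on a running system.

```shell
#!/bin/sh
# check_hwrng [HWRNG_SYSFS_DIR] [KERNEL_CONFIG_FILE]
# Returns 0 only when the active hardware RNG is virtio_rng.
# Returns 1 when another source (TPM, RDRAND-backed drivers, ...) is active,
# and 2 when the hw_random core exposes no device at all.
check_hwrng() {
    hwrng_dir="${1:-/sys/devices/virtual/misc/hw_random}"
    config="${2:-/boot/config-$(uname -r)}"

    if [ ! -r "$hwrng_dir/rng_current" ]; then
        echo "no hw_random device under $hwrng_dir (hw_random core not loaded?)"
        return 2
    fi

    current=$(cat "$hwrng_dir/rng_current")
    # rng_available lists every registered source; it is informational here.
    available=$(cat "$hwrng_dir/rng_available" 2>/dev/null)

    # The SRU fix builds the driver in (=y); report the config state when
    # the file is readable, but let the sysfs value decide the result.
    if [ -r "$config" ]; then
        if grep -q '^CONFIG_HW_RANDOM_VIRTIO=y$' "$config"; then
            echo "CONFIG_HW_RANDOM_VIRTIO=y in $config"
        else
            echo "CONFIG_HW_RANDOM_VIRTIO is not built in (=y) in $config"
        fi
    fi

    # The test plan expects exactly "virtio_rng.0"; the suffix is the device
    # index, so match the driver prefix rather than one index.
    case "$current" in
        virtio_rng*)
            echo "active hwrng: $current (available: $available)"
            return 0 ;;
        *)
            echo "active hwrng is $current, not virtio_rng (available: $available)"
            return 1 ;;
    esac
}
```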