** Changed in: linux-gke (Ubuntu)
       Status: New => Confirmed

** Changed in: linux-gke (Ubuntu)
   Importance: Low => Medium

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux-gke in Ubuntu.
https://bugs.launchpad.net/bugs/2106782

Title:
  virtio_rng should be the source of hardware entropy

Status in linux-gke package in Ubuntu:
  Confirmed

Bug description:
  SRU Justification

  [Impact]

  GKE made an inquiry about the source of entropy for /dev/hwrng. Their
  public documentation
  (https://cloud.google.com/compute/docs/instances/enabling-virtio-rng)
  specifies that virtio_rng is the default, but they observed that the
  TPM's RNG is used instead on current GKE images. Besides aligning with
  their public docs, using virtio_rng means that the host is responsible
  for providing the most secure hardware entropy source, which is a
  better default than assuming that the most secure source on that
  particular machine is the TPM (or RDRAND instructions, etc).

  [Fix]

  Configure CONFIG_HW_RANDOM_VIRTIO=y for all targeted kernels.

  [Test Plan]

  Executing
  $ cat /sys/devices/virtual/misc/hw_random/rng_current
  should return "virtio_rng.0"

  [Regression potential]

  There should be a very low chance of regression. Hardware RNG entropy
  sources in theory are identical in behavior, and the test plan above
  can determine what the active source of entropy is.

  [Other]

  PIT: 400861474
  SF: 00409265

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux-gke/+bug/2106782/+subscriptions


-- 
Mailing list: https://launchpad.net/~kernel-packages
Post to     : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp
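The test plan above checks a single sysfs file. The script below is an added example (not part of the bug report or of the Ubuntu kernel packaging) that goes a little further: it reads both rng_current and rng_available so that a mismatch can be classified as "virtio_rng registered but not selected" versus "virtio_rng not registered at all", and it checks whether CONFIG_HW_RANDOM_VIRTIO is present in the running kernel's config. The sysfs paths and the config symbol are the real ones named in the bug; the function names and the sysfs-root parameter (which lets the check run against a constructed tree) are this example's own.

```shell
#!/bin/sh
# Added example: verify which hwrng backend the kernel selected and whether
# virtio_rng is the active source. ROOT is the sysfs mount point (/sys on a
# live system); it is a parameter so the check can be pointed at a test tree.

# hwrng_current ROOT -> prints the active hwrng source (empty if none)
hwrng_current() {
    cat "$1/devices/virtual/misc/hw_random/rng_current" 2>/dev/null
}

# hwrng_available ROOT -> prints the registered sources, space separated
hwrng_available() {
    cat "$1/devices/virtual/misc/hw_random/rng_available" 2>/dev/null
}

# hwrng_is_active ROOT NAME -> exit 0 if NAME is the current source
hwrng_is_active() {
    [ "$(hwrng_current "$1")" = "$2" ]
}

# hwrng_report ROOT EXPECTED -> prints a verdict;
#   exit 0: EXPECTED is active, 1: another source is active, 2: no hwrng at all
hwrng_report() {
    root=$1
    expected=$2
    cur=$(hwrng_current "$root")
    avail=$(hwrng_available "$root")
    if [ -z "$cur" ]; then
        echo "no hwrng device registered under $root"
        return 2
    fi
    echo "rng_current:   $cur"
    echo "rng_available: $avail"
    if [ "$cur" = "$expected" ]; then
        echo "OK: $expected is the active hardware entropy source"
        return 0
    fi
    echo "MISMATCH: expected $expected, got $cur"
    # Distinguish "driver loaded but the core picked another backend" from
    # "driver not built/loaded", since the fix for each is different.
    case " $avail " in
        *" $expected "*) echo "note: $expected is registered but not selected" ;;
        *) echo "note: $expected is not registered; check CONFIG_HW_RANDOM_VIRTIO" ;;
    esac
    return 1
}

# hwrng_config_enabled [CONFIG_FILE] -> exit 0 if CONFIG_HW_RANDOM_VIRTIO is
# built in (y) or a module (m) in the given kernel config (default: running kernel)
hwrng_config_enabled() {
    cfg=${1:-/boot/config-$(uname -r)}
    grep -E '^CONFIG_HW_RANDOM_VIRTIO=(y|m)$' "$cfg" >/dev/null 2>&1
}

# Report on the live system when run as a script (set HWRNG_QUIET=1 to skip).
if [ -z "${HWRNG_QUIET:-}" ]; then
    hwrng_report /sys virtio_rng.0 || true
    if hwrng_config_enabled; then
        echo "CONFIG_HW_RANDOM_VIRTIO: enabled"
    else
        echo "CONFIG_HW_RANDOM_VIRTIO: not enabled (or config file not readable)"
    fi
fi
```

On a GKE-style guest where the bug reproduces, expect rng_available to list both the TPM backend and virtio_rng.0 while rng_current names the TPM; after the fix rng_current should read virtio_rng.0. For a one-off switch without a kernel change, root can write the desired name into rng_current (the hw_random core accepts that), but that does not survive a reboot, which is why the SRU changes the build configuration instead.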
