** Changed in: linux-gke (Ubuntu)
Status: New => Confirmed
** Changed in: linux-gke (Ubuntu)
Importance: Low => Medium
--
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux-gke in Ubuntu.
https://bugs.launchpad.net/bugs/2106782
Title:
virtio_rng should be the source of hardware entropy
Status in linux-gke package in Ubuntu:
Confirmed
Bug description:
SRU Justification
[Impact]
GKE made an inquiry about the source of entropy for /dev/hwrng. Their
public documentation
(https://cloud.google.com/compute/docs/instances/enabling-virtio-rng)
specifies that virtio_rng is the default, but they observed that the
TPM's RNG is used instead on current GKE images. Besides aligning with
their public docs, using virtio_rng means that the host is responsible
for providing the most secure hardware entropy source, which is a
better default than assuming that the most secure source on that
particular machine is the TPM (or RDRAND instructions, etc).
[Fix]
Configure CONFIG_HW_RANDOM_VIRTIO=y for all targeted kernels.
[Test Plan]
Executing
$ cat /sys/devices/virtual/misc/hw_random/rng_current
Should return "virtio_rng.0"
[Regression potential]
There should be a very low chance of regression. Hardware RNG entropy
sources in theory are identical in behavior, and the test plan above
can determine what the active source of entropy is.
[Other]
PIT: 400861474
SF: 00409265
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux-gke/+bug/2106782/+subscriptions
--
Mailing list: https://launchpad.net/~kernel-packages
Post to : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help : https://help.launchpad.net/ListHelp
