Closed ereshetova closed 3 months ago
This issue has been extensively discussed on LKML. Some references:
https://lkml.org/lkml/2024/1/30/352
https://lwn.net/Articles/961121/
The final solution has been agreed on: https://lore.kernel.org/lkml/20240224011921.2663985-1-Jason@zx2c4.com/
Merged commit to the mainline: https://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git/commit/?id=99485c4c026f024e7cb82da84c7951dbe3deb584
Linux RNG is one of the primary sources of cryptographically strong random numbers available for both kernel and userspace. The default sources of entropy for Linux RNG are timing and interrupts, which are both observable (at least in theory) by a host/VMM under a CoCo threat model. The only source that is not observable is the CPU DRNG, which on x86 can be accessed by the RDRAND/RDSEED instructions. However, currently RDSEED can be made to fail if enough pressure is applied to it, and RDRAND can also fail in case of HW failure. In such cases we cannot allow a CoCo guest to proceed, since the Linux RNG won't be providing cryptographically secure random numbers.
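The failure mode described above (RDSEED/RDRAND returning "no data", signalled by a clear carry flag) is easy to get wrong in userspace too: code that ignores the carry flag silently uses a stale register value. The following is an added example, not code from this issue, from the linked kernel commit or from the CoCo guest project; it probes the x86 DRNG with the retry-then-refuse policy the issue calls for and never falls back to host-observable entropy. The function names (`coco_seed_word`, `coco_fill_seed`), the retry counts and the 64-bit-only restriction are assumptions made for the example; on non-x86 hosts it compiles and reports `DRNG_UNSUPPORTED`.

```c
/* Added example (not from the issue or the kernel). Treat the CPU DRNG the
 * way a CoCo guest must: retry on the CF=0 "no data" result, then fail hard
 * instead of quietly using timing/interrupt entropy the host can observe. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#if defined(__x86_64__)
#include <cpuid.h>
#define HAVE_X86_DRNG 1
#endif

enum drng_status { DRNG_UNSUPPORTED = -1, DRNG_EXHAUSTED = 0, DRNG_OK = 1 };

/* Feature bits: CPUID.1:ECX[30] = RDRAND, CPUID.(7,0):EBX[18] = RDSEED. */
static int cpu_has_rdrand(void) {
#ifdef HAVE_X86_DRNG
    unsigned a, b, c, d;
    if (!__get_cpuid(1, &a, &b, &c, &d)) return 0;
    return (c >> 30) & 1u;
#else
    return 0;
#endif
}

static int cpu_has_rdseed(void) {
#ifdef HAVE_X86_DRNG
    unsigned a, b, c, d;
    if (!__get_cpuid_count(7, 0, &a, &b, &c, &d)) return 0;
    return (b >> 18) & 1u;
#else
    return 0;
#endif
}

/* One attempt each. Return 1 and fill *out when CF=1; return 0 when the
 * DRNG reported no data (CF=0), in which case *out must not be used. */
static int rdrand_once(uint64_t *out) {
#ifdef HAVE_X86_DRNG
    unsigned char ok; uint64_t v;
    __asm__ volatile("rdrand %0\n\tsetc %1" : "=r"(v), "=qm"(ok) : : "cc");
    if (ok) *out = v;
    return ok;
#else
    (void)out; return 0;
#endif
}

static int rdseed_once(uint64_t *out) {
#ifdef HAVE_X86_DRNG
    unsigned char ok; uint64_t v;
    __asm__ volatile("rdseed %0\n\tsetc %1" : "=r"(v), "=qm"(ok) : : "cc");
    if (ok) *out = v;
    return ok;
#else
    (void)out; return 0;
#endif
}

/* Seed one 64-bit word: RDSEED first (non-deterministic output), RDRAND as
 * the DRBG-backed fallback, each with a bounded retry budget (assumed values
 * are passed by the caller). DRNG_EXHAUSTED is the condition the issue says a
 * CoCo guest must not tolerate. */
int coco_seed_word(uint64_t *out, unsigned rdseed_retries, unsigned rdrand_retries) {
    int have_rdseed = cpu_has_rdseed(), have_rdrand = cpu_has_rdrand();
    if (!have_rdseed && !have_rdrand) return DRNG_UNSUPPORTED;
    for (unsigned i = 0; have_rdseed && i < rdseed_retries; i++)
        if (rdseed_once(out)) return DRNG_OK;
    for (unsigned i = 0; have_rdrand && i < rdrand_retries; i++)
        if (rdrand_once(out)) return DRNG_OK;
    return DRNG_EXHAUSTED;
}

/* Fill a seed buffer word by word; any exhausted word fails the whole seed
 * and the buffer is wiped so a partial seed cannot be used by mistake. */
int coco_fill_seed(uint8_t *buf, size_t len, unsigned rdseed_retries, unsigned rdrand_retries) {
    for (size_t off = 0; off < len; off += sizeof(uint64_t)) {
        uint64_t w = 0;
        int rc = coco_seed_word(&w, rdseed_retries, rdrand_retries);
        if (rc != DRNG_OK) { memset(buf, 0, len); return rc; }
        size_t n = len - off < sizeof w ? len - off : sizeof w;
        memcpy(buf + off, &w, n);
    }
    return DRNG_OK;
}

int main(void) {
    uint8_t seed[32];
    int rc = coco_fill_seed(seed, sizeof seed, 8, 10);   /* retry budgets: assumed */
    if (rc != DRNG_OK) {
        fprintf(stderr, "CPU DRNG %s: refusing to proceed without a trusted seed\n",
                rc == DRNG_UNSUPPORTED ? "unsupported" : "exhausted");
        return 1;
    }
    printf("seeded %zu bytes from the CPU DRNG\n", sizeof seed);
    return 0;
}
```

The important detail is the `setc` after each instruction: the carry flag, not the register contents, is the only signal that the DRNG produced data, and a zero retry budget correctly yields `DRNG_EXHAUSTED` rather than a stale value.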