[PATCH] KEYS: trusted: Use get_random-fallback for TPM
James Bottomley
James.Bottomley at HansenPartnership.com
Mon Dec 15 20:01:49 UTC 2025
On Mon, 2025-12-15 at 21:43 +0200, Jarkko Sakkinen wrote:
[...]
> I think there is misunderstanding with FIPS.
>
> Having FIPS certificated RNG in TPM matters but it only matters only
> in the sense that callers can be FIPS certified as they use that RNG
> as a source.
>
> Using FIPS certified RNG does not magically make callers be FIPS
> ceritified actors. The data is contaminated in that sense at the
> point when kernel acquires it.
I think FIPS certification is a red herring. The point being made in
the original thread is about RNG quality. The argument essentially
being that the quality of the TPM RNG is known at all points in time
but the quality of the kernel RNG (particularly at start of day when
the entropy pool is new) is less certain.
Regards,
James
More information about the Linux-security-module-archive
mailing list