
jitter entropy RNG update
Open, Normal, Public

Description

http://www.chronox.de/jent.html has a new version.

It will be good for libgcrypt to import the new version.

Event Timeline

werner triaged this task as Normal priority. Aug 16 2021, 11:08 AM
werner added a project: FIPS.

For Linux and FIPS, we should actually be fine with using /dev/random or getrandom().

I also noticed the file random/random-fips.c, which looks like some outdated version of fips random number, which has not been updated for ages. Would it make sense to remove it? I think it is not used anywhere.

Yes, it makes sense to remove it.

We should update jitterentropy to 3.0.2 or newer, which should be easier to get through certification, if we go this way. From a FIPS perspective, we should be fine with either going through getrandom only or with jitter entropy, but the bottom line was that we should probably keep both as we do now.

We do it with the following patch:

https://src.fedoraproject.org/rpms/libgcrypt/blob/rawhide/f/libgcrypt-1.8.5-getrandom.patch

I see this patch already has some history, but the latest bug I was able to find related to this patch was https://bugzilla.redhat.com/show_bug.cgi?id=1380866 which handles libgcrypt preventing boot of the system. It will probably require some clarifications, so please ask.

werner moved this task from Backlog to Next on the FIPS board.