Originally posted by sdack
View Post
Announcement
Collapse
No announcement yet.
New Linux /dev/random RNG Revved For The 43rd Time
Collapse
X
-
Originally posted by sdack View PostA new revision does not imply previous versions are wrong.
Some people also do not like the idea Linux LRNG would be FIPS 140-2 compliance not even opt-in as it is implemented. Also a developer of one famous VPN kernel module, which purposely utilize only non-NIST approved algorithms, has strong opinion against FIPS compliance needed for governmental use cases.
- Likes 8
Comment
-
Originally posted by sdack View Post
A new revision does not imply previous versions are wrong.Originally posted by ddriver View Post
Only that it is not good enough.
The same applies to software. Incomplete does not mean useless, we just acknowledge improvements can (or maybe should) be made. Depending on the scope/use-case, what you have might be good enough. Just because we know General Relativity gives an incomplete description of nature does not make it useless; and the same goes for previous versions of software.
- Likes 17
Comment
-
-
- Likes 5
Comment
-
Originally posted by set135I do not know the past history of this patchset, but this response to the latest posting may be of interest:
http://lkml.iu.edu/hypermail/linux/k...1.2/05647.html
(Jason A. Donenfeld being the guy behind wireguard.)
- Likes 5
Comment
-
Originally posted by sdack View PostHe could have suggested making FIPS compatibility configurable...
Comment
-
I think the overly simplified summery is that if you want a FIPS 140-2 compliant system, it must be impossible to negotiate to use non-approved algorithms and use non-approved methods.
From the point of view of the Linux kernel, some people wish to preserve the flexibility of using non-approved algorithms.
From the point of view of people wishing to operate FIPS 140-2 compliant systems, some people wish to ensure non-approved algorithms are not available, and FIPS 140-2 approved methods of generating random numbers are used.
In the case of the random number generation method, some people can argue quite strongly that non FIPS 140-2 compliant mechanisms are more appropriate to their use-cases.
I am absolutely not an expert here: but I suspect setting a system flag that tells the kernel to operate in FIPS 140-2 compliant mode or not is not an acceptable solution for certification of FIPS 140-2 compliance, which hinders (if not completely prevents) the mainline linux kernel from being used in situations where certified FIPS 140-2 compliance is mandatory.
All of the above could be hogwash. Please do your own research. If you care to share the results of your own analysis, please do. Unfortunately, I have other things I need to do, as I'd love to get to the bottom of this, but I can't justify spending the time on it right now. Hopefully someone will be afflicted with siwoti and post a correct summary.
- Likes 7
Comment
-
Originally posted by Old Grouch View Post... From the point of view of people wishing to operate FIPS 140-2 compliant systems, some people wish to ensure non-approved algorithms are not available, and FIPS 140-2 approved methods of generating random numbers are used. ...
- Likes 3
Comment
Comment