Set CONFIG_RANDOM_TRUST_CPU=y
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| linux-aws (Ubuntu) | Fix Released | High | Seth Forshee | |
| linux-azure (Ubuntu) | Fix Released | High | Seth Forshee | |
| linux-gcp (Ubuntu) | Fix Released | High | Seth Forshee | |
| linux-kvm (Ubuntu) | Fix Released | High | Seth Forshee | |
Bug Description
SRU Justification
Impact: Turning this option on will make our kernels by default trust the CPU's random number generator for the purpose of initializing the kernel's CRNG on Intel, AMD, and IBM CPUs. Users can disable this at boot time by passing random.
Regression Potential: No user-visible regressions are expected. Some security-conscious users may prefer not to trust the CPU maker's RNG, but in that case the boot option is available.
Test Case: The benefit is difficult to verify empirically in Ubuntu kernels since we carry a patch to avoid problems with getrandom(2) blocking immediately following boot. However, it is possible to see whether or not the kernel used the CPU RNG for initializing the CRNG by searching for the string "random: crng done (trusting CPU's manufacturer)" in dmesg.
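The test case above amounts to two checks: that the built kernel config carries CONFIG_RANDOM_TRUST_CPU=y, and that the running kernel logged the "trusting CPU's manufacturer" message when it seeded its CRNG. The script below is an added example (not part of this bug report or the Ubuntu kernel packaging) that performs both checks. The dmesg and config texts it tests itself against are constructed samples; when run on a real host it inspects the live dmesg output and /boot/config-$(uname -r), and it treats an unreadable dmesg or config file as "not confirmed" rather than as an error.

```shell
#!/bin/sh
# Added example: verify the CONFIG_RANDOM_TRUST_CPU change from user space.
# Not code from the bug report; file names and messages below are the ones the
# report itself cites plus the standard Ubuntu /boot/config-<release> layout.

# Exact string the bug report says to look for in dmesg.
CRNG_TRUST_MSG="random: crng done (trusting CPU's manufacturer)"

# Succeed (exit 0) when the given kernel log text contains the trusting-CPU
# message, meaning the CRNG was seeded from the CPU RNG (RDRAND/RDSEED etc.).
crng_trusted_cpu() {
    printf '%s\n' "$1" | grep -qF "$CRNG_TRUST_MSG"
}

# Succeed when the given kernel config text enables the option.
# -x requires a whole-line match so a commented-out "# CONFIG_... is not set"
# line does not count.
config_trust_cpu_enabled() {
    printf '%s\n' "$1" | grep -qxF 'CONFIG_RANDOM_TRUST_CPU=y'
}

# Constructed sample inputs (not real captures) used for self-checking.
SAMPLE_DMESG_TRUSTED="[    0.000000] Linux version 5.0.0-1002-aws (buildd@host)
[    0.120000] random: get_random_bytes called from start_kernel+0x93/0x4f0 with crng_init=0
[    0.130000] $CRNG_TRUST_MSG"

SAMPLE_DMESG_UNTRUSTED="[    0.000000] Linux version 5.0.0-1002-aws (buildd@host)
[    0.120000] random: get_random_bytes called from start_kernel+0x93/0x4f0 with crng_init=0
[    2.300000] random: crng init done"

SAMPLE_CONFIG_ON="CONFIG_RANDOM_TRUST_CPU=y
CONFIG_HW_RANDOM=y"

SAMPLE_CONFIG_OFF="# CONFIG_RANDOM_TRUST_CPU is not set
CONFIG_HW_RANDOM=y"

# Report on the live system.  dmesg may need root; an unreadable log or
# config is reported as unconfirmed, not as a failure.
live_report() {
    dmesg_text=$(dmesg 2>/dev/null || true)
    if crng_trusted_cpu "$dmesg_text"; then
        echo "dmesg: CRNG seeded from the CPU RNG (trusting CPU's manufacturer)"
    else
        echo "dmesg: trusting-CPU message not found (older kernel, random.trust_cpu disabled, or dmesg unreadable)"
    fi

    cfg="/boot/config-$(uname -r)"
    if [ -r "$cfg" ] && config_trust_cpu_enabled "$(cat "$cfg")"; then
        echo "$cfg: CONFIG_RANDOM_TRUST_CPU=y"
    else
        echo "$cfg: CONFIG_RANDOM_TRUST_CPU not enabled or config unreadable"
    fi
}

live_report
```

Run it as root on a host with the fixed kernel; the first line of output is the check the bug report describes, the second confirms the build-time option behind it.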
Changed in linux-aws (Ubuntu):
- assignee: nobody → Seth Forshee (sforshee)
- importance: Undecided → High
- status: New → In Progress

Changed in linux-gcp (Ubuntu):
- assignee: nobody → Seth Forshee (sforshee)
- importance: Undecided → High
- status: New → In Progress

Changed in linux-kvm (Ubuntu):
- assignee: nobody → Seth Forshee (sforshee)
- importance: Undecided → High
- status: New → In Progress

Changed in linux-aws (Ubuntu):
- status: In Progress → Fix Committed

Changed in linux-azure (Ubuntu):
- status: In Progress → Fix Committed

Changed in linux-gcp (Ubuntu):
- status: In Progress → Fix Committed

Changed in linux-kvm (Ubuntu):
- status: In Progress → Fix Committed
This bug was fixed in the package linux-aws - 5.0.0-1002.2
---------------
linux-aws (5.0.0-1002.2) disco; urgency=medium
* linux-aws: 5.0.0-1002.2 -proposed tracker (LP: #1823219)
* Set CONFIG_RANDOM_TRUST_CPU=y (LP: #1823754)
- [Config] CONFIG_RANDOM_TRUST_CPU=y
* net and ftrace selftests failures due to missing test modules (LP: #1823407)
- SAUCE: selftests: net: don't fail test_bpf when module is not present
- SAUCE: selftests: ftrace: don't fail for unresolved tests
* Please ship the ib_uverbs driver module in the main modules package
(LP: #1822692)
- [config] AWS: ib_uverbs.ko, ib_umad.ko moved to linux-modules package
* Miscellaneous Ubuntu changes
- [Config] update configs following rebase to 5.0.0-10.11
-- Seth Forshee <email address hidden> Tue, 09 Apr 2019 11:13:53 -0500