From: "Theodore Ts'o" <tytso@mit.edu>
To: Dan Williams <dan.j.williams@intel.com>
Cc: "Reshetova, Elena" <elena.reshetova@intel.com>,
"Jason A. Donenfeld" <Jason@zx2c4.com>,
"Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>,
"H. Peter Anvin" <hpa@zytor.com>,
Dave Hansen <dave.hansen@linux.intel.com>,
Thomas Gleixner <tglx@linutronix.de>,
Ingo Molnar <mingo@redhat.com>, Borislav Petkov <bp@alien8.de>,
"x86@kernel.org" <x86@kernel.org>,
Kuppuswamy Sathyanarayanan
<sathyanarayanan.kuppuswamy@linux.intel.com>,
"Nakajima, Jun" <jun.nakajima@intel.com>,
Tom Lendacky <thomas.lendacky@amd.com>,
"Kalra, Ashish" <ashish.kalra@amd.com>,
Sean Christopherson <seanjc@google.com>,
"linux-coco@lists.linux.dev" <linux-coco@lists.linux.dev>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH 1/2] x86/random: Retry on RDSEED failure
Date: Tue, 13 Feb 2024 18:13:41 -0500 [thread overview]
Message-ID: <20240213231341.GB394352@mit.edu> (raw)
In-Reply-To: <65cb1a1fe2dda_29b1294e@dwillia2-mobl3.amr.corp.intel.com.notmuch>
On Mon, Feb 12, 2024 at 11:28:31PM -0800, Dan Williams wrote:
> Sure there is, that is what, for example, PCI TDISP (TEE Device
> Interface Security Protocol) is about. Set aside the difficulty of doing
> the PCI TDISP flow early in boot, and validating the device certficate
> and measurements based on golden values without talking to a remote
> verifier etc..., but if such a device has been accepted and its driver
> calls hwrng_register() it should be added as an entropy source.
How real is TDISP? What hardware exists today and how much of this
support is ready to land in the kernel? Looking at the news articles,
it appears to me like bleeding edge technology, and what an unkind
person might call "vaporware"? Is that an unfair characterization?
There have plenty of things that have squirted out of standards
bodies, like for example, "objected base storage", which has turned
out to be a complete commercial failure and was never actually
deployed in any real numbers, other than sample hardare being provided
to academic researchers. How can we be sure that PCI TDISP won't end
up going down that route?
In any case, if we are going to go down this path, we will need to
have some kind of policy engine hwrng_register() reject
non-authenticated hardware if Confidential Compute is enabled (and
possibly in other cases).
- Ted
next prev parent reply other threads:[~2024-02-13 23:14 UTC|newest]
Thread overview: 99+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-01-30 8:30 [PATCH 1/2] x86/random: Retry on RDSEED failure Kirill A. Shutemov
2024-01-30 8:30 ` [PATCH 2/2] x86/random: Issue a warning if RDRAND or RDSEED fails Kirill A. Shutemov
2024-01-30 12:37 ` Jason A. Donenfeld
2024-01-30 13:45 ` Reshetova, Elena
2024-01-30 14:21 ` Jason A. Donenfeld
2024-01-30 14:55 ` Reshetova, Elena
2024-01-30 15:00 ` Jason A. Donenfeld
2024-01-30 17:31 ` Dave Hansen
2024-01-30 17:49 ` Jason A. Donenfeld
2024-01-30 17:58 ` Dave Hansen
2024-01-30 18:15 ` H. Peter Anvin
2024-01-30 18:23 ` Jason A. Donenfeld
2024-01-30 18:23 ` Jason A. Donenfeld
2024-01-30 18:37 ` Dave Hansen
2024-01-30 18:05 ` Daniel P. Berrangé
2024-01-30 18:24 ` Jason A. Donenfeld
2024-01-30 18:31 ` Jason A. Donenfeld
2024-01-30 18:40 ` H. Peter Anvin
2024-01-31 8:16 ` Reshetova, Elena
2024-01-31 11:59 ` Dr. Greg
2024-01-31 13:06 ` Jason A. Donenfeld
2024-01-31 18:02 ` Reshetova, Elena
2024-01-31 20:35 ` Dr. Greg
2024-02-01 4:47 ` Theodore Ts'o
2024-02-01 9:54 ` Dr. Greg
2024-02-01 11:08 ` Daniel P. Berrangé
2024-02-01 21:04 ` Dr. Greg
2024-02-02 7:56 ` Reshetova, Elena
2024-02-01 7:26 ` Reshetova, Elena
2024-02-01 10:52 ` Dr. Greg
2024-02-06 1:12 ` Dr. Greg
2024-02-06 8:04 ` Daniel P. Berrangé
2024-02-06 12:04 ` Dr. Greg
2024-02-06 13:00 ` Daniel P. Berrangé
2024-02-08 10:31 ` Dr. Greg
2024-02-06 13:50 ` Daniel P. Berrangé
2024-02-06 15:35 ` Borislav Petkov
2024-02-08 11:44 ` Dr. Greg
2024-02-09 17:31 ` Borislav Petkov
2024-02-09 19:49 ` Jason A. Donenfeld
2024-02-09 20:37 ` Dave Hansen
2024-02-09 21:45 ` Borislav Petkov
2024-02-06 18:49 ` H. Peter Anvin
2024-02-08 16:38 ` Dr. Greg
2024-01-30 15:50 ` Kuppuswamy Sathyanarayanan
2024-01-30 12:29 ` [PATCH 1/2] x86/random: Retry on RDSEED failure Jason A. Donenfeld
2024-01-30 12:51 ` Jason A. Donenfeld
2024-01-30 13:10 ` Reshetova, Elena
2024-01-30 14:06 ` Jason A. Donenfeld
2024-01-30 14:43 ` Daniel P. Berrangé
2024-01-30 15:12 ` Jason A. Donenfeld
2024-01-30 18:35 ` Jason A. Donenfeld
2024-01-30 19:06 ` Reshetova, Elena
2024-01-30 19:16 ` Jason A. Donenfeld
2024-01-31 7:56 ` Reshetova, Elena
2024-01-31 13:14 ` Jason A. Donenfeld
2024-01-31 14:07 ` Theodore Ts'o
2024-01-31 14:45 ` Jason A. Donenfeld
2024-01-31 14:52 ` Jason A. Donenfeld
2024-01-31 17:10 ` Theodore Ts'o
2024-01-31 17:37 ` Reshetova, Elena
2024-01-31 18:01 ` Jason A. Donenfeld
2024-02-01 4:57 ` Theodore Ts'o
2024-02-01 18:09 ` Jason A. Donenfeld
2024-02-01 18:46 ` Dave Hansen
2024-02-01 19:02 ` H. Peter Anvin
2024-02-02 7:25 ` Reshetova, Elena
2024-02-02 15:39 ` Theodore Ts'o
2024-02-03 10:12 ` Jason A. Donenfeld
2024-02-09 19:53 ` Jason A. Donenfeld
2024-02-12 8:25 ` Reshetova, Elena
2024-02-12 16:32 ` Theodore Ts'o
2024-02-13 7:28 ` Dan Williams
2024-02-13 23:13 ` Theodore Ts'o [this message]
2024-02-14 0:53 ` Dan Williams
2024-02-14 4:32 ` Theodore Ts'o
2024-02-14 6:48 ` Dan Williams
2024-02-14 6:54 ` Reshetova, Elena
2024-02-14 8:34 ` Nikolay Borisov
2024-02-14 9:34 ` Dr. Greg
2024-02-14 17:30 ` Jason A. Donenfeld
2024-02-14 15:18 ` Reshetova, Elena
2024-02-14 17:21 ` Jason A. Donenfeld
2024-02-14 17:59 ` Reshetova, Elena
2024-02-14 19:32 ` Jason A. Donenfeld
2024-02-15 7:07 ` Reshetova, Elena
2024-02-15 12:58 ` Jason A. Donenfeld
2024-02-14 19:46 ` Tom Lendacky
2024-02-14 20:04 ` Jason A. Donenfeld
2024-02-14 20:11 ` Theodore Ts'o
2024-02-15 13:01 ` Jason A. Donenfeld
2024-02-14 20:14 ` Dave Hansen
2024-02-02 15:47 ` James Bottomley
2024-02-02 16:05 ` Theodore Ts'o
2024-02-02 21:28 ` James Bottomley
2024-02-03 14:35 ` Theodore Ts'o
2024-02-06 19:12 ` H. Peter Anvin
2024-01-30 15:20 ` H. Peter Anvin
2024-01-30 15:44 ` Kuppuswamy Sathyanarayanan
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240213231341.GB394352@mit.edu \
--to=tytso@mit.edu \
--cc=Jason@zx2c4.com \
--cc=ashish.kalra@amd.com \
--cc=bp@alien8.de \
--cc=dan.j.williams@intel.com \
--cc=dave.hansen@linux.intel.com \
--cc=elena.reshetova@intel.com \
--cc=hpa@zytor.com \
--cc=jun.nakajima@intel.com \
--cc=kirill.shutemov@linux.intel.com \
--cc=linux-coco@lists.linux.dev \
--cc=linux-kernel@vger.kernel.org \
--cc=mingo@redhat.com \
--cc=sathyanarayanan.kuppuswamy@linux.intel.com \
--cc=seanjc@google.com \
--cc=tglx@linutronix.de \
--cc=thomas.lendacky@amd.com \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).