• Jason A. Donenfeld's avatar
    random: remove CONFIG_ARCH_RANDOM · 9592eef7
    Jason A. Donenfeld authored
    When RDRAND was introduced, there was much discussion on whether it
    should be trusted and how the kernel should handle that. Initially, two
    mechanisms cropped up, CONFIG_ARCH_RANDOM, a compile time switch, and
    "nordrand", a boot-time switch.
    
    Later the thinking evolved. With a properly designed RNG, using RDRAND
    values alone won't harm anything, even if the outputs are malicious.
    Rather, the issue is whether those values are being *trusted* to be good
    or not. And so a new set of options were introduced as the real
    ones that people use -- CONFIG_RANDOM_TRUST_CPU and "random.trust_cpu".
    With these options, RDRAND is used, but it's not always credited. So in
    the worst case, it does nothing, and in the best case, maybe it helps.
    
    Along the way, CONFIG_ARCH_RANDOM's meaning got sort of pulled into the
    center and became something certain platforms force-select.
    
    The old options don't really help with much, and it's a bit odd to have
    special handling for these instructions when the kernel can deal fine
    with the existence or untrusted existence or broken existence or
    non-existence of that CPU capability.
    
    Simplify the situation by removing CONFIG_ARCH_RANDOM and using the
    ordinary asm-generic fallback pattern instead, keeping the two options
    that are actually used. For now it leaves "nordrand" for now, as the
    removal of that will take a different route.
    Acked-by: default avatarMichael Ellerman <mpe@ellerman.id.au>
    Acked-by: default avatarCatalin Marinas <catalin.marinas@arm.com>
    Acked-by: default avatarBorislav Petkov <bp@suse.de>
    Acked-by: default avatarHeiko Carstens <hca@linux.ibm.com>
    Acked-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: default avatarJason A. Donenfeld <Jason@zx2c4.com>
    9592eef7
archrandom.h 229 Bytes