On Tue, May 1, 2018 at 7:02 PM, Theodore Y. Ts'o <ty...@mit.edu> wrote: > On Tue, May 01, 2018 at 05:35:56PM -0500, Justin Forbes wrote: >> >> I have not reproduced in GCE myself. We did get some confirmation >> that removing dracut-fips does make the problem less dire (but I >> wouldn't call a 4 minute boot a win, but booting in 4 minutes is >> better than not booting at all). Specifically systemd calls libgcrypt >> before it even opens the log with fips there, and this is before >> virtio-rng modules could even load. Right now though, we are looking >> at pretty much any possible options as the majority of people are >> calling for me to backout the patches completely from rawhide. > > FWIW, Debian Testing is using systemd 238, and from what I can tell > it's calling libgcrypt and it has the same (as near as I can tell) > totally pointless hmac nonsense, and it's not a problem that I can > see. Of course, Debian and Fedora may have a different set of > patches.... > Yes, Fedora libgcrypt is carrying a patch which makes it particularly painful for us, we have reached out to the libgcrypt maintainer to follow up on that end. But as I said before, even without that code path (no dracut-fips) we are seeing some instances of 4 minute boots. This is not really a workable user experience. And are you sure that every cloud platform and VM platform offers, makes it possible to config virtio-rng?
Justin
