On Wed, May 2, 2018 at 5:25 PM, Theodore Y. Ts'o <ty...@mit.edu> wrote:
> On Wed, May 02, 2018 at 10:49:34AM -0700, Laura Abbott wrote:
>>
>> It is a Fedora patch we're carrying
>> https://src.fedoraproject.org/rpms/libgcrypt/blob/master/f/libgcrypt-1.6.2-fips-ctor.patch#_23
>> so yes, it is a Fedora specific use case.
>> From talking to the libgcrypt team, this is a FIPS mode requirement
>> to run power on self test at the library constructor and the self
>> test of libgcrypt ends up requiring a fully seeded RNG. Citation
>> is in section 9.10 of
>> https://csrc.nist.gov/CSRC/media/Projects/Cryptographic-Module-Validation-Program/documents/fips140-2/FIPS1402IG.pdf
>
> Forgive me if this is a stupid question, but does Fedora need FIPS
> compliance? Or is this something which is only required for RHEL?
>
> ("Here's to FIPS: the cause of, and solution to, all of Life's
> problems." :-)
>

One of the advantages of carrying such things in Fedora is we find these problems before RHEL does and hopefully there is a solution in place before they ever even see it.

From the rawhide end, I just brought in virtio-rng as inline vs module, this works around the issue for lots of users, but not all. GCE is still impacted, and a user came to complain about it already last night. And of course any other virt platform without virtio-rng, or some hardware. Most hardware installs don't have dracut-fips so they will boot, eventually.

Justin