gcrypt by default uses a userspace RNG, which cannot know when it is time to discard/invalidate its buffer (suspend, resume, VM forks, other corner cases) as a "when to discard" event is unavailable to userspace.
Set GCRYCTL_SET_PREFERRED_RNG_TYPE to GCRY_RNG_TYPE_SYSTEM which must be done before the first call to gcry_check_version() Signed-off-by: Cristian Rodríguez <[email protected]> --- crypto/init.c | 1 + 1 file changed, 1 insertion(+) diff --git a/crypto/init.c b/crypto/init.c index fb7f1bff10..0c3fe6a841 100644 --- a/crypto/init.c +++ b/crypto/init.c @@ -60,6 +60,7 @@ int qcrypto_init(Error **errp) #endif #ifdef CONFIG_GCRYPT + gcry_control(GCRYCTL_SET_PREFERRED_RNG_TYPE, GCRY_RNG_TYPE_SYSTEM); if (!gcry_check_version(NULL)) { error_setg(errp, "Unable to initialize gcrypt"); return -1; -- 2.43.0
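Review bot: the added `gcry_control(GCRYCTL_SET_PREFERRED_RNG_TYPE, GCRY_RNG_TYPE_SYSTEM);` line in qcrypto_init() discards its return value and has no comment recording that it must stay above `gcry_check_version(NULL)`. The ordering requirement is stated only in the commit message, so a later refactor of the CONFIG_GCRYPT block could move the call below the version check without any visible failure. Please add a one-line comment above the call saying it has to precede the first gcry_check_version(), and either check the gcry_error_t result and report it through errp like the existing "Unable to initialize gcrypt" path, or state in the comment why ignoring it is acceptable. Since libgcrypt documents this setting as a preference, it would also be worth confirming after initialization (GCRYCTL_GET_CURRENT_RNG_TYPE) that the system RNG was actually selected.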
