On Mon, Aug 25, 2025 at 11:30 AM Masahiko Sawada <sawada.mshk@gmail.com> wrote:
> > Gathering a couple of considerations from upthread:
> > - FIPS behavior
>
> Do you mean random numbers generated by getrandom() complaints FIPS?
> Based on my research, there doesn't appear to be any explicit
> statement indicating that Linux's CSPRNG module complies with FIPS
> requirements. However, there is a proposal to implement LRNG[1], which
> would be FIPS-compliant.
Right. I guess what I'm asking with that particular bullet point is:
If, tomorrow, I threw caution to the wind and proposed that we use
getrandom() on Linux over OpenSSL by default, would any FIPS users
complain? Or are they all using distributions that have already
applied FIPS patches to the getrandom() part of the kernel anyway?
(But I intended for that to be a possible future point of discussion,
not a blocker for your smaller proposal.)
Thanks,
--Jacob
