# Kernel 4.19 CONFIG_RANDOM_TRUST_CPU: Y / N?

## Marlo

Do you have a recommendation for the new CONFIG_RANDOM_TRUST_CPU? 

I have an AMD system. What should I set? Y or N?

Or should I just ignore it and leave it as "is not set"?

----------

## Hu

The option defaults to n.  Prior to this commit adding the option, it was effectively always n, with no user choice possible.  If you want to retain the same semantics you have used to date, answer n.  If you want faster RNG setup and are willing to take the risk that your CPU is hostile, answer y.

----------

## PrSo

I have a couple of setups with Intel CPUs on which CONFIG_RANDOM_TRUST_CPU is set to "N", since there are serious concerns that the RdRand instruction in Intel processors was compromised by the NSA and GCHQ (link).

On my netbook with an AMD APU I have set CONFIG_RANDOM_TRUST_CPU=Y, since I have not seen anything that confirms those concerns for AMD hardware RDRAND.

Hypothetically it could be vulnerable as well, though.

As Hu wrote, it depends on whether you put your trust in the CPU manufacturer.

----------

## Marlo

Thanks, Hu. That seems logical to me.

And as PrSo said "... I have not seen anything that confirms these concerns with AMD ..."

(And if this were to happen for the first time, certainly not on my little insignificant computer.)

I do not want to be an overprotective man who sees a robber behind every bush. Although it is of course necessary to protect yourself.

----------

## toralf

*Hu wrote:*

> If you want faster RNG setup ...

For embedded or IoT this might be worth it, but for all others the safe choice is n.

----------

## freke

If I enabled this - should I be able to spot it in dmesg?

I don't see any differences in dmesg-output on a 4.18-box vs. 4.19-box.

(PC Engines APU2d4)

----------

## Marlo

*freke wrote:*

> If I enabled this - should I be able to spot it in dmesg?
> 
> I don't see any differences in dmesg-output on a 4.18-box vs. 4.19-box.
> 
> (PC Engines APU2d4)

```
# cat dmesg-4.18.16-gentoo |grep random
[    0.000000] random: get_random_bytes called from start_kernel+0xba/0x77c with crng_init=0
[    1.003244] random: fast init done
[    3.603845] random: crng init done
#
# cat dmesg-4.19.0-gentoo |grep random
[    0.000000] random: get_random_bytes called from start_kernel+0xba/0x753 with crng_init=0
[    0.007008] random: crng done (trusting CPU's manufacturer)
```

It probably depends on the individual debug settings.

----------

## freke

Thanks

```
lamp ~ # dmesg-4.19.0 | grep -i random
[    0.501723] random: get_random_bytes called from start_kernel+0xba/0x591 with crng_init=0
[    3.008766] random: fast init done
[    6.058254] random: udevd: uninitialized urandom read (16 bytes read)
[    6.058882] random: udevd: uninitialized urandom read (16 bytes read)
[    6.058918] random: udevd: uninitialized urandom read (16 bytes read)
[    9.815736] random: crng init done
[    9.815745] random: 7 urandom warning(s) missed due to ratelimiting
```

```
mail ~ # dmesg-4.17.11 | grep -i random
[    0.000000] random: get_random_bytes called from start_kernel+0xba/0x58c with crng_init=0
[    2.211063] random: fast init done
[    4.960974] random: udevd: uninitialized urandom read (16 bytes read)
[    4.961449] random: udevd: uninitialized urandom read (16 bytes read)
[    4.961484] random: udevd: uninitialized urandom read (16 bytes read)
[    9.482099] random: crng init done
[    9.482108] random: 7 urandom warning(s) missed due to ratelimiting
```

So it seems my

```
mail ~ # cat /proc/cpuinfo
processor       : 0
vendor_id       : AuthenticAMD
cpu family      : 22
model           : 48
model name      : AMD GX-412TC SOC
stepping        : 1
microcode       : 0x7030105
cpu MHz         : 598.575
cache size      : 2048 KB
```

isn't supported....

----------

## PrSo

I also have in dmesg output:

```
$ dmesg | grep rng
[    0.241520] random: get_random_bytes called from start_kernel+0x8a/0x4a0 with crng_init=0
[    0.441691] random: crng done (trusting CPU's manufacturer)
```

but lscpu, in the CPU flags, says that "rdrand" is supported.

----------
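An added example, not code from any of the posts in this thread: it turns the dmesg reading that Marlo, freke and PrSo do by hand above into a small POSIX sh script that classifies a boot log by how the kernel CRNG was seeded, reports when it became usable, and counts consumers that read urandom before that. It assumes the 4.19-era message wording quoted in this thread; the sample logs are copied from the posts above.

```shell
#!/bin/sh
# Added example, not code from the thread. Reads a dmesg log on stdin and
# classifies how the kernel CRNG was seeded, using the 4.19-era message
# wording quoted in this thread (other kernel versions may phrase it differently):
#   trusted-cpu  : "crng done (trusting CPU's manufacturer)" -> option =y and the
#                  CPU's RDRAND/RDSEED output was used, so the CRNG was ready at boot
#   pool-entropy : "crng init done" -> seeded from the input pool (option =n, or
#                  =y on a CPU without a usable hardware RNG)
#   not-seeded   : neither line present
crng_seed_source() {
    log=$(cat)
    if printf '%s\n' "$log" | grep -q "trusting CPU's manufacturer"; then
        echo trusted-cpu
    elif printf '%s\n' "$log" | grep -q "random: crng init done"; then
        echo pool-entropy
    else
        echo not-seeded
    fi
}

# Seconds after boot at which the CRNG became usable (empty if it never did).
crng_ready_seconds() {
    grep -E "random: crng (init )?done" | head -n 1 |
        sed -n 's/^\[ *\([0-9.]*\)\].*/\1/p'
}

# Consumers that read urandom before the CRNG was seeded: the warnings printed
# plus the ones the kernel's rate limiting folded into the summary line.
early_urandom_reads() {
    log=$(cat)
    shown=$(printf '%s\n' "$log" | grep -c "uninitialized urandom read" || true)
    missed=$(printf '%s\n' "$log" | sed -n 's/.*random: \([0-9]*\) urandom warning(s) missed.*/\1/p')
    echo $(( shown + ${missed:-0} ))
}

# Sample logs copied from the posts above (Marlo's 4.19 box, freke's APU2).
TRUSTED_LOG="[    0.000000] random: get_random_bytes called from start_kernel+0xba/0x753 with crng_init=0
[    0.007008] random: crng done (trusting CPU's manufacturer)"
POOL_LOG="[    0.501723] random: get_random_bytes called from start_kernel+0xba/0x591 with crng_init=0
[    3.008766] random: fast init done
[    6.058254] random: udevd: uninitialized urandom read (16 bytes read)
[    6.058882] random: udevd: uninitialized urandom read (16 bytes read)
[    6.058918] random: udevd: uninitialized urandom read (16 bytes read)
[    9.815736] random: crng init done
[    9.815745] random: 7 urandom warning(s) missed due to ratelimiting"

printf '%s\n' "$TRUSTED_LOG" | crng_seed_source   # trusted-cpu
printf '%s\n' "$POOL_LOG" | crng_seed_source      # pool-entropy
printf '%s\n' "$POOL_LOG" | early_urandom_reads   # 10
```

On a live box run `dmesg | crng_seed_source`; whether the CPU offers the instruction at all is the separate check PrSo mentions, `grep -w rdrand /proc/cpuinfo`, and the option itself can be read from `/boot/config-$(uname -r)` or, with CONFIG_IKCONFIG_PROC, from `zcat /proc/config.gz`.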

## Marlo

As this page says, your GX-412TC SOC has:

AMD-V / AMD virtualization technology

EPP / Advanced Antivirus

Platform security processor

You can also ask the manufacturer:  https://community.amd.com/community/support-forums/processors

I am not a specialist, but I believe that this "X-Random Warning (s)" has another reason. Maybe something else is missing in the .config.

----------

