[Openswan dev] Support for hardware random number generators

[Paul Wouters]

On Thu, 20 Nov 2008, Vrabete, Brad wrote:

> You're right. But the situation changes if the HW RNG was built to be FIPS
> compliant. Then (and only then) FIPS check can be disabled to save CPU
> clocks.

Then perhaps the kernel should provide a way of telling us that information,
and we could dynamically decide on doing our own fips checks.

The alternative would be to do fips checks and after a certain time,
decide everything was good and to drop the checks. That would at
least catch the really bad streams of zeros we've seen, though not the
more subtly broken things, or things that somehow actually physically
break at some point.

Paul