On Wed, May 02, 2018 at 07:09:11AM -0500, Justin Forbes wrote:
Yes, Fedora libgcrypt is carrying a patch which makes it particularly
painful for us, we have reached out to the libgcrypt maintainer to
follow up on that end. But as I said before, even without that code
path (no dracut-fips) we are seeing some instances of 4 minute boots.
This is not really a workable user experience. And are you sure that
every cloud platform and VM platform offers, makes it possible to
config virtio-rng?
Unfortunately, the answer is no. Google Compute Engine, alas, does
not currently support virtio-rng. With my Google hat on, I can't
comment on future product features. With my upstream developer hat
on, I'll give you three guesses what I have been advocating and
pushing for internally, and the first two don't count. :-)
That being said, I just booted a Debian 9 (Stable, aka Stretch)
standard kernel, and then installed 4.17-rc3 (which has the
CVE-2018-1108 patches). The crng_init=2 message doesn't appear
immediately, and it does appear quite a bit later comapred to
the standard 4.9.0-6-amd64 Debian 9 kernel. However, the lack of a
fully initialized random pool doesn't prevent the standard Debian 9
image from booting:
May 2 15:33:42 localhost kernel: [ 0.000000] Linux version 4.17.0-rc3-xfstests (tytso@cwcc) (gcc version 7.3.0 (Debian 7.3.0-16)) #169 SMP Wed May 2 11:28:17 EDT 2018
May 2 15:33:42 localhost kernel: [ 1.456883] random: fast init done
May 2 15:33:46 rng-testing systemd[1]: Startup finished in 3.202s (kernel) + 5.963s (userspace) = 9.166s.
May 2 15:33:46 rng-testing google-accounts: INFO Starting Google Accounts daemon.
May 2 15:44:39 rng-testing kernel: [ 661.436664] random: crng init done
So it really does appear to be something going on with Fedora's
userspace; can you help try to track down what it is?
Thanks,
- Ted