<feed xmlns='http://www.w3.org/2005/Atom'>
<title>src/sys/modules/rdseed_rng, branch main</title>
<subtitle>FreeBSD source tree</subtitle>
<id>https://cgit-dev.freebsd.org/src/atom?h=main</id>
<link rel='self' href='https://cgit-dev.freebsd.org/src/atom?h=main'/>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/'/>
<updated>2025-10-22T06:59:59Z</updated>
<entry>
<title>random: add RDSEED as a provably unique entropy source</title>
<updated>2025-10-22T06:59:59Z</updated>
<author>
<name>David E. O'Brien</name>
<email>obrien@FreeBSD.org</email>
</author>
<published>2025-10-17T03:20:23Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=3a12982962ce330c37c154bb2eb8ae0539fc6f48'/>
<id>urn:sha1:3a12982962ce330c37c154bb2eb8ae0539fc6f48</id>
<content type='text'>
NIST SP800-90B allows for only a single entropy source to be claimed
in a FIPS-140-3 certificate.  In addition, only hardware sources that
have a NIST Entropy Source Validation (ESV) certificate, backed by
a SP800-90B Entropy Assessment Report, are usable.  Intel has obtained
ESV certificates for several of their processors, so RDSEED is a
FIPS-140-3 suitable entropy source.

However, even though RDRAND is seeded by RDSEED internally, RDRAND
would need an RBG certificate and CAVP testing run on the DRBG in order
to use it for FIPS-140-3 (SP800-90B) purposes.  So we need to know
down in the CSPRNG-subsystem which source the entropy came from.

In light of the potential issues surrounding AMD Zen 5 CPU's RDSEED
implementation[*], allow RDSEED to be disabled in loader.conf.
[*] https://www.phoronix.com/news/AMD-EPYC-Turin-RDSEED-Bug

Reviewed by:	cem
MFC after:	3 days
Sponsored by:	Juniper Networks
Differential Revision:	https://reviews.freebsd.org/D53150
</content>
</entry>
</feed>
