[Cryptography] cheap sources of entropy
dj at deadhat.com
Sat Feb 1 18:40:25 EST 2014
On 2/1/2014 3:07 PM, Theodore Ts'o wrote:
> On Sun, Feb 02, 2014 at 07:58:58AM +1000, James A. Donald wrote:
>> Underneath all that are real material disk drives, which have
>> turbulence. The turbulence causes random and entirely unpredictable
>> timing variations, which unpredictability and variation propagate
>> all the way to the VM
> *Maybe*. There could be enough quantization errors such that you're
> not really measuring this. Consider what might happen if the VMs are
> being scheduled by the host OS with a scheduling quantum measured in
> 10's of milliseconds (servers generally get configured with a clock
> tick of 100HZ), and suppose the variability caused by air turbulence
> is measured in hundreds of microseconds. By the time the host OS has
> has done the I/O on behalf of the VM, and then scheduled the VM to
> deliver the virtual disk's interrupt, in this case you almost
> certainly won't be measuring variations which can be attributable to
> the noise on the disk.
This is one of the reasons we made RdRand an instruction that will
inject entropy into the state of a VM when it is executed, providing the
hypervisor doesn't trap it.
A VM quantizing interrupt timing on a machine with an SSD, no network
traffic (yet - it's early boot) and no keyboard or mouse leaves the VM
potentially without any entropy sources, but the poor OS may not even
know it since it is assuming the interrupts and disk timing are entropic.
It is incumbent on a provider of a hypervisor to explain and show how
entropy gets into the VM.
More information about the cryptography