[Cryptography] cheap sources of entropy

James A. Donald Jamesd at echeque.com
Sun Feb 2 13:08:08 EST 2014


On 2014-02-02 23:35, Theodore Ts'o wrote:
> Most VM providers, not being Mafia fronts trying to launder money,
> prefer not to lose money and go out of business, which means that
> their machines are not idle, but in fact there are dozens, if not
> hundreds of VM's running on each physical host.  That means on a disk
> interrupt, the wakeup() function puts the process (such as the guest
> VM) on a linked list of processes that should be run the next time
> there is a free CPU and their turn is up.  This *can* happen due to
> all other guest OS's getting blocked on I/O, but if you have
> processes/VM's which are CPU bound, they will get to run until their
> scheduling quanta runs out, which is measured in units of 100HZ clock
> ticks.  Which is why you can see quantization effects.

OK then.  In the case that the real machine is CPU bound, and not IO 
bound or cache thrashing, you will not see turbulence randomness at 
the VM level.

However, when starting up a new program, you generally are IO bound, 
though by no means guaranteed to be IO bound.

>
> The bottom line is that when the guest OS gets the virtualized disk
> interrupt delivered to it is going to be based not on "disk
> turbulence" (the theoretical underpinning of which was a paper written
> in '94, and disk drive technologies have changed a wee bit since
> then), but based on when other VM's might be blocking, or when some
> other cpu-bound guest OS gives up its CPU on a clock tick boundary.
>
> Now, all of this might not be predictable to an outside observer who
> doesn't have full information about the internal state of the Host OS,
> and all of the guest OS's running on it.  But it's not based on
> chaotic air patterns, but rather something else.
>
> Is it good enough?  Maybe.  My preference, as others have suggested,
> is to mix in something purpose built, such as RDRAND, and if that has
> been backdoored somehow, either by the NSA or the MSS, to also mix in
> as much environmental noise as you can get.  Belt and suspenders....
>
>                                      - Ted
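Ted's argument above has two testable parts: that tick-quantized wakeups leave little entropy in the interrupt timestamps the guest sees, and that mixing several independent sources is the sane response. The following is an added illustration, not code from this thread or from the Linux random driver. It assumes the 100 HZ (10 ms) host tick named in the message, assumes the guest records a nanosecond timestamp per disk completion, and uses constructed deltas rather than measurements; `tick_quantized_fraction` is the check to run against real deltas on a VM you care about.

```python
import hashlib
import math
import random
from collections import Counter

# Assumption (from the message above): the host scheduler tick is 100 HZ, i.e. 10 ms.
TICK_NS = 10_000_000


def min_entropy_bits(samples):
    """Empirical min-entropy, -log2(p_max), of a list of discrete samples.

    This is the conservative figure an entropy pool should credit: it measures
    how hard the single most likely value is to guess, not the average case.
    """
    counts = Counter(samples)
    p_max = max(counts.values()) / len(samples)
    return -math.log2(p_max)


def tick_quantized_fraction(deltas_ns, tick_ns=TICK_NS):
    """Fraction of inter-arrival deltas that land exactly on a tick boundary.

    Close to 1.0 means the guest is only being woken at host scheduler ticks,
    so the timestamps carry the scheduler's clock, not the disk's jitter.
    """
    return sum(1 for d in deltas_ns if d % tick_ns == 0) / len(deltas_ns)


def low_bits(deltas_ns, nbits=8):
    """Low bits of each delta: the part of a timestamp an entropy pool
    typically treats as the unpredictable part."""
    mask = (1 << nbits) - 1
    return [d & mask for d in deltas_ns]


def constructed_deltas(n, quantized, seed=1):
    """CONSTRUCTED inter-arrival deltas in ns, not measurements.

    quantized=False models a host that wakes the guest as soon as the disk
    interrupt arrives: each delta is 1-3 ticks plus fine jitter within a tick.
    quantized=True models the CPU-bound host described above: the guest only
    runs when another guest's quantum expires, so deltas are whole ticks.
    """
    rng = random.Random(seed)
    out = []
    for _ in range(n):
        ticks = rng.randrange(1, 4) * TICK_NS
        jitter = 0 if quantized else rng.randrange(TICK_NS)
        out.append(ticks + jitter)
    return out


def mix_sources(*sources):
    """Belt and suspenders: hash several independent sources together.

    Each source is length-prefixed so the concatenation is unambiguous. If any
    one source is unpredictable to the attacker, the digest is too, even when
    another source (say, a hardware RNG assumed to be backdoored) is known.
    """
    h = hashlib.sha256()
    for s in sources:
        h.update(len(s).to_bytes(4, "big"))
        h.update(s)
    return h.digest()


def compare_timing_entropy(n=4096):
    """Min-entropy of the low 8 timestamp bits, with and without quantization."""
    free = constructed_deltas(n, quantized=False)
    quantized = constructed_deltas(n, quantized=True)
    return {
        "free_running_bits": min_entropy_bits(low_bits(free)),
        "free_running_tick_fraction": tick_quantized_fraction(free),
        "quantized_bits": min_entropy_bits(low_bits(quantized)),
        "quantized_tick_fraction": tick_quantized_fraction(quantized),
    }


if __name__ == "__main__":
    for name, value in compare_timing_entropy().items():
        print(f"{name}: {value:.3f}")
    # A constant stands in for a hardware RNG the attacker is assumed to know.
    known_rdrand = bytes(32)
    noise = bytes(low_bits(constructed_deltas(64, quantized=False)))
    print(mix_sources(known_rdrand, noise).hex())
```

With whole-tick deltas the low byte of every timestamp takes only two values, so the pool can credit well under one bit per interrupt; with sub-tick jitter the same byte is close to uniform. That gap is the quantization effect in the message, and it is why timing alone should not be trusted without the check.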