[Cryptography] request for consideration: VM guest entropy: specific constructive suggestions

John Denker jsd at av8n.com
Mon Feb 3 15:55:57 EST 2014 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 02/02/2014 11:22 PM, Bill Stewart wrote:
> 
> I'm mainly worried about the "new virtual machine, cloned from a
> standard image" case, which needs to set up ssh keys, ssl keys, and
> seed /dev/random before it's ready to deal with the rest of the
> world in ways that would give it some more entropy to work with.

That is indeed an interesting thing to "worry" about.

The question arises, will the "worrying" be limited to feckless
hand-wringing, or are we "worried" enough to actually do something?

Specifically:

  Qemu already knows how to provide the guest with a virtual /dev/hwrng
   device ... it's just not the default.  References:
      http://wiki.qemu.org/Features-Done/VirtIORNG
      https://www.kernel.org/doc/Documentation/hw_random.txt

  Suggestion #1:  Make it the default, for security reasons.

==============

  There is code in the linux kernel to check for the availability of the
   RDRAND instruction
     http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/tree/arch/x86/include/asm/archrandom.h
   and some versions of /dev/random seem to know about this:
     http://git.kernel.org/cgit/linux/kernel/git/tytso/random.git/tree/drivers/char/random.c#n940
   However, AFAICT there is no place in the kernel that makes use of the
   /dev/hwrng device, even if it is available.

   Suggestion #2:  On hardware where a satisfactory RDRAND instruction is 
    not native, one could teach qemu to trap and emulate this instruction.
    This looks like far and away the path of least resistance for introducing 
    effective randomness into guest systems.

   Tangential remark:  There are some hard feelings about the native RDRAND 
    instruction, due to lack of transparency as to its implementation.  One 
    could argue that the emulated version might actually be /better/ in terms
    of trust and transparency.

===========================================================

So, here's the action item:

Do we have consensus on this list that the foregoing suggestions are 
reasonable?  They obviously don't solve all the world's problems, but
can they be considered cost-effective steps in the right direction?

Can anybody think of any improvements that would reduce the barrier to
adoption?

  Actually, I can think of about a dozen improvements, but in the spirit
  of not making the perfect the enemy of the good, I hesitate to mention
  them.  It would be nice to get /something/ reasonable deployed, and
  then make incremental improvements.

The first step is to get consensus within the crypto/security community.
Then we can bring the qemu developers into the discussion.

Comments?  Questions?  Suggestions?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIVAwUBUvACXPO9SFghczXtAQJgvhAArAUxZ9yXb7ee5OClHDTjS1uH2LbrRPiF
deSywXenfpP+eYH4Qpitgkd6IaHoMvkH7fNoTGqcNB+t4oNGy6/BqOoGEuhI+vo5
Ar7lpwIykjVrRgaZv8Rfrbo+or0kbi0T8AFoqQKEOGETa5WzRfZq5kaPogj7pYP/
v90UgKTFLrHcSu5tP1pcGXH4sonSA08l9gJgQHlJhI0kEAKTCt3BByeMYR4J3W7m
Flw9nJNy2rOWbXaqHJ1Ai3vlYAc4bhTxNVWtRITaV9iBNaUzu0ffDuSv8ul3IcTJ
v7WXmmsUBhu5PcMMgvPzwyxIafeJd8FZZlj7tweI2Pj/MIiZOI88+VUc17dzQb+k
Y4wJJzVDx0PlQH7ZmEmd9c4vseSuYQ6u/XUbHYNhU9F+1sdQWT2KAhDGIY5NAwO7
at7zxKEFZ1F9OAMbvqe2fMJfRjWqejHm3ahGikeniH9j+ibr6//5iyBZ7s0jCfi6
pnxoubkch/Jf8dAaFITlgV4xjkyKjCkS71a1Tn9An90Wm3PC+IZbKdcj2tf7hC2o
OV1S70YnjxgZqHWapH2tKAgOUOu1rMM1+El3wPA3bkaSMOi3LYyNO8FfsBDKr1zI
mggruuqQuIV14XdoQ4Jw19esHt8nipFyRgB9YkEdNGT9LeDUltHqO+uRBaGmLWyL
S7VFL/jo7jQ=
=RVtr
-----END PGP SIGNATURE-----

More information about the cryptography mailing list