[Cryptography] request for consideration: VM guest entropy: specific constructive suggestions
John Denker
jsd at av8n.com
Mon Feb 3 20:11:17 EST 2014
On 02/02/2014 11:22 PM, Bill Stewart wrote:
>
> I'm mainly worried about the "new virtual machine, cloned from a
> standard image" case, which needs to set up ssh keys, ssl keys, and
> seed /dev/random before it's ready to deal with the rest of the
> world in ways that would give it some more entropy to work with.

On 02/03/2014 05:23 PM, Theodore Ts'o wrote in part:
> ... it's actually better to tell programs to use
> /dev/[u]random, since that way you always get environmental noise
> mixed in.

Better? Better than what? I'm pretty sure that nobody
suggested avoiding the /dev/u?random interface. Instead,
I rather explicitly pointed out that emulating the rdrand
instruction was the path of least resistance for getting
entropy *into* /dev/random.

On the other side of the same coin, it is not "better",
it is not even good to tell people to obtain entropy
from /dev/u?random device in situations where there's
no reliable way of getting entropy *into* the device.

> since that way you always get environmental noise
> mixed in.

Always? This whole thread is predicated on the observation
-- the correct observation -- that a VM guest often doesn't
have any reliable sources of environmental noise ... at least
not of the kind that /dev/u?random tries to mix in.

Please look at the Subject: line. We're looking for specific,
constructive suggestions. Assuming that the /host/ has some
entropy available, do you propose to transfer this into the
guest system?

1) Is somebody going to insert code into drivers/char/random.c
to obtain entropy from the host somehow? If the virtual
rdrand instruction is not an acceptable way of transferring
entropy, please explain why the non-virtual native rdrand
instruction is acceptable.

2) Is somebody going to write an entropy-transfer daemon
to move entropy from /dev/hwrng to /dev/random, and then
make sure that all the distros incorporate this and enable
it by default?

3) Is somebody going to change the initscripts so that they
read /dev/hwrng and use that to help initialize /dev/random,
and make sure all the distros do this correctly?

4) Something else?

Please be specific.
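
The transfer step that options 2 and 3 above describe, as an added example that is not part of the original post and not code from any distro or from the kernel: it reads bytes from /dev/hwrng and credits them to the /dev/random pool with the Linux RNDADDENTROPY ioctl. The function names, the 64-byte read size and the 8-bits-per-byte credit are assumptions made for illustration.

```python
import fcntl
import os
import struct

# RNDADDENTROPY = _IOW('R', 0x03, int[2]) from <linux/random.h>.
# Assumption: the ioctl bit layout used on x86 and ARM (dir<<30 | size<<16).
RNDADDENTROPY = (1 << 30) | (8 << 16) | (ord("R") << 8) | 0x03


def pool_info(data: bytes, bits_per_byte: int = 8) -> bytes:
    """Serialise struct rand_pool_info: int entropy_count, int buf_size, buf[]."""
    if not data:
        raise ValueError("no data to add")
    if not 0 <= bits_per_byte <= 8:
        raise ValueError("credit must be between 0 and 8 bits per byte")
    return struct.pack("ii", len(data) * bits_per_byte, len(data)) + data


def read_exact(fd: int, n: int) -> bytes:
    """Read exactly n bytes; EOF from the source is an error, never padded."""
    out = b""
    while len(out) < n:
        chunk = os.read(fd, n - len(out))
        if not chunk:
            raise OSError("entropy source returned EOF")
        out += chunk
    return out


def transfer(src="/dev/hwrng", dst="/dev/random", nbytes=64, bits_per_byte=8):
    """Move nbytes from src into dst's pool and credit them. Returns bits credited."""
    src_fd = os.open(src, os.O_RDONLY)
    try:
        data = read_exact(src_fd, nbytes)
    finally:
        os.close(src_fd)
    dst_fd = os.open(dst, os.O_WRONLY)
    try:
        # A plain write() would mix the bytes in without crediting any entropy;
        # the ioctl credits it and requires CAP_SYS_ADMIN.
        fcntl.ioctl(dst_fd, RNDADDENTROPY, pool_info(data, bits_per_byte))
    finally:
        os.close(dst_fd)
    return len(data) * bits_per_byte


if __name__ == "__main__":
    print(transfer(), "bits credited to /dev/random")
```

Lowering `bits_per_byte` credits less entropy than the number of bytes mixed in, which is the conservative setting when the guest cannot vouch for the quality of what the host supplies.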