[Cryptography] request for consideration: VM guest entropy: specific constructive suggestions

John Denker jsd at av8n.com
Mon Feb 3 20:11:17 EST 2014

On 02/02/2014 11:22 PM, Bill Stewart wrote:
> I'm mainly worried about the "new virtual machine, cloned from a
> standard image" case, which needs to set up ssh keys, ssl keys, and
> seed /dev/random before it's ready to deal with the rest of the
> world in ways that would give it some more entropy to work with.

On 02/03/2014 05:23 PM, Theodore Ts'o wrote in part:

> ... it's actually better to tell programs to use
> /dev/[u]random, since that way you always get environmental noise
> mixed in.  

Better?  Better than what?  I'm pretty sure that nobody
suggested avoiding the /dev/u?random interface.  Instead, 
I rather explicitly pointed out that emulating the rdrand
instruction was the path of least resistance for getting
entropy *into* /dev/random.

  On the other side of the same coin, it is is not "better",
  it is not even good to tell people to obtain entropy 
  from /dev/u?random device in situations where there's
  no reliable way of getting entropy *into* the device.

> since that way you always get environmental noise
> mixed in.  

Always?  This whole thread is predicated on the observation
-- the correct observation -- that a VM guest often doesn't 
have any reliable sources of environmental noise ... at least 
not of the kind that /dev/u?random tries to mix in.

Please look at the Subject: line.  We're looking for specific,
constructive suggestions.  Assuming that the /host/ has some
entropy available, do you propose to transfer this into the 
guest system?

 1) Is somebody going to insert code into drivers/char/random.c
  to obtain entropy from the host somehow?  If the virtual
  rdrand instruction is not an acceptable way of transferring 
  entropy, please explain why the non-virtual native rdrand
  instruction is acceptable.

 2) Is somebody going to write an entropy-transfer daemon
  to move entropy from /dev/hwrng to /dev/random, and then
  make sure that all the distros incorporate this and enable
  it by default?

 3) Is somebody going to change the initscripts so that they
  read /dev/hwrng and use that to help initialize /dev/random,
  and make sure all the distros do this correctly?

 4) Something else?

Please be specific.

More information about the cryptography mailing list