[Cryptography] request for consideration: VM guest entropy: specific constructive suggestions
Yaron Sheffer
yaronf.ietf at gmail.com
Mon Feb 3 22:22:35 EST 2014
To inject a bit of pessimism into the discussion:

Amazon Web Services is currently the largest public cloud. At the moment
they don't provide a way for instances (guests) to read randomness from
the host, despite the fact that AWS is based on Xen, and Xen does have
such support.

I also checked one of my instances on Amazon (cat /proc/cpuinfo), and it
does not support RdRand. Of course they could be virtualizing the CPUID
command, too.

Our production instances use a proprietary way to seed /dev/random on
startup. Basically they "call home" to get some bits. A more generic
alternative could use DHCP:
http://tools.ietf.org/html/draft-sheffer-dhc-initial-random-00.

Thanks,
Yaron
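Added example, not part of the original message and not the proprietary mechanism it mentions: a Python sketch of the two guest-side steps the message touches on, checking whether the guest sees RdRand in /proc/cpuinfo and feeding externally obtained bits to the Linux kernel pool with the RNDADDENTROPY ioctl. The function names and `SEED_PATH` are hypothetical, the sample cpuinfo text is constructed, and the ioctl number is the x86/ARM encoding.

```python
import fcntl
import os
import struct

# _IOW('R', 0x03, int[2]) from <linux/random.h>; encoding as on x86 and ARM.
RNDADDENTROPY = 0x40085203
SEED_PATH = "/run/initial-seed"  # hypothetical: where a boot-time fetch left the bits

# Constructed sample, trimmed to the one field that matters here.
SAMPLE_CPUINFO = "processor\t: 0\nflags\t\t: fpu vme sse2 hypervisor aes avx\n"


def cpu_has_rdrand(cpuinfo_text):
    """True if a 'flags' line lists rdrand (the guest's view, possibly masked)."""
    for line in cpuinfo_text.splitlines():
        key, _, value = line.partition(":")
        if key.strip() == "flags" and "rdrand" in value.split():
            return True
    return False


def build_rand_pool_info(seed, credit_bits):
    """Pack struct rand_pool_info {int entropy_count; int buf_size; __u32 buf[];}."""
    if not 0 <= credit_bits <= 8 * len(seed):
        raise ValueError("cannot credit more bits than the seed contains")
    padded = seed + b"\x00" * (-len(seed) % 4)  # buf is an array of 32-bit words
    return struct.pack("ii", credit_bits, len(padded)) + padded


def seed_kernel_pool(seed, credit_bits, device="/dev/random"):
    """Mix seed into the pool and credit entropy; requires CAP_SYS_ADMIN.

    A plain write() to the device mixes the bytes in but credits nothing.
    """
    fd = os.open(device, os.O_WRONLY)
    try:
        fcntl.ioctl(fd, RNDADDENTROPY, build_rand_pool_info(seed, credit_bits))
    finally:
        os.close(fd)


if __name__ == "__main__":
    with open("/proc/cpuinfo") as f:
        print("rdrand visible to guest:", cpu_has_rdrand(f.read()))
    if os.geteuid() == 0 and os.path.exists(SEED_PATH):
        with open(SEED_PATH, "rb") as f:
            seed = f.read(64)
        seed_kernel_pool(seed, 8 * len(seed))
        os.remove(SEED_PATH)  # a seed must never be reused across boots or clones
```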