qemu-devel
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Qemu-devel] [PATCH 0/6] add paravirtualization hwrng support

From: H. Peter Anvin
Subject: Re: [Qemu-devel] [PATCH 0/6] add paravirtualization hwrng support
Date: Mon, 29 Oct 2012 21:43:51 -0700
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:16.0) Gecko/20121016 Thunderbird/16.0.1 
On 10/29/2012 01:45 AM, Paolo Bonzini wrote:

Il 26/10/2012 22:29, H. Peter Anvin ha scritto:

This is surreal.  Output from /dev/hwrng turns into output for /dev/random... 
it us guaranteed worse; period, end of story.

Isn't that exactly what happens in bare-metal?  hwrng -> rngd -> random.  
Instead here
we'd have, host hwrng -> virtio-rng-pci -> guest hwrng -> guest rngd -> guest 
random.

The only difference is that you paravirtualize access to the host hwrng to a) 
distribute
entropy to multiple guests; b) support migration across hosts with different 
CPUs and
hardware.

First, hwrng is only one of the sources used by rngd.  It can also
(currently) use RDRAND or TPM; additional sources are likely to be added
in the future.

Second, the harvesting of environmental noise -- timings -- is not as
good in a VM as on plain hardware, so for the no-hwrng case it is better
for this to be done in the host than in the VM.


Neither of these make /dev/random with virtio-rng-pci worse than without
(as would be the case if you fed /dev/urandom).  And migration works.
This, and avoiding denial of service for the host's /dev/random, is all
I care about at this time.

There is always time to change defaults to something better.



Let me be more specific.
First of all, feeding /dev/urandom to the guest is dangerous -- you are feeding it PRNG contents but telling it that it is real entropy. This is a security hole.
Second of all, you're doing something pointless: you are still exhausting the entropy pool on the host at the same rate, and all you end up with is something that isn't what you want. You still have the same DoS on the host /dev/random that you're worried about.
Third, you're doing something inefficient: you're running a PRNG in the host which could be run more efficiently in guest space.
From an Intel perspective I guess I should be happy, as it functionally would mean that unless you have RDRAND in the host you're insecure, but I'd much rather see the Right Thing done. 

        -hpa

--
H. Peter Anvin, Intel Open Source Technology Center
I work for Intel.  I don't speak on their behalf.
reply via email to
[Prev in Thread] Current Thread [Next in Thread]