[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Qemu-devel] [PATCH v4 1/3] VirtIO-RNG: Update default entropy sourc
From: |
Markus Armbruster |
Subject: |
Re: [Qemu-devel] [PATCH v4 1/3] VirtIO-RNG: Update default entropy source to `/dev/urandom` |
Date: |
Tue, 14 May 2019 16:43:08 +0200 |
User-agent: |
Gnus/5.13 (Gnus v5.13) Emacs/26.1 (gnu/linux) |
Laurent Vivier <address@hidden> writes:
> From: Kashyap Chamarthy <address@hidden>
>
> When QEMU exposes a VirtIO-RNG device to the guest, that device needs a
> source of entropy, and that source needs to be "non-blocking", like
> `/dev/urandom`. However, currently QEMU defaults to the problematic
> `/dev/random`, which on linux is "blocking" (as in, it waits until
> sufficient entropy is available).
>
> Why prefer `/dev/urandom` over `/dev/random`?
> ---------------------------------------------
>
> The man pages of urandom(4) and random(4) state:
>
> "The /dev/random device is a legacy interface which dates back to a
> time where the cryptographic primitives used in the implementation
> of /dev/urandom were not widely trusted. It will return random
> bytes only within the estimated number of bits of fresh noise in the
> entropy pool, blocking if necessary. /dev/random is suitable for
> applications that need high quality randomness, and can afford
> indeterminate delays."
>
> Further, the "Usage" section of the said man pages state:
>
> "The /dev/random interface is considered a legacy interface, and
> /dev/urandom is preferred and sufficient in all use cases, with the
> exception of applications which require randomness during early boot
> time; for these applications, getrandom(2) must be used instead,
> because it will block until the entropy pool is initialized.
>
> "If a seed file is saved across reboots as recommended below (all
> major Linux distributions have done this since 2000 at least), the
> output is cryptographically secure against attackers without local
> root access as soon as it is reloaded in the boot sequence, and
> perfectly adequate for network encryption session keys. Since reads
> from /dev/random may block, users will usually want to open it in
> nonblocking mode (or perform a read with timeout), and provide some
> sort of user notification if the desired entropy is not immediately
> available."
>
> And refer to random(7) for a comparison of `/dev/random` and
> `/dev/urandom`.
>
> What about other OSes?
> ----------------------
>
> `/dev/urandom` exists and works on OS-X, FreeBSD, DragonFlyBSD, NetBSD
> and OpenBSD, which cover all the non-Linux platforms we explicitly
> support, aside from Windows.
>
> On Windows `/dev/random` doesn't work either so we don't regress.
> This is actually another argument in favour of using the newly
> proposed 'rng-builtin' backend by default, as that will work on
> Windows.
>
> - - -
>
> Given the above, change the entropy source for VirtIO-RNG device to
> `/dev/urandom`.
>
> Related discussion in these[1][2] past threads.
>
> [1] https://lists.nongnu.org/archive/html/qemu-devel/2018-06/msg08335.html
> -- "RNG: Any reason QEMU doesn't default to `/dev/urandom`?"
> [2] https://lists.nongnu.org/archive/html/qemu-devel/2018-09/msg02724.html
> -- "[RFC] Virtio RNG: Consider changing the default entropy source to
> /dev/urandom"
>
> Signed-off-by: Kashyap Chamarthy <address@hidden>
> Reviewed-by: Daniel P. Berrangé <address@hidden>
> Reviewed-by: Stefan Hajnoczi <address@hidden>
> Signed-off-by: Laurent Vivier <address@hidden>
Reviewed-by: Markus Armbruster <address@hidden>