[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: privileged entropy sources in QEMU/KVM guests
From: |
Paolo Bonzini |
Subject: |
Re: privileged entropy sources in QEMU/KVM guests |
Date: |
Thu, 7 Nov 2019 12:37:11 +0100 |
User-agent: |
Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.8.0 |
On 07/11/19 11:25, Ard Biesheuvel wrote:
>> This looks problematic on QEMU. Entropy is a valuable resource, and
>> whatever resource SMM drivers depend on, should not be possible for e.g.
>> a 3rd party UEFI driver (or even for the runtime OS) to exhaust.
>> Therefore, it's not *only* the case that SMM drivers must not consume
>> EFI_RNG_PROTOCOL (which exists at a less critical privilege level, i.e.
>> outside of SMM/SMRAM), but also that SMM drivers must not depend on the
>> same piece of *hardware* that feeds EFI_RNG_PROTOCOL.
>>
> The typical model is to seed a DRBG [deterministic pseudorandom
> sequence generator] using a sufficient amount of high quality entropy.
> Once you have done that, it is rather hard to exhaust a DRBG - it is a
> mathematical construction that is designed to last for a long time (<=
> 2^48 invocations [not bytes] according to the NIST spec), after which
> it does not degrade although it may have generated so much output that
> its internal state may be inferred if you have captured enough of it
> (which is a rather theoretical issue IMHO)
>
> The problem is that using the output of a DRBG as a seed is
> non-trivial - the spec describes ways to do this, but wiring
> virtio-rng to a DRBG in the host and using its output to seed a DRBG
> in the guest is slighly problematic.
>
> So it seems to me that the correct way to model this is to make the
> host's true entropy source a shared resource like any other.
>
Yes, I would make SMM use a cryptographic pseudo-random number generator
and seed it from virtio-rng from DXE, way before the OS starts and can
"attack" it.
Once you've gotten a seed, you can create a CSPRNG with a stream cipher
such as ChaCha20, which is literally 30 lines of code.
Paolo
#define ROTL(a,b) (((a) << (b)) | ((a) >> (32 - (b))))
#define QR(a, b, c, d) ( \
a += b, d ^= a, d = ROTL(d,16), \
c += d, b ^= c, b = ROTL(b,12), \
a += b, d ^= a, d = ROTL(d, 8), \
c += d, b ^= c, b = ROTL(b, 7))
#define ROUNDS 20
// initial state:
// in[0] = 0x65787061
// in[1] = 0x6e642033
// in[2] = 0x322d6279
// in[3] = 0x7465206b
// in[4]..in[11] = key (seed)
// in[12]..in[13] = 0
// in[14]..in[15] = nonce, can probably use RDTSC?
static uint32_t in[16];
uint32_t chacha_rng(void)
{
int i;
static uint32_t x[16], p;
if (p < 16)
return in[p++] + x[p++];
if (++in[12] == 0)
++in[13];
for (i = 0; i < 16; ++i)
x[i] = in[i];
// 10 loops × 2 rounds/loop = 20 rounds
for (i = 0; i < ROUNDS; i += 2) {
// Odd round
QR(x[0], x[4], x[ 8], x[12]); // column 0
QR(x[1], x[5], x[ 9], x[13]); // column 1
QR(x[2], x[6], x[10], x[14]); // column 2
QR(x[3], x[7], x[11], x[15]); // column 3
// Even round
QR(x[0], x[5], x[10], x[15]); // diagonal 1 (main diagonal)
QR(x[1], x[6], x[11], x[12]); // diagonal 2
QR(x[2], x[7], x[ 8], x[13]); // diagonal 3
QR(x[3], x[4], x[ 9], x[14]); // diagonal 4
}
p = 1;
return in[0] + x[0];
}
- privileged entropy sources in QEMU/KVM guests, Laszlo Ersek, 2019/11/07
- Re: privileged entropy sources in QEMU/KVM guests, Dr. David Alan Gilbert, 2019/11/07
- Re: privileged entropy sources in QEMU/KVM guests, Ard Biesheuvel, 2019/11/07
- Re: privileged entropy sources in QEMU/KVM guests,
Paolo Bonzini <=
- Re: privileged entropy sources in QEMU/KVM guests, Laszlo Ersek, 2019/11/07
- Re: privileged entropy sources in QEMU/KVM guests, Paolo Bonzini, 2019/11/07
- Re: privileged entropy sources in QEMU/KVM guests, Laszlo Ersek, 2019/11/07
Re: privileged entropy sources in QEMU/KVM guests, Laszlo Ersek, 2019/11/07
Re: privileged entropy sources in QEMU/KVM guests, Daniel P . Berrangé, 2019/11/07