Re: [libvirt] RFC: virtio-rng and /dev/urandom
On Fri, Apr 15, 2016 at 06:41:34AM -0400, Cole Robinson wrote:
Libvirt currently rejects using host /dev/urandom as an input source
for a
virtio-rng device. The only accepted sources are /dev/random and /dev/hwrng.
This is the result of discussions on qemu-devel around when the feature was
first added (2013). Examples:
http://lists.gnu.org/archive/html/qemu-devel/2012-09/msg02387.html
https://lists.gnu.org/archive/html/qemu-devel/2013-03/threads.html#00023
libvirt's rejection of /dev/urandom has generated some complaints from users:
https://bugzilla.redhat.com/show_bug.cgi?id=1074464
* cited: http://www.2uo.de/myths-about-urandom/
http://www.redhat.com/archives/libvir-list/2016-March/msg01062.html
http://www.redhat.com/archives/libvir-list/2016-April/msg00186.html
I think it's worth having another discussion about this, at least with a
recent argument in one place so we can put it to bed. I'm CCing a bunch of
people. I think the questions are:
1) is the original recommendation to never use virtio-rng+/dev/urandom correct?
2) regardless of #1, should we continue to reject that config in libvirt?
There was a lot of internal-to-Red Hat discussion on this which I
can't reproduce here unfortunately. However the crux of it was that
it's quite safe to read enormous amounts from /dev/urandom, even
without adding any entropy at all, and use those numbers for
cryptographic purposes.
Steve: can we disclose the research that was done into this? If so
can you summarise the results for us?
Rich.
--
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
virt-p2v converts physical machines to virtual machines. Boot with a
live CD or over the network (PXE) and turn machines into KVM guests.
http://libguestfs.org/virt-v2v