On Fri, May 10, 2019 at 02:03:33PM +0200, Markus Armbruster wrote: > Kashyap Chamarthy <[email protected]> writes: > > > When QEMU exposes a VirtIO-RNG device to the guest, that device needs a > > source of entropy, and that source needs to be "non-blocking", like > > `/dev/urandom`. However, currently QEMU defaults to the problematic > > `/dev/random`, which is "blocking" (as in, it waits until sufficient > > entropy is available). > > > > Why prefer `/dev/urandom` over `/dev/random`? > > --------------------------------------------- > > > > The man pages of urandom(4) and random(4) state: > > "The /dev/random device is a legacy interface which dates back to a > > time where the cryptographic primitives used in the implementation > > of /dev/urandom were not widely trusted. It will return random > > bytes only within the estimated number of bits of fresh noise in the > > entropy pool, blocking if necessary. /dev/random is suitable for > > applications that need high quality randomness, and can afford > > indeterminate delays." > > > > Further, the "Usage" section of the said man pages state: > > > > "The /dev/random interface is considered a legacy interface, and > > /dev/urandom is preferred and sufficient in all use cases, with the > > exception of applications which require randomness during early boot > > time; for these applications, getrandom(2) must be used instead, > > because it will block until the entropy pool is initialized. > > > > "If a seed file is saved across reboots as recommended below (all > > major Linux distributions have done this since 2000 at least), the > > output is cryptographically secure against attackers without local > > root access as soon as it is reloaded in the boot sequence, and > > perfectly adequate for network encryption session keys. Since reads > > from /dev/random may block, users will usually want to open it in > > nonblocking mode (or perform a read with timeout), and provide some > > sort of user notification if the desired entropy is not immediately > > available." > > > > And refer to random(7) for a comparison of `/dev/random` and > > `/dev/urandom`. > > This is Linux. What about other supported POSIX[*] hosts? If any such > host has /dev/random that works here, but not /dev/urandom, we regress.
It exists on OS-X, FreeBSD, DragonFlyBSD, NetBSD and OpenBSD, which covers all the non-Linux platforms we explicitly support, aside from Windows. On Windows /dev/random doesn't work either so we don't regress. This is actually another argument in favour of using the newly proposed rng-builtin by default, as that will work on Windows. > *If* there's an actual regression risk: a simple & stupid way to reduce > it risk could be falling back to /dev/random when opening /dev/urandom > fails. Perhaps only when it fails with ENOENT. Unless I missed something, I think we'll be ok without the fallback though I wouldn't object to having a fallback as you describe. > Possible implementation: instead of setting a default filename in > rng_random_init(), change rng_random_opened() to try /dev/urandom, then > /dev/random when filename is still null. > > Aside: "opened" sounds like a predicate. Goes back to commit > a9b7b2ad7b0. Regards, Daniel -- |: https://berrange.com -o- https://www.flickr.com/photos/dberrange :| |: https://libvirt.org -o- https://fstop138.berrange.com :| |: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
