Port-xen archive


Re: nothing contributing entropy in Xen domUs? (causing python3.7 rebuild to get stuck in kernel in "entropy" during an "import" statement)



> Date: Tue, 30 Mar 2021 23:53:43 +0200
> From: Manuel Bouyer <bouyer%antioche.eu.org@localhost>
> 
> On Tue, Mar 30, 2021 at 02:40:18PM -0700, Greg A. Woods wrote:
> > [...]
> > 
> > Perhaps the answer is that nothing seems to be contributing anything to
> > the entropy pool.  No matter what device I exercise, none of the numbers
> > in the following changes:
> 
> yes, it's been this way since the rnd rototill. Virtual devices are
> not trusted.
> 
> The only way is to manually seed the pool.

This is false.  The virtual RNG drivers (viornd(4) [1], rump
hyperentropy [2], maybe others) all assume the VM host provides
samples with full entropy.  This has always been the case, and this
didn't change at all in the rototill last year.

There are no virtual RNG devices on the system in question, according
to the quoted `rndctl -l' output.  Perhaps the VM host needs to be
taught to expose a virtio-rng device to the guest?


[1] https://nxr.netbsd.org/xref/src/sys/dev/pci/viornd.c#245
[2] https://nxr.netbsd.org/xref/src/sys/rump/librump/rumpkern/hyperentropy.c#57


P.S.  Further discussion about Python, getrandom, and system
integration:
https://mail-index.netbsd.org/tech-userlevel/2021/01/11/msg012807.html

