Port-xen archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: nothing contributing entropy in Xen domUs? (causing python3.7 rebuild to get stuck in kernel in "entropy" during an "import" statement)



At Tue, 30 Mar 2021 23:53:43 +0200, Manuel Bouyer <bouyer%antioche.eu.org@localhost> wrote:
Subject: Re: nothing contributing entropy in Xen domUs?  (causing python3.7 rebuild to get stuck in kernel in "entropy" during an "import" statement)
>
> On Tue, Mar 30, 2021 at 02:40:18PM -0700, Greg A. Woods wrote:
> > [...]
> >
> > Perhaps the answer is that nothing seems to be contributing anything to
> > the entropy pool.  No matter what device I exercise, none of the numbers
> > in the following changes:
>
> yes, it's been this way since the rnd rototill. Virtual devices are
> not trusted.
>
> The only way is to manually seed the pool.

Ah, so that is definitely not what I expected!

Previously wasn't it up to the local admin what to trust?  I guess
throwing bits into /dev/random is one way to play that game, but....

I have to trust the dom0 implicitly and utterly anyway, so why not trust
the devices it presents?

This is especially true for xbd block devices.  All my blocks are belong
to dom0.

The network device is in effect no different than if it were real
hardware, so if I want to trust network traffic, then I should be able
to enable it, just as I could if it were real hardware.

The CPUs are also probably the least "virtual" things in Xen, so why not
trust them?  (Though I'm not sure I understand what entropy they can
offer in the first place.)

Finally, if the system isn't actually collecting entropy from a device,
then why the heck does it allow me to think it is (i.e. by allowing me
to enable it and show it as enabled and collecting via "rndctl -l")?

--
					Greg A. Woods <gwoods%acm.org@localhost>

Kelowna, BC     +1 250 762-7675           RoboHack <woods%robohack.ca@localhost>
Planix, Inc. <woods%planix.com@localhost>     Avoncote Farms <woods%avoncote.ca@localhost>

Attachment: pgpFe_wb32ASA.pgp
Description: OpenPGP Digital Signature



Home | Main Index | Thread Index | Old Index