Port-xen archive


Re: nothing contributing entropy in Xen domUs? or dom0!!!



At Wed, 31 Mar 2021 21:58:48 -0400, Thor Lancelot Simon <tls%panix.com@localhost> wrote:
Subject: Re: nothing contributing entropy in Xen domUs?  (causing python3.7 rebuild to get stuck in kernel in "entropy" during an "import" statement)
>
> On Wed, Mar 31, 2021 at 11:24:07AM +0200, Manuel Bouyer wrote:
> > On Tue, Mar 30, 2021 at 10:42:53PM +0000, Taylor R Campbell wrote:
> > >
> > > There are no virtual RNG devices on the system in question, according
> > > to the quoted `rndctl -l' output.  Perhaps the VM host needs to be
> > > taught to expose a virtio-rng device to the guest?
> >
> > There is no such thing in Xen.
>
> Is the CPU so old that it doesn't have RDRAND / RDSEED, or is Xen perhaps
> masking these CPU features from the guest?

So I don't quite know how to tell for sure (because "cpuid", for one,
doesn't even seem to include strings within it to report either of
those features, and because figuring it out from the magic names given
in places like Wikipedia is too hard), but in theory my CPU is very
much new enough to have at least one of those features.

In this particular example the server is a Dell R510 with a pair of
6-core E5645 CPUs, for which "cpuid" shows the following (in the dom0):


# cpuid
 eax in    eax      ebx      ecx      edx
00000000 0000000b 756e6547 6c65746e 49656e69
00000001 000206c2 20200800 029ee3ff bfebfbff
00000002 55035a01 00f0b2ff 00000000 00ca0000
00000003 00000000 00000000 00000000 00000000
00000004 3c004121 01c0003f 0000003f 00000000
00000005 00000040 00000040 00000003 00001120
00000006 00000007 00000002 00000001 00000000
00000007 00000000 00000000 00000000 00000000
00000008 00000000 00000000 00000000 00000000
00000009 00000000 00000000 00000000 00000000
0000000a 07300403 00000004 00000000 00000603
0000000b 00000001 00000002 00000100 00000020
80000000 80000008 00000000 00000000 00000000
80000001 00000000 00000000 00000001 2c100800
80000002 65746e49 2952286c 6f655820 2952286e
80000003 55504320 20202020 20202020 45202020
80000004 35343635 20402020 30342e32 007a4847
80000005 00000000 00000000 00000000 00000000
80000006 00000000 00000000 01006040 00000000
80000007 00000000 00000000 00000000 00000100
80000008 00003028 00000000 00000000 00000000

Vendor ID: "GenuineIntel"; CPUID level 11

Intel-specific functions:
Version 000206c2:
Type 0 - Original OEM
Family 6 - Pentium Pro
Model 12 -
Stepping 2
Reserved 8

Extended brand string: "Intel(R) Xeon(R) CPU           E5645  @ 2.40GHz"
CLFLUSH instruction cache line size: 8
Initial APIC ID: 32
Hyper threading siblings: 32

Feature flags bfebfbff:
FPU    Floating Point Unit
VME    Virtual 8086 Mode Enhancements
DE     Debugging Extensions
PSE    Page Size Extensions
TSC    Time Stamp Counter
MSR    Model Specific Registers
PAE    Physical Address Extension
MCE    Machine Check Exception
CX8    COMPXCHG8B Instruction
APIC   On-chip Advanced Programmable Interrupt Controller present and enabled
SEP    Fast System Call
MTRR   Memory Type Range Registers
PGE    PTE Global Flag
MCA    Machine Check Architecture
CMOV   Conditional Move and Compare Instructions
FGPAT  Page Attribute Table
PSE-36 36-bit Page Size Extension
CLFSH  CFLUSH instruction
DS     Debug store
ACPI   Thermal Monitor and Clock Ctrl
MMX    MMX instruction set
FXSR   Fast FP/MMX Streaming SIMD Extensions save/restore
SSE    Streaming SIMD Extensions instruction set
SSE2   SSE2 extensions
SS     Self Snoop
HT     Hyper Threading
TM     Thermal monitor
31     reserved

TLB and cache info:
5a: unknown TLB/cache descriptor
03: Data TLB: 4KB pages, 4-way set assoc, 64 entries
55: unknown TLB/cache descriptor
ff: unknown TLB/cache descriptor
b2: unknown TLB/cache descriptor
f0: unknown TLB/cache descriptor
ca: unknown TLB/cache descriptor
Processor serial: 0002-06C2-0000-0000-0000-0000


Xen does indeed hide features in the vcpu it presents to a PV domU:


$ cpuid
 eax in    eax      ebx      ecx      edx
00000000 0000000b 756e6547 6c65746e 49656e69
00000001 000206c2 22200800 02982203 1fc9cbf5
00000002 55035a01 00f0b2ff 00000000 00ca0000
00000003 00000000 00000000 00000000 00000000
00000004 3c004121 01c0003f 0000003f 00000000
00000005 00000040 00000040 00000003 00001120
00000006 00000007 00000002 00000001 00000000
00000007 00000000 00000000 00000000 00000000
00000008 00000000 00000000 00000000 00000000
00000009 00000000 00000000 00000000 00000000
0000000a 07300403 00000004 00000000 00000603
0000000b 00000001 00000002 00000100 00000022
80000000 80000008 00000000 00000000 00000000
80000001 00000000 00000000 00000001 20100800
80000002 65746e49 2952286c 6f655820 2952286e
80000003 55504320 20202020 20202020 45202020
80000004 35343635 20402020 30342e32 007a4847
80000005 00000000 00000000 00000000 00000000
80000006 00000000 00000000 01006040 00000000
80000007 00000000 00000000 00000000 00000100
80000008 00003028 00000000 00000000 00000000

Vendor ID: "GenuineIntel"; CPUID level 11

Intel-specific functions:
Version 000206c2:
Type 0 - Original OEM
Family 6 - Pentium Pro
Model 12 -
Stepping 2
Reserved 8

Extended brand string: "Intel(R) Xeon(R) CPU           E5645  @ 2.40GHz"
CLFLUSH instruction cache line size: 8
Initial APIC ID: 34
Hyper threading siblings: 32

Feature flags 1fc9cbf5:
FPU    Floating Point Unit
DE     Debugging Extensions
TSC    Time Stamp Counter
MSR    Model Specific Registers
PAE    Physical Address Extension
MCE    Machine Check Exception
CX8    COMPXCHG8B Instruction
APIC   On-chip Advanced Programmable Interrupt Controller present and enabled
SEP    Fast System Call
MCA    Machine Check Architecture
CMOV   Conditional Move and Compare Instructions
FGPAT  Page Attribute Table
CLFSH  CFLUSH instruction
ACPI   Thermal Monitor and Clock Ctrl
MMX    MMX instruction set
FXSR   Fast FP/MMX Streaming SIMD Extensions save/restore
SSE    Streaming SIMD Extensions instruction set
SSE2   SSE2 extensions
SS     Self Snoop
HT     Hyper Threading

TLB and cache info:
5a: unknown TLB/cache descriptor
03: Data TLB: 4KB pages, 4-way set assoc, 64 entries
55: unknown TLB/cache descriptor
ff: unknown TLB/cache descriptor
b2: unknown TLB/cache descriptor
f0: unknown TLB/cache descriptor
ca: unknown TLB/cache descriptor
Processor serial: 0002-06C2-0000-0000-0000-0000


I noted today though that entropy doesn't seem to be accumulating even
in the dom0 despite there being many useful sources configured to both
collect and "estimate" _and_ despite the fact there's a valid-looking
$random_file that was saved and reloaded by /etc/rc.d/random_seed (and
saved again every day by /etc/security):

# /etc/rc.d/random_seed rcvar
# random_seed
random_seed=YES
# ls -l /etc/entropy-file
-rw-------  1 root  wheel  536 Mar 31 04:15 /etc/entropy-file
# rndctl -l
Source                 Bits Type      Flags
ipmi0-Temp                0 env  estimate, collect, v, t, dv, dt
ipmi0-Temp1               0 env  estimate, collect, v, t, dv, dt
ipmi0-Temp2               0 env  estimate, collect, v, t, dv, dt
ipmi0-Temp3               0 env  estimate, collect, v, t, dv, dt
ipmi0-Ambient-T           0 env  estimate, collect, v, t, dv, dt
ipmi0-Planar-Te           0 env  estimate, collect, v, t, dv, dt
ipmi0-FAN-MOD-1           0 env  estimate, collect, v, t, dv, dt
ipmi0-FAN-MOD-1           0 env  estimate, collect, v, t, dv, dt
ipmi0-FAN-MOD-2           0 env  estimate, collect, v, t, dv, dt
ipmi0-FAN-MOD-2           0 env  estimate, collect, v, t, dv, dt
ipmi0-FAN-MOD-3           0 env  estimate, collect, v, t, dv, dt
ipmi0-FAN-MOD-3           0 env  estimate, collect, v, t, dv, dt
ipmi0-FAN-MOD-4           0 env  estimate, collect, v, t, dv, dt
ipmi0-Status              0 ???  estimate, collect, t, dt
ipmi0-Voltage             0 power estimate, collect, v, t, dv, dt
ipmi0-Voltage1            0 power estimate, collect, v, t, dv, dt
ipmi0-Status1             0 ???  estimate, collect, t, dt
ipmi0-Intrusion           0 ???  estimate, collect, t, dt
ipmi0-Temp4               0 env  estimate, collect, v, t, dv, dt
ipmi0-Temp5               0 env  estimate, collect, v, t, dv, dt
ipmi0-Temp6               0 env  estimate, collect, v, t, dv, dt
ipmi0-FAN-MOD-4           0 env  estimate, collect, v, t, dv, dt
ipmi0-FAN-MOD-5           0 env  estimate, collect, v, t, dv, dt
ipmi0-FAN-MOD-5           0 env  estimate, collect, v, t, dv, dt
ipmi0-Ambient-T           0 env  estimate, collect, v, t, dv, dt
ipmi0-Ambient-T           0 env  estimate, collect, v, t, dv, dt
ums0                      0 tty  estimate, collect, v, t, dt
ukbd0                     0 tty  estimate, collect, v, t, dt
/dev/random               0 ???  estimate, collect, v
sd2                       0 disk estimate, collect, v, t, dt
sd1                       0 disk estimate, collect, v, t, dt
sd0                       0 disk estimate, collect, v, t, dt
cpu0                      0 vm   estimate, collect, v, t, dv
hardclock                 0 skew estimate, collect, t
pckbd0                    0 tty  estimate, collect, v, t, dt
system-power              0 power estimate, collect, v, t, dt
autoconf                  0 ???  estimate, collect, t
seed                      0 ???  estimate, collect, v
# sysctl kern.entropy
kern.entropy.collection = 1
kern.entropy.depletion = 0
kern.entropy.consolidate = -23552
kern.entropy.gather = -23552
kern.entropy.needed = 256
kern.entropy.pending = 0
kern.entropy.epoch = 19

--
					Greg A. Woods <gwoods%acm.org@localhost>

Kelowna, BC     +1 250 762-7675           RoboHack <woods%robohack.ca@localhost>
Planix, Inc. <woods%planix.com@localhost>     Avoncote Farms <woods%avoncote.ca@localhost>
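
Added example (not part of the thread above): a Python snippet that reads the cpuid(1) register table quoted in the mail and checks the bits the question is actually about, RDRAND (leaf 1 ECX bit 30) and RDSEED (leaf 7 EBX bit 18), then lists which leaf-1 bits the dom0 reports that the PV domU does not. The register values are copied from the two dumps; the bit positions and names come from the Intel SDM, and the E5645 (Westmere) predates RDRAND, so the result is "absent" in both domains rather than "masked by Xen".

```python
import re

# Constructed excerpts of the cpuid(1) register tables quoted in the mail
# (dom0 and PV domU); only the leaves the checks below need are kept.
DOM0_DUMP = """\
 eax in    eax      ebx      ecx      edx
00000001 000206c2 20200800 029ee3ff bfebfbff
00000007 00000000 00000000 00000000 00000000
"""
DOMU_DUMP = """\
 eax in    eax      ebx      ecx      edx
00000001 000206c2 22200800 02982203 1fc9cbf5
00000007 00000000 00000000 00000000 00000000
"""

def parse_dump(text):
    """Map leaf -> {eax, ebx, ecx, edx} from the 'eax in  eax ebx ecx edx' table."""
    leaves = {}
    for line in text.splitlines():
        cols = line.split()
        if len(cols) == 5 and all(re.fullmatch(r"[0-9a-f]{8}", c) for c in cols):
            leaf, *regs = (int(c, 16) for c in cols)
            leaves[leaf] = dict(zip(("eax", "ebx", "ecx", "edx"), regs))
    return leaves

# Where the two hardware RNG instructions advertise themselves (Intel SDM, CPUID).
RNG_BITS = {"RDRAND": (0x1, "ecx", 30), "RDSEED": (0x7, "ebx", 18)}

def has_rng(leaves, name):
    leaf, reg, bit = RNG_BITS[name]
    return bool((leaves.get(leaf, {}).get(reg, 0) >> bit) & 1)

# Intel SDM names for the leaf-1 bits that differ between the two dumps above.
NAMES = {("ecx", 2): "DTES64", ("ecx", 3): "MONITOR", ("ecx", 4): "DS-CPL",
         ("ecx", 5): "VMX", ("ecx", 6): "SMX", ("ecx", 7): "EIST", ("ecx", 8): "TM2",
         ("ecx", 14): "xTPR", ("ecx", 15): "PDCM", ("ecx", 17): "PCID", ("ecx", 18): "DCA",
         ("edx", 1): "VME", ("edx", 3): "PSE", ("edx", 12): "MTRR", ("edx", 13): "PGE",
         ("edx", 17): "PSE-36", ("edx", 21): "DS", ("edx", 29): "TM", ("edx", 31): "PBE"}

def masked_bits(host, guest, leaf=0x1, reg="edx"):
    """Bit numbers set on the host but clear in the guest: what the hypervisor hides."""
    diff = host[leaf][reg] & ~guest[leaf][reg]
    return [b for b in range(32) if (diff >> b) & 1]

def masked_names(host, guest, leaf=0x1, reg="edx"):
    return [NAMES.get((reg, b), f"bit{b}") for b in masked_bits(host, guest, leaf, reg)]

if __name__ == "__main__":
    dom0, domu = parse_dump(DOM0_DUMP), parse_dump(DOMU_DUMP)
    for name in RNG_BITS:
        print(f"{name}: dom0={has_rng(dom0, name)} domU={has_rng(domu, name)}")
    for reg in ("ecx", "edx"):
        print(f"leaf 1 {reg} hidden from domU:", ", ".join(masked_names(dom0, domu, 0x1, reg)))
```

Run against a full `cpuid` table from any other host, the same two checks tell you whether a missing hardware RNG is a CPU limitation or a hypervisor mask.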



