From: Andy Smith <andy@strugglers.net>
To: Sarah Newman <srn@prgmr.com>
Cc: xen-devel <xen-devel@lists.xenproject.org>
Subject: Re: PV random device
Date: Tue, 6 Oct 2015 03:35:21 +0000 [thread overview]
Message-ID: <20151006033521.GF4243@bitfolk.com> (raw)
In-Reply-To: <561324FD.8010909@prgmr.com>
Hi,
On Mon, Oct 05, 2015 at 06:33:49PM -0700, Sarah Newman wrote:
> We would like to use something like virtio-rng http://wiki.qemu-project.org/Features-Done/VirtIORNG with PVM domUs and since the wiki page on virtio
> http://wiki.xen.org/wiki/Virtio_On_Xen says the wiki page is out of date, what is the current status?
I'm sorry, I do not know the answer to your question, but while the
subject of virtio-rng has been brought up I wanted to mention
something related.
As you're no doubt aware, domUs being starved of entropy can be a
problem when they are doing crypto-intensive things like HTTPS,
VPNs, PGP and so on. The blocking nature of /dev/random can cause
performance problems.
So, I've been keeping (PV) domUs topped up with entropy by giving
them access to hardware RNGs (initially Entropy Keys, but since the
company making them failed I've switched to OneRNGs).
However, a lot of smart people tell me I'm doing this wrong:
http://www.2uo.de/myths-about-urandom/
Basically they tell me to just make everything use /dev/urandom
instead. The above article suggests that the only time /dev/random
is better than urandom is on Linux boot when it needs to seed the
PRNG.
That said, I'm still left with a lot of software that wants to use
/dev/random and can't be told to do otherwise. Symlinking random to
urandom seems like a rather excessive thing to suggest people do
(domU admins are my customers).
It may just be the path of least resistance for me to continue
telling my customers to point their stuff at my hardware RNGs even
if it is the wrong solution. And then hopefully switch to using
virtio-rng so my customers need not know about the hardware RNGs.
But doing the technically wrong thing hurts my sensibilities a bit.
Has anyone got any thoughts on that?
Cheers,
Andy
--
> The optimum programming team size is 1.
Has Jurassic Park taught us nothing?
— pfilandr
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel
next prev parent reply other threads:[~2015-10-06 3:35 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-10-06 1:33 PV random device Sarah Newman
2015-10-06 3:35 ` Andy Smith [this message]
2015-10-06 4:12 ` Sarah Newman
2015-10-06 4:29 ` Andy Smith
2015-10-06 4:34 ` Sarah Newman
2015-10-06 4:50 ` Steven Haigh
2015-10-06 5:18 ` Andy Smith
2015-10-06 7:40 ` Sarah Newman
2015-10-06 9:15 ` Ian Campbell
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20151006033521.GF4243@bitfolk.com \
--to=andy@strugglers.net \
--cc=srn@prgmr.com \
--cc=xen-devel@lists.xenproject.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.