Re: [Qemu-devel] [PATCH v2] VirtIO-RNG: Update default entropy source to `/dev/urandom`

["Daniel P. Berrangé" <berrange@redhat.com>]

On Fri, May 10, 2019 at 02:03:33PM +0200, Markus Armbruster wrote:
> Kashyap Chamarthy <kchamart@redhat.com> writes:
> 
> > When QEMU exposes a VirtIO-RNG device to the guest, that device needs a
> > source of entropy, and that source needs to be "non-blocking", like
> > `/dev/urandom`.  However, currently QEMU defaults to the problematic
> > `/dev/random`, which is "blocking" (as in, it waits until sufficient
> > entropy is available).
> >
> > Why prefer `/dev/urandom` over `/dev/random`?
> > ---------------------------------------------
> >
> > The man pages of urandom(4) and random(4) state:
> >     "The /dev/random device is a legacy interface which dates back to a
> >     time where the cryptographic primitives used in the implementation
> >     of /dev/urandom were not widely trusted.  It will return random
> >     bytes only within the estimated number of bits of fresh noise in the
> >     entropy pool, blocking if necessary.  /dev/random is suitable for
> >     applications that need high quality randomness, and can afford
> >     indeterminate delays."
> >
> > Further, the "Usage" section of the said man pages state:
> >
> >     "The /dev/random interface is considered a legacy interface, and
> >     /dev/urandom is preferred and sufficient in all use cases, with the
> >     exception of applications which require randomness during early boot
> >     time; for these applications, getrandom(2) must be used instead,
> >     because it will block until the entropy pool is initialized.
> >
> >     "If a seed file is saved across reboots as recommended below (all
> >     major Linux distributions have done this since 2000 at least), the
> >     output is cryptographically secure against attackers without local
> >     root access as soon as it is reloaded in the boot sequence, and
> >     perfectly adequate for network encryption session keys.  Since reads
> >     from /dev/random may block, users will usually want to open it in
> >     nonblocking mode (or perform a read with timeout), and provide some
> >     sort of user notification if the desired entropy is not immediately
> >     available."
> >
> > And refer to random(7) for a comparison of `/dev/random` and
> > `/dev/urandom`.
> 
> This is Linux.  What about other supported POSIX[*] hosts?  If any such
> host has /dev/random that works here, but not /dev/urandom, we regress.

It exists on OS-X, FreeBSD, DragonFlyBSD, NetBSD and OpenBSD, which covers
all the non-Linux platforms we explicitly support, aside from Windows.

On Windows /dev/random doesn't work either so we don't regress. This is
actually another argument in favour of using the newly proposed rng-builtin
by default, as that will work on Windows.

> *If* there's an actual regression risk: a simple & stupid way to reduce
> it risk could be falling back to /dev/random when opening /dev/urandom
> fails.  Perhaps only when it fails with ENOENT.

Unless I missed something, I think we'll be ok without the fallback
though I wouldn't object to having a fallback as you describe.

> Possible implementation: instead of setting a default filename in
> rng_random_init(), change rng_random_opened() to try /dev/urandom, then
> /dev/random when filename is still null.
> 
> Aside: "opened" sounds like a predicate.  Goes back to commit
> a9b7b2ad7b0.

Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|