From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from eggs.gnu.org ([208.118.235.92]:40475)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <anthony@codemonkey.ws>) id 1SUisY-00020M-HX
	for qemu-devel@nongnu.org; Wed, 16 May 2012 14:23:19 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <anthony@codemonkey.ws>) id 1SUisW-0005gC-E4
	for qemu-devel@nongnu.org; Wed, 16 May 2012 14:23:18 -0400
Received: from mail-pb0-f45.google.com ([209.85.160.45]:40527)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <anthony@codemonkey.ws>) id 1SUisW-0005ff-7S
	for qemu-devel@nongnu.org; Wed, 16 May 2012 14:23:16 -0400
Received: by pbbro12 with SMTP id ro12so1855045pbb.4
	for <qemu-devel@nongnu.org>; Wed, 16 May 2012 11:23:14 -0700 (PDT)
Message-ID: <4FB3F08F.2070303@codemonkey.ws>
Date: Wed, 16 May 2012 13:23:11 -0500
From: Anthony Liguori <anthony@codemonkey.ws>
MIME-Version: 1.0
References: <aa4c6913ca2bc37e049f04f498c6414a4ec544bd.1337167727.git.amit.shah@redhat.com>
	<4FB3AA86.3080507@codemonkey.ws>
	<20120516172143.GA16342@amit.redhat.com>
In-Reply-To: <20120516172143.GA16342@amit.redhat.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Subject: Re: [Qemu-devel] [PATCH 1/1] virtio-rng: device to send host
 entropy to guest
List-Id: <qemu-devel.nongnu.org>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <http://lists.nongnu.org/archive/html/qemu-devel>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
To: Amit Shah <amit.shah@redhat.com>
Cc: qemu list <qemu-devel@nongnu.org>

On 05/16/2012 12:21 PM, Amit Shah wrote:
> On (Wed) 16 May 2012 [08:24:22], Anthony Liguori wrote:
>> On 05/16/2012 06:30 AM, Amit Shah wrote:
>>> The Linux kernel already has a virtio-rng driver, this is the device
>>> implementation.
>>>
>>> When Linux needs more entropy, it puts a buffer in the vq.  We then put
>>> entropy into that buffer, and push it back to the guest.
>>>
>>> Feeding randomness from host's /dev/urandom into the guest is
>>> sufficient, so this is a simple implementation that opens /dev/urandom
>>> and reads from it whenever required.
>>>
>>> Invocation is simple:
>>>
>>>    qemu ... -device virtio-rng-pci
>>>
>>> In the guest, we see
>>>
>>>    $ cat /sys/devices/virtual/misc/hw_random/rng_available
>>>    virtio
>>>
>>>    $ cat /sys/devices/virtual/misc/hw_random/rng_current
>>>    virtio
>>>
>>> There are ways to extend the device to be more generic and collect
>>> entropy from other sources, but this is simple enough and works for now.
>>>
>>> Signed-off-by: Amit Shah<amit.shah@redhat.com>
>>
>> It's not this simple unfortunately.
>>
>> If you did this with libvirt, one guest could exhaust the available
>> entropy for the remaining guests.  This could be used as a mechanism
>> for one guest to attack another (reducing the available entropy for
>> key generation).
>>
>> You need to rate limit the amount of entropy that a guest can obtain
>> to allow management tools to mitigate this attack.
>
> Hm, rate-limiting is a good point.  However, we're using /dev/urandom
> here, which is nonblocking, and will keep on providing data as long as
> we keep reading.

But you're still exhausting the entropy pool (which is a global resource). 
That's the problem.

Regards,

Anthony Liguori

>
> 		Amit