From: Eric Blake
Date: Fri, 15 Apr 2016 09:47:51 -0600
Subject: Re: [Qemu-devel] RFC: virtio-rng and /dev/urandom
To: Cole Robinson, libvirt-list@redhat.com, qemu-devel
Cc: "Richard W.M. Jones", "Daniel P. Berrange", Peter Krempa, Amit Shah, mik@miknet.net, jjaburek@redhat.com, hkario@redhat.com, sgrubb@redhat.com, hpa@zytor.com, Paolo Bonzini
Message-ID: <57110D27.6080805@redhat.com>
In-Reply-To: <5710C55E.3030000@redhat.com>

On 04/15/2016 04:41 AM, Cole Robinson wrote:
> Libvirt currently rejects using host /dev/urandom as an input source for a
> virtio-rng device. The only accepted sources are /dev/random and /dev/hwrng.
> This is the result of discussions on qemu-devel around when the feature was
> first added (2013).
> Examples:
>
> http://lists.gnu.org/archive/html/qemu-devel/2012-09/msg02387.html
> https://lists.gnu.org/archive/html/qemu-devel/2013-03/threads.html#00023
>
> libvirt's rejection of /dev/urandom has generated some complaints from users:
>
> https://bugzilla.redhat.com/show_bug.cgi?id=1074464
>   * cited: http://www.2uo.de/myths-about-urandom/
> http://www.redhat.com/archives/libvir-list/2016-March/msg01062.html
> http://www.redhat.com/archives/libvir-list/2016-April/msg00186.html
>
> I think it's worth having another discussion about this, at least with a
> recent argument in one place so we can put it to bed. I'm CCing a bunch of
> people. I think the questions are:
>
> 1) is the original recommendation to never use virtio-rng+/dev/urandom correct?

That I'm not sure about - and the answer may be context-dependent (for
example a FIPS user may care more than an ordinary user)

>
> 2) regardless of #1, should we continue to reject that config in libvirt?

This one, I have a pretty strong opinion: libvirt should NOT enforce
policy. If someone has a valid use case for doing it, we should permit
them to do it, even if it lets someone else shoot themselves in the
foot. So I think we should relax libvirt to allow users that source
their virtio-rng from /dev/urandom.

-- 
Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org
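
An added example, not part of the original message and not libvirt's own code: a Python check that reads a libvirt domain XML and reports, for each virtio-rng device, whether its host source is one of the two the quoted message says libvirt accepted. The sample XML, the guest name, the verdict labels and the function name `audit_rng_backends` are constructed for illustration; the `accepted` parameter models the relaxation proposed in the reply.

```python
import xml.etree.ElementTree as ET

# The two host sources the quoted message says libvirt accepted at the time.
ACCEPTED_SOURCES = frozenset({"/dev/random", "/dev/hwrng"})

# Constructed sample domain XML (hypothetical guest, not taken from the thread).
SAMPLE_DOMAIN_XML = """
<domain type='kvm'>
  <name>demo-guest</name>
  <devices>
    <rng model='virtio'>
      <backend model='random'>/dev/urandom</backend>
    </rng>
    <rng model='virtio'>
      <backend model='random'>/dev/random</backend>
    </rng>
    <rng model='virtio'>
      <backend model='egd' type='udp'>
        <source mode='connect' host='192.0.2.10' service='1234'/>
      </backend>
    </rng>
  </devices>
</domain>
"""

def audit_rng_backends(domain_xml, accepted=ACCEPTED_SOURCES):
    """Return (backend_model, source_path, verdict) per <rng> in trusted domain XML."""
    findings = []
    for rng in ET.fromstring(domain_xml).findall("./devices/rng"):
        backend = rng.find("backend")
        model = backend.get("model") if backend is not None else None
        if model != "random":
            # e.g. 'egd': entropy arrives over a socket, not a host device path
            findings.append((model, None, "not-a-host-device"))
            continue
        source = (backend.text or "").strip()
        if not source:
            # No path given: the hypervisor's default source is used.
            findings.append((model, None, "hypervisor-default"))
        else:
            verdict = "accepted" if source in accepted else "rejected"
            findings.append((model, source, verdict))
    return findings

if __name__ == "__main__":
    for finding in audit_rng_backends(SAMPLE_DOMAIN_XML):
        print(finding)
```

Passing `accepted=ACCEPTED_SOURCES | {"/dev/urandom"}` shows how the same guest definition would be classified if /dev/urandom were permitted.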