[PATCH 0/2] rng-tools: add udev rule for virtio-rng

[PATCH 0/2] rng-tools: add udev rule for virtio-rng

[Amit Shah]

Hello,

I didn't find a mailing list for rng-tools, so CC'ing the kernel lists
and the last few committers.

The first patch in this series adds a udev rule to start rngd for
guests that have a virtio-rng device available.

The second patch attempts to add autoconf magic to install the udev
rule in the system dirs.  However, installing as non-root will
obviously fail.  Prefixes are also not honoured.  I don't know of a
better way, and we probably should leave this to distributions.
However, if someone has a better idea on how to expand this, please
suggest.


Amit Shah (2):
  rngd: add udev rule to source from hwrng if virtio-rng present
  Install udev rules in system-default directory

 90-virtio-rng.rules | 1 +
 Makefile.am         | 1 +
 configure.ac        | 8 ++++++++
 3 files changed, 10 insertions(+)
 create mode 100644 90-virtio-rng.rules

-- 
1.9.3

[PATCH 1/2] rngd: add udev rule to source from hwrng if virtio-rng present

[Amit Shah]

On KVM guests where the virtio-rng device is available, and set as the
current rng, this udev rule will start rngd which will feed in the
host-provided entropy to /dev/random.

Signed-off-by: Amit Shah <amit.shah@redhat.com>
---
 90-virtio-rng.rules | 1 +
 1 file changed, 1 insertion(+)
 create mode 100644 90-virtio-rng.rules

diff --git a/90-virtio-rng.rules b/90-virtio-rng.rules
new file mode 100644
index 0000000..07f2f9c
--- /dev/null
+++ b/90-virtio-rng.rules
@@ -0,0 +1 @@
+KERNEL=="hw_random", ATTR{rng_current}=="virtio*", RUN+="/sbin/rngd -r /dev/hwrng"
-- 
1.9.3

[PATCH 2/2] Install udev rules in system-default directory

[Amit Shah]

not-quite-Signed-off-by: Amit Shah <amit.shah@redhat.com>
---
 Makefile.am  | 1 +
 configure.ac | 8 ++++++++
 2 files changed, 9 insertions(+)

diff --git a/Makefile.am b/Makefile.am
index f8490a3..a2b8173 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -8,6 +8,7 @@ sbin_PROGRAMS	 = rngd
 bin_PROGRAMS	 = rngtest
 man_MANS	 = rngd.8 rngtest.1
 noinst_LIBRARIES = librngd.a
+udevrules_DATA	 = 90-virtio-rng.rules
 
 rngd_SOURCES	= rngd.h rngd.c	rngd_entsource.h rngd_entsource.c	\
 		  rngd_linux.h rngd_linux.c util.c 			\
diff --git a/configure.ac b/configure.ac
index 27a2dba..4187aca 100644
--- a/configure.ac
+++ b/configure.ac
@@ -32,6 +32,14 @@ AC_ARG_WITH([libgcrypt],
 	[with_libgcrypt=check]
 )
 
+PKG_PROG_PKG_CONFIG
+
+AC_ARG_WITH([udevrulesdir],
+	AS_HELP_STRING([--with-udevrulesdir=DIR], [Directory for udev rules]),
+	[],
+	[with_udevrulesdir=$($PKG_CONFIG --variable=udevdir udev)"/rules.d"])
+AC_SUBST([udevrulesdir], [$with_udevrulesdir])
+
 dnl Make sure anyone changing configure.ac/Makefile.am has a clue
 AM_MAINTAINER_MODE
 
-- 
1.9.3

Re: [PATCH 1/2] rngd: add udev rule to source from hwrng if virtio-rng present

[H. Peter Anvin]

On 08/07/2014 06:08 AM, Amit Shah wrote:
> On KVM guests where the virtio-rng device is available, and set as the
> current rng, this udev rule will start rngd which will feed in the
> host-provided entropy to /dev/random.
> 
> Signed-off-by: Amit Shah <amit.shah@redhat.com>
> ---
>  90-virtio-rng.rules | 1 +
>  1 file changed, 1 insertion(+)
>  create mode 100644 90-virtio-rng.rules
> 
> diff --git a/90-virtio-rng.rules b/90-virtio-rng.rules
> new file mode 100644
> index 0000000..07f2f9c
> --- /dev/null
> +++ b/90-virtio-rng.rules
> @@ -0,0 +1 @@
> +KERNEL=="hw_random", ATTR{rng_current}=="virtio*", RUN+="/sbin/rngd -r /dev/hwrng"
> 

I'm not sure this is really right.  rngd can receive input from a number
of sources, and I suspect it would be better to rngd to be started much
earlier and perhaps get sent a SIGHUP to reconfigure when a hw_random
device appears ... not just the virtio one.

Currently rngd exits if there is no daemon.  There are a few ways to
deal with that: one is to run rngd on changes and leave a pid file
around; the rngd can try to signal the old rngd or launch itself;
another option would be to have a different rngd for each source.  To
some degree the above is obsolete when we get khwrngd widely deployed,
but that is a new-kernel-only kind of thing.

	-hpa

Re: [PATCH 1/2] rngd: add udev rule to source from hwrng if virtio-rng present

[Amit Shah]

On (Thu) 07 Aug 2014 [12:31:11], H. Peter Anvin wrote:
> On 08/07/2014 06:08 AM, Amit Shah wrote:
> > On KVM guests where the virtio-rng device is available, and set as the
> > current rng, this udev rule will start rngd which will feed in the
> > host-provided entropy to /dev/random.
> > 
> > Signed-off-by: Amit Shah <amit.shah@redhat.com>
> > ---
> >  90-virtio-rng.rules | 1 +
> >  1 file changed, 1 insertion(+)
> >  create mode 100644 90-virtio-rng.rules
> > 
> > diff --git a/90-virtio-rng.rules b/90-virtio-rng.rules
> > new file mode 100644
> > index 0000000..07f2f9c
> > --- /dev/null
> > +++ b/90-virtio-rng.rules
> > @@ -0,0 +1 @@
> > +KERNEL=="hw_random", ATTR{rng_current}=="virtio*", RUN+="/sbin/rngd -r /dev/hwrng"
> > 
> 
> I'm not sure this is really right.  rngd can receive input from a number
> of sources, and I suspect it would be better to rngd to be started much
> earlier and perhaps get sent a SIGHUP to reconfigure when a hw_random
> device appears ... not just the virtio one.

Right - yea.  Modern distros do start rngd by default (at least Fedora
and RHEL do), so this does make sense.

But as you note below, not all distros may start rngd...

> Currently rngd exits if there is no daemon.  There are a few ways to
> deal with that: one is to run rngd on changes and leave a pid file
> around; the rngd can try to signal the old rngd or launch itself;
> another option would be to have a different rngd for each source.

Currently the kernel can only have one rng_current, which is a pity.
So in the current case, rngd only needs one instance -- and it'll
always accept stuff from /dev/hwrng and it doesn't matter if the
rng_current is changed as long as there's some rng there.

>  To
> some degree the above is obsolete when we get khwrngd widely deployed,
> but that is a new-kernel-only kind of thing.

Right - I'm wondering if any such changes as propsed here are now
obsolted already by khwrngd?

Thanks,

		Amit

Re: [PATCH 1/2] rngd: add udev rule to source from hwrng if virtio-rng present

[H. Peter Anvin]

On 08/08/2014 02:07 AM, Amit Shah wrote:
>
> 
>>  To
>> some degree the above is obsolete when we get khwrngd widely deployed,
>> but that is a new-kernel-only kind of thing.
> 
> Right - I'm wondering if any such changes as propsed here are now
> obsolted already by khwrngd?
> 

In this case, yes, khwrngd would be a better solution for current kernels.

	-hpa

Re: [PATCH 1/2] rngd: add udev rule to source from hwrng if virtio-rng present

[Amit Shah]

On (Fri) 08 Aug 2014 [14:46:27], H. Peter Anvin wrote:
> On 08/08/2014 02:07 AM, Amit Shah wrote:
> >
> > 
> >>  To
> >> some degree the above is obsolete when we get khwrngd widely deployed,
> >> but that is a new-kernel-only kind of thing.
> > 
> > Right - I'm wondering if any such changes as propsed here are now
> > obsolted already by khwrngd?
> > 
> 
> In this case, yes, khwrngd would be a better solution for current kernels.

I think that's OK with me.

What's the suggested value for rng->quality, though, for virtio-rng
that I can use to ensure the kthread starts?

Should I use the 700 (70%) as proposed in the original patchset?  I'm
not exactly sure how that value will be used as well..


		Amit

Re: [PATCH 1/2] rngd: add udev rule to source from hwrng if virtio-rng present

[Torsten Duwe]

On Mon, Aug 11, 2014 at 12:45:27PM +0530, Amit Shah wrote:
> 
> What's the suggested value for rng->quality, though, for virtio-rng
> that I can use to ensure the kthread starts?
> 
> Should I use the 700 (70%) as proposed in the original patchset?  I'm
> not exactly sure how that value will be used as well..

There is no such thing as a suggested value, every number is wrong
to some degree.  The quality is an estimation of how random your
source really is; it's a property of your hardware. If the device is
virtual you're in trouble ;-)

Either you have a way to query the underlying real hardware, or
you do your whitening and entropy estimation in the backend driver --
then you can claim 100%.

	Torsten

Re: [PATCH 1/2] rngd: add udev rule to source from hwrng if virtio-rng present

[H. Peter Anvin]

On 08/11/2014 06:30 AM, Torsten Duwe wrote:
> On Mon, Aug 11, 2014 at 12:45:27PM +0530, Amit Shah wrote:
>>
>> What's the suggested value for rng->quality, though, for virtio-rng
>> that I can use to ensure the kthread starts?
>>
>> Should I use the 700 (70%) as proposed in the original patchset?  I'm
>> not exactly sure how that value will be used as well..
> 
> There is no such thing as a suggested value, every number is wrong
> to some degree.  The quality is an estimation of how random your
> source really is; it's a property of your hardware. If the device is
> virtual you're in trouble ;-)
> 
> Either you have a way to query the underlying real hardware, or
> you do your whitening and entropy estimation in the backend driver --
> then you can claim 100%.
> 

virtio-rng I feel we could rank at 100%; it is supposed to feed
/dev/random-quality randomness from the VMM.  If the VMM is hostile you
have already lost anyway.

	-hpa

Re: [PATCH 2/2] Install udev rules in system-default directory

[Paolo Bonzini]

Il 07/08/2014 15:09, Amit Shah ha scritto:
> +udevrules_DATA	 = 90-virtio-rng.rules

If rng-tools is packaged with "make dist" you need this to be

dist_udevrules_DATA	 = 90-virtio-rng.rules

or alternatively

EXTRA_DIST = 90-virtio-rng.rules
udevrules_DATA	 = 90-virtio-rng.rules

> +AC_ARG_WITH([udevrulesdir],
> +	AS_HELP_STRING([--with-udevrulesdir=DIR], [Directory for udev rules]),
> +	[],
> +	[with_udevrulesdir=$($PKG_CONFIG --variable=udevdir udev)"/rules.d"])
> +AC_SUBST([udevrulesdir], [$with_udevrulesdir])

You can use AM_CONDITIONAL to skip the installation if
$with_udevrulesdir is "no" (aka --without-udevrulesdir).  Then you'd have

EXTRA_DIST = 90-virtio-rng.rules
if INSTALL_UDEV_RULES
udevrules_DATA	 = 90-virtio-rng.rules
endif

I don't know offhand if this works:

if INSTALL_UDEV_RULES
dist_udevrules_DATA	 = 90-virtio-rng.rules
endif

but I think so; you can check with "./configure --without-udevrulesdir
&& make && make dist".

Thanks,

Paolo

Re: [PATCH 2/2] Install udev rules in system-default directory

[Amit Shah]

On (Tue) 19 Aug 2014 [19:20:20], Paolo Bonzini wrote:
> Il 07/08/2014 15:09, Amit Shah ha scritto:
> > +udevrules_DATA	 = 90-virtio-rng.rules
> 
> If rng-tools is packaged with "make dist" you need this to be
> 
> dist_udevrules_DATA	 = 90-virtio-rng.rules
> 
> or alternatively
> 
> EXTRA_DIST = 90-virtio-rng.rules
> udevrules_DATA	 = 90-virtio-rng.rules
> 
> > +AC_ARG_WITH([udevrulesdir],
> > +	AS_HELP_STRING([--with-udevrulesdir=DIR], [Directory for udev rules]),
> > +	[],
> > +	[with_udevrulesdir=$($PKG_CONFIG --variable=udevdir udev)"/rules.d"])
> > +AC_SUBST([udevrulesdir], [$with_udevrulesdir])
> 
> You can use AM_CONDITIONAL to skip the installation if
> $with_udevrulesdir is "no" (aka --without-udevrulesdir).  Then you'd have
> 
> EXTRA_DIST = 90-virtio-rng.rules
> if INSTALL_UDEV_RULES
> udevrules_DATA	 = 90-virtio-rng.rules
> endif
> 
> I don't know offhand if this works:
> 
> if INSTALL_UDEV_RULES
> dist_udevrules_DATA	 = 90-virtio-rng.rules
> endif
> 
> but I think so; you can check with "./configure --without-udevrulesdir
> && make && make dist".

Thanks!  Will give this a shot for curiosity's sake.  The
khwrngd-based patch has already been merged upstream, so this is now
obsolete.


		Amit