On Friday, February 01, 2013 04:39:17 PM Bill Nottingham wrote:
> Given FIPS paranoia about RNG sources, does this have knock-on effects in
> the FIPS compliance of guests depending on how it's fed in the host?
There is no FIPS problem here. It's more of a Common Criteria issue. But here
is a litt
On Tue, 2013-02-05 at 11:11 -0500, Bill Nottingham wrote:
> Matthew Garrett (mj...@srcf.ucam.org) said:
> > This patchset means that there's a /dev/hwrng available in the guest, so
> > you still need to run something like rngd to mix that into the kernel's
> > entropy pool.
>
> Speaking of, wh
Matthew Garrett (mj...@srcf.ucam.org) said:
> This patchset means that there's a /dev/hwrng available in the guest, so
> you still need to run something like rngd to mix that into the kernel's
> entropy pool.
Speaking of, why is it a thing that we need a separate userspace daemon
to dump data f
amit's response:
On (Sun) 03 Feb 2013 [10:30:49], Cole Robinson wrote:
> On 02/01/2013 04:39 PM, Bill Nottingham wrote:
>> Jaroslav Reznik (jrez...@redhat.com) said:
>>> Feature owner(s): Cole Robinson , Amit Shah
>>>
>>>
>>> Provide a paravirtual random number generator to virtual machines, to
On 02/02/2013 02:49 PM, Björn Persson wrote:
> Paolo Bonzini wrote:
>> If you're talking about RDRAND, it doesn't hand out entropy. That's
>> RDSEED, which will only come with Haswell.
>>
>> RDRAND only hands out random numbers.
>
> Huh? "Random numbers" is pretty much synonymous to "entropy" in
On 02/01/2013 04:39 PM, Bill Nottingham wrote:
> Jaroslav Reznik (jrez...@redhat.com) said:
>> Feature owner(s): Cole Robinson , Amit Shah
>>
>>
>> Provide a paravirtual random number generator to virtual machines, to
>> prevent
>> entropy starvation in guests.
>>
>> == Detailed description
On 02/02/2013 14:49, Björn Persson wrote:
> Paolo Bonzini wrote:
>> If you're talking about RDRAND, it doesn't hand out entropy. That's
>> RDSEED, which will only come with Haswell.
>>
>> RDRAND only hands out random numbers.
>
> Huh? "Random numbers" is pretty much synonymous to "entropy" i
Paolo Bonzini wrote:
> If you're talking about RDRAND, it doesn't hand out entropy. That's
> RDSEED, which will only come with Haswell.
>
> RDRAND only hands out random numbers.
Huh? "Random numbers" is pretty much synonymous to "entropy" in the
cryptographic language I'm used to.
Ah, according
On 02/02/2013 00:40, Matthew Garrett wrote:
> This patchset means that there's a /dev/hwrng available in the guest, so
> you still need to run something like rngd to mix that into the kernel's
> entropy pool. You're right that the total amount of entropy is still
> limited to that available
On Fri, Feb 01, 2013 at 08:17:26PM -0500, Paul Wouters wrote:
> The guests can always run their own rngd type tool?
Yeah, this just makes host randomness available to the guest - it
doesn't directly feed it to /dev/random. The guest still gets to define
its own policy.
--
Matthew Garrett | mj
On Sat, Feb 2, 2013 at 2:19 AM, Paul Wouters wrote:
> On Fri, 1 Feb 2013, Matthew Garrett wrote:
>
>> other than providing other sources of entropy, and long-term this is
>> going to be fixed once everyone's moved to Ivy Bridge and has an
>> unprivileged instruction to hand out entropy.
>
> uhm I
On Fri, Feb 01, 2013 at 08:19:30PM -0500, Paul Wouters wrote:
> On Fri, 1 Feb 2013, Matthew Garrett wrote:
>
> >other than providing other sources of entropy, and long-term this is
> >going to be fixed once everyone's moved to Ivy Bridge and has an
> >unprivileged instruction to hand out entropy.
On Fri, 1 Feb 2013, Matthew Garrett wrote:
other than providing other sources of entropy, and long-term this is
going to be fixed once everyone's moved to Ivy Bridge and has an
unprivileged instruction to hand out entropy.
uhm I know intel really wants us to use it directly and trust them, but
On Fri, 1 Feb 2013, Bill Nottingham wrote:
VirtIO RNG (random number generator) is a paravirtualized device that is
exposed as a hardware RNG device to the guest. Virtio RNG just appears as a
regular hardware RNG to the guest, which the kernel reads from to fill its
entropy pool. This effectivel
On Fri, Feb 1, 2013 at 10:39 PM, Bill Nottingham wrote:
> Given FIPS paranoia about RNG sources, does this have knock-on effects in
> the FIPS compliance of guests depending on how it's fed in the host?
(Hoping for an answer from someone who has actually fully analyzed the
FIPS RNG situation and
On 1 February 2013 16:40, Matthew Garrett wrote:
> On Fri, Feb 01, 2013 at 04:39:17PM -0500, Bill Nottingham wrote:
>> Given FIPS paranoia about RNG sources, does this have knock-on effects in
>> the FIPS compliance of guests depending on how it's fed in the host?
>
> I'm not convinced that you c
On Fri, Feb 01, 2013 at 04:39:17PM -0500, Bill Nottingham wrote:
> What exactly feeds /dev/random in the guest in the cases where this doesn't
> exist, and how do we cope with this obviously making /dev/random exhaustion
> in the host much more likely? (Other than assume that a HW RNG is in the
>
Jaroslav Reznik (jrez...@redhat.com) said:
> Feature owner(s): Cole Robinson , Amit Shah
>
>
> Provide a paravirtual random number generator to virtual machines, to prevent
> entropy starvation in guests.
>
> == Detailed description ==
> The Linux kernel collects entropy from various non-de
= Features/Virtio RNG =
https://fedoraproject.org/wiki/Features/Virtio_RNG
Feature owner(s): Cole Robinson , Amit Shah
Provide a paravirtual random number generator to virtual machines, to prevent
entropy starvation in guests.
== Detailed description ==
The Linux kernel collects entropy fro