Re: nothing contributing entropy in Xen domUs? or dom0!!!
On Wed, 31 Mar 2021, Greg A. Woods wrote:

> Yes I did change that as well (as /var isn't part of the root partition).

I see. How did you change it? Because in 9.99 some things have changed:

  rndseed=/var/db/entropy-file

on a line of its own no longer works. You have to attach it to a menu= line:

  menu=Boot normally:rndseed /var/db/entropy-file;boot

The same with some other directives like `gop='.

> /etc/rc.d/random_seed will do this (again) later anyway.

Yes.

> I know how to seed it -- but that's not the problem -- the hardware
> should be providing plenty of entropy.

As riastradh@ mentioned, in 9.99 only true HWRNGs like RDSEED/RDRAND will be used. Other, estimated, sources are no longer "counted". mrg@ says your CPU doesn't have the necessary instructions, so that means no RNs for you (on 9.99) ;).

  cpuctl identify 0

should tell you if your CPU has RDSEED/RDRAND.

-RVP
Re: nothing contributing entropy in Xen domUs? or dom0!!!
On Wed, 31 Mar 2021, Greg A. Woods wrote:

> collect and "estimate" _and_ despite the fact there's a valid-looking
> $random_file that was saved and reloaded by /etc/rc.d/random_seed (and
> saved again every day by /etc/security):
>
> # ls -l /etc/entropy-file
> -rw-------  1 root  wheel  536 Mar 31 04:15 /etc/entropy-file
> # rndctl -l
> Source                 Bits Type      Flags
> /dev/random               0 ???       estimate, collect, v
> seed                      0 ???       estimate, collect, v

Does this /etc/entropy-file match what's there in your /boot.cfg?

On my laptop $random_file is left at the default which is: /var/db/entropy-file

The kernel loads this file as directed by /boot.cfg:

  $ cat /boot.cfg
  menu=Boot normally:rndseed /var/db/entropy-file;boot
  menu=Boot single user:rndseed /var/db/entropy-file;boot -s
  menu=Drop to boot prompt:prompt
  default=1
  timeout=5
  clear=1
  $ fgrep seed /var/run/dmesg.boot
  entropy: entering seed from bootloader with 256 bits of entropy
  $

You can see this as `seed':

  $ sudo rndctl -l | egrep 'Source|/random|seed'
  Source                 Bits Type      Flags
  /dev/random               0 ???       estimate, collect, v
  seed                    256 ???       estimate, collect, v
  $

And after running a script to feed true RNs into /dev/random, that, too, is seeded:

  $ rndseed.sh
  $ sudo rndctl -l | egrep 'Source|/random|seed'
  Source                 Bits Type      Flags
  /dev/random            1024 ???       estimate, collect, v
  seed                    256 ???       estimate, collect, v
  $
  $ cat ~/bin/rndseed.sh
  #!/bin/sh
  set -eu
  sudo -v
  curl -G -s -S -d nbytes=128 -d fmt=bin \
      -d apikey=HB16tJ1vyL8SG3BGaN0bFXG6znB \
      https://www.fourmilab.ch/cgi-bin/Hotbits.api | sudo dd of=/dev/random msgfmt=quiet
  if [ $(expr $(uname -r) : '\([0-9.][0-9.]*\)') != 9.1 ]
  then
      sudo sysctl -w kern.entropy.consolidate=1
  fi
  $

Hope that helps.

-RVP

PS. Generate an API key here: https://fourmilab.ch/hotbits/
Re: nothing contributing entropy in Xen domUs? or dom0!!!
On Thu, Apr 01, 2021 at 04:13:59AM +0000, RVP wrote:
> [...]
>
> Does this /etc/entropy-file match what's there in your /boot.cfg?

Irrelevant for Xen, as Xen uses the multiboot protocol.

--
Manuel Bouyer
NetBSD: 26 years of experience will always make the difference
--
re: nothing contributing entropy in Xen domUs? or dom0!!!
> In this particular example server it's in a Dell R510 with a pair of
> 6-core E5645 CPUs that "cpuid" shows the following for (in the dom0):

this is a westmere-ep CPU, which does not support rdseed or rdrand. rdrand appeared in ivybridge (2 generations later, with sandybridge in the middle.)
Re: nothing contributing entropy in Xen domUs? or dom0!!!
At Thu, 1 Apr 2021 04:13:59 +0000 (UTC), RVP wrote:
Subject: Re: nothing contributing entropy in Xen domUs? or dom0!!!
>
> Does this /etc/entropy-file match what's there in your /boot.cfg?
>
> On my laptop $random_file is left at the default which is:
> /var/db/entropy-file

Yes I did change that as well (as /var isn't part of the root partition).

However that's not the problem for the dom0. "rndseed" isn't currently used (at least not by me or any documentation I'm aware of) when loading (multibooting) a Xen kernel and a NetBSD dom0 kernel. /etc/rc.d/random_seed will do this (again) later anyway.

However since as I showed the hardware doesn't seem to be providing entropy that can be "counted" ("estimated"), there's nothing to save, and so nothing to load on the next boot either.

I know how to seed it -- but that's not the problem -- the hardware should be providing plenty of entropy.

--
Greg A. Woods
Kelowna, BC  +1 250 762-7675  RoboHack
Planix, Inc.  Avoncote Farms
Re: nothing contributing entropy in Xen domUs? or dom0!!!
At Wed, 31 Mar 2021 21:58:48 -0400, Thor Lancelot Simon wrote:
Subject: Re: nothing contributing entropy in Xen domUs? (causing python3.7 rebuild to get stuck in kernel in "entropy" during an "import" statement)
>
> On Wed, Mar 31, 2021 at 11:24:07AM +0200, Manuel Bouyer wrote:
> > On Tue, Mar 30, 2021 at 10:42:53PM +0000, Taylor R Campbell wrote:
> > >
> > > There are no virtual RNG devices on the system in question, according
> > > to the quoted `rndctl -l' output. Perhaps the VM host needs to be
> > > taught to expose a virtio-rng device to the guest?
> >
> > There is no such thing in Xen.
>
> Is the CPU so old that it doesn't have RDRAND / RDSEED, or is Xen perhaps
> masking these CPU features from the guest?

So I don't quite know how to tell for sure (because "cpuid", for one, doesn't even seem to include strings within it to report either of those features, and because figuring it out from the magic names given in places like Wikipedia is too hard), but in theory my CPU is very much new enough to have at least one of those features.
In this particular example server it's in a Dell R510 with a pair of 6-core E5645 CPUs that "cpuid" shows the following for (in the dom0):

  # cpuid
  eax in   eax      ebx      ecx      edx
  000b 756e6547 6c65746e 49656e69 0001 000206c2 20200800 029ee3ff bfebfbff
  0002 55035a01 00f0b2ff 00ca 0003 0004 3c004121 01c0003f 003f 0005 0040 0040
  0003 1120 0006 0007 0002 0001 0007 0008 0009 000a 07300403 0004 0603 000b
  0001 0002 0100 0020 8000 8008 8001 0001 2c100800 8002 65746e49 2952286c
  6f655820 2952286e 8003 55504320 20202020 20202020 45202020 8004 35343635
  20402020 30342e32 007a4847 8005 8006 01006040 8007 0100 8008 3028
  Vendor ID: "GenuineIntel"; CPUID level 11
  Intel-specific functions:
  Version 000206c2:
  Type 0 - Original OEM
  Family 6 - Pentium Pro
  Model 12 -
  Stepping 2
  Reserved 8
  Extended brand string: "Intel(R) Xeon(R) CPU E5645 @ 2.40GHz"
  CLFLUSH instruction cache line size: 8
  Initial APIC ID: 32
  Hyper threading siblings: 32
  Feature flags bfebfbff:
  FPU     Floating Point Unit
  VME     Virtual 8086 Mode Enhancements
  DE      Debugging Extensions
  PSE     Page Size Extensions
  TSC     Time Stamp Counter
  MSR     Model Specific Registers
  PAE     Physical Address Extension
  MCE     Machine Check Exception
  CX8     COMPXCHG8B Instruction
  APIC    On-chip Advanced Programmable Interrupt Controller present and enabled
  SEP     Fast System Call
  MTRR    Memory Type Range Registers
  PGE     PTE Global Flag
  MCA     Machine Check Architecture
  CMOV    Conditional Move and Compare Instructions
  FGPAT   Page Attribute Table
  PSE-36  36-bit Page Size Extension
  CLFSH   CFLUSH instruction
  DS      Debug store
  ACPI    Thermal Monitor and Clock Ctrl
  MMX     MMX instruction set
  FXSR    Fast FP/MMX Streaming SIMD Extensions save/restore
  SSE     Streaming SIMD Extensions instruction set
  SSE2    SSE2 extensions
  SS      Self Snoop
  HT      Hyper Threading
  TM      Thermal monitor
  31      reserved
  TLB and cache info:
  5a: unknown TLB/cache descriptor
  03: Data TLB: 4KB pages, 4-way set assoc, 64 entries
  55: unknown TLB/cache descriptor
  ff: unknown TLB/cache descriptor
  b2: unknown TLB/cache descriptor
  f0: unknown TLB/cache descriptor
  ca: unknown TLB/cache descriptor
  Processor serial: 0002-06C2----

Xen does indeed hide features in the vcpu it presents to a PV domU:

  $ cpuid
  eax in   eax      ebx      ecx      edx
  000b 756e6547 6c65746e 49656e69 0001 000206c2 22200800 02982203 1fc9cbf5
  0002 55035a01 00f0b2ff 00ca 0003 0004 3c004121 01c0003f 003f 0005 0040 0040
  0003 1120 0006 0007 0002 0001 0007 0008 0009 000a 07300403 0004 0603 000b
  0001 0002 0100 0022 8000 8008 8001 0001 20100800 8002 65746e49 2952286c
  6f655820 2952286e 8003 55504320 20202020 20202020 45202020 8004 35343635
  20402020 30342e32 007a4847 8005 8006 01006040 8007 0100 8008 3028
  Vendor ID: "GenuineIntel"; CPUID level 11
  Intel-specific functions:
  Version 000206c2:
  Type 0 - Original OEM
  Family 6 - Pentium Pro
  Model 12 -
  Stepping 2
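As an added example (not code from anyone in this thread), a small C program that answers Thor's question directly from the cpuid registers: it decodes the RDRAND bit (leaf 1 ECX bit 30) and the RDSEED bit (leaf 7 EBX bit 18) as documented in the Intel SDM, and diffs the leaf-1 EDX values from the two dumps above to list which features Xen masks from the PV domU. The leaf-1 constants are copied from the dom0 and domU dumps; bit 31 of EDX is named PBE per the SDM, which the cpuid tool above prints as "reserved"; the live query via <cpuid.h> is only compiled on x86.

```c
#include <stdint.h>
#include <stdio.h>
#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#endif
/* Intel SDM: leaf 1 ECX bit 30 reports RDRAND; leaf 7 subleaf 0 EBX bit 18 reports RDSEED. */
#define LEAF1_ECX_RDRAND (1u << 30)
#define LEAF7_EBX_RDSEED (1u << 18)

int has_rdrand(uint32_t leaf1_ecx) { return (leaf1_ecx & LEAF1_ECX_RDRAND) != 0; }
int has_rdseed(uint32_t leaf7_ebx) { return (leaf7_ebx & LEAF7_EBX_RDSEED) != 0; }

/* Bits set in the dom0's register but clear in the domU's: what the hypervisor masks. */
uint32_t masked_bits(uint32_t host, uint32_t guest) { return host & ~guest; }

/* SDM names for the leaf-1 EDX bits that differ between the two dumps (bit 31 = PBE). */
static const char *edx_bit_name(int bit) {
    switch (bit) {
    case 1: return "VME";  case 3: return "PSE";     case 12: return "MTRR";
    case 13: return "PGE"; case 17: return "PSE-36"; case 21: return "DS";
    case 29: return "TM";  case 31: return "PBE";
    default: return "bit";
    }
}

/* Read leaf 1 ECX and leaf 7 EBX from the running CPU; returns 0 when not built for x86. */
int query_cpuid(uint32_t *leaf1_ecx, uint32_t *leaf7_ebx) {
#if defined(__x86_64__) || defined(__i386__)
    unsigned a, b, c, d;
    if (!__get_cpuid(1, &a, &b, &c, &d)) return 0;
    *leaf1_ecx = c;
    *leaf7_ebx = 0;
    if (__get_cpuid_max(0, 0) >= 7) { __cpuid_count(7, 0, a, b, c, d); *leaf7_ebx = b; }
    return 1;
#else
    (void)leaf1_ecx; (void)leaf7_ebx;
    return 0;
#endif
}

int main(void) {
    /* Leaf-1 ECX/EDX values copied from the dom0 and PV domU cpuid dumps above. */
    uint32_t dom0_ecx = 0x029ee3ffu, domu_ecx = 0x02982203u;
    uint32_t dom0_edx = 0xbfebfbffu, domu_edx = 0x1fc9cbf5u, hidden = masked_bits(dom0_edx, domu_edx);
    printf("dom0 RDRAND=%d  domU RDRAND=%d\nleaf-1 EDX bits hidden from the domU:", has_rdrand(dom0_ecx), has_rdrand(domu_ecx));
    for (int bit = 0; bit < 32; bit++)
        if (hidden & (1u << bit)) printf(" %s(%d)", edx_bit_name(bit), bit);
    uint32_t ecx1, ebx7;
    if (query_cpuid(&ecx1, &ebx7)) printf("\nthis CPU: RDRAND=%d RDSEED=%d", has_rdrand(ecx1), has_rdseed(ebx7));
    printf("\n");
    return 0;
}
```

On the E5645 both dumps report RDRAND clear, matching mrg@'s Westmere-EP observation, while the EDX diff shows the PV domU losing VME, PSE, MTRR, PGE, PSE-36, DS, TM and PBE.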