Rusty Russell wrote:
>> Uhm, no. It's not. Unless the host provides actual entropy
>> information, you have a security hole.
>
> Huh? We just can't assume it adds entropy. AFAICT rngd -H0 is what we want
> here.
We can, if it comes from /dev/random.
>>> If we use /dev/random in the host, we risk a DoS. But since /dev/random
>>> is 0666 on my system, perhaps noone actually cares?
>> There is no point in feeding the host /dev/urandom to the guest (except
>> for seeding, which can be handled through other means); it will do its
>> own mixing anyway.
>
> Seeding is good, but unlikely to be done properly for first boot of some
> standard virtualized container. In practice, feeding /dev/urandom from the
> host will make /dev/urandom harder to predict in the guest.
Only up to a point.
>> The reason to provide anything at all from the host
>> is to give it "golden" entropy bits.
>
> But you did not address the DoS question: can we ignore it? Or are we
> trading
> off a DoS in the host against a potential security weakness in the guest?
>
> If so, how do we resolve it?
I don't think you have a DoS situation at all. The worst thing is that
you don't have any entropy available at all, at which point /dev/urandom
is as insecure as it ever is.
-hpa
_______________________________________________
Virtualization mailing list
[email protected]
https://lists.linux-foundation.org/mailman/listinfo/virtualization
