On 10/05/2015 10:18 PM, Andy Smith wrote:

> But again as I say, that article I posted earlier contains a bunch
> of smart crypto people saying that all of this is unnecessary. So
> should we be enabling it?

Even if only urandom is considered necessary, how is the initial seed for 
urandom being generated and securely provided (if externally generated) to
the guest?

Ubuntu has a client/server "entropy as a service", pollen
(https://github.com/dustinkirkland/pollen) and pollinate
(https://github.com/dustinkirkland/pollinate), which writes to /dev/urandom at
boot. To the best of my knowledge a total of zero non-Ubuntu-derived
distributions have adopted it, though I can't comment on why.

MirageOS has come up with https://github.com/mirage/xentropyd and
https://github.com/mirage/mirage-entropy, which appear to be a layer on top of
channels (http://xenbits.xen.org/gitweb/?p=xen.git;a=blob;f=docs/misc/channel.txt).
I don't know if this is the preferred implementation method. I also
haven't found a front-end implementation other than in MirageOS.

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel
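The message above raises how an externally generated seed gets into the
guest and mentions that pollinate writes it to /dev/urandom at boot. A
detail worth seeing in code is that a plain write to /dev/urandom only mixes
the bytes into the kernel pool; it does not raise the kernel's entropy
estimate. Crediting the seed requires the RNDADDENTROPY ioctl on the random
device (CAP_SYS_ADMIN). The following is an added example, not code from the
thread, from pollinate or from the MirageOS projects: a small guest-side
program that takes a seed file and the number of entropy bits the provider
claims for it, caps the credit at 8 bits per byte, and credits it to the
pool. The seed file path, the command-line arguments, the SEED_MAX limit and
the function names are assumptions for illustration; how the seed reaches
the guest (a channel, cloud-init, or anything else) is out of scope.

```c
/*
 * Added example, not part of the xen-devel thread or of pollinate/MirageOS.
 * Credit an externally supplied seed to the guest kernel's entropy pool.
 *
 * Writing bytes to /dev/urandom mixes them in but does NOT raise the kernel's
 * entropy estimate; RNDADDENTROPY (CAP_SYS_ADMIN) both mixes and credits.
 * Seed path, claimed-bits argument and SEED_MAX are assumptions.
 */
#include <errno.h>
#include <fcntl.h>
#include <linux/random.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ioctl.h>
#include <unistd.h>

#define SEED_MAX 512 /* assumed upper bound; refuse anything larger */

/* Bits to credit for a seed of `len` bytes when the provider claims
 * `claimed_bits`: at most 8 bits per byte, 0 for an empty seed or a
 * non-positive claim, -1 if the seed exceeds SEED_MAX. */
int credit_bits(size_t len, int claimed_bits)
{
    if (len > SEED_MAX)
        return -1;
    if (len == 0 || claimed_bits <= 0)
        return 0;
    size_t cap = len * 8;
    return claimed_bits > (int)cap ? (int)cap : claimed_bits;
}

/* Build the rand_pool_info the ioctl expects: entropy_count is in bits,
 * buf_size in bytes, buf[] holds the seed. Caller frees. NULL on bad input. */
struct rand_pool_info *build_pool_info(const uint8_t *seed, size_t len,
                                       int claimed_bits)
{
    int bits = credit_bits(len, claimed_bits);
    if (bits < 0 || len == 0)
        return NULL;
    size_t words = (len + 3) / 4; /* buf is __u32[]; round up to whole words */
    struct rand_pool_info *info = calloc(1, sizeof(*info) + words * sizeof(__u32));
    if (!info)
        return NULL;
    info->entropy_count = bits;
    info->buf_size = (int)len;
    memcpy(info->buf, seed, len);
    return info;
}

/* Mix `seed` into the kernel pool. credit=0 is the plain write to
 * /dev/urandom (no entropy credit); credit=1 uses RNDADDENTROPY on
 * /dev/random and credits credit_bits(len, claimed_bits). Returns 0 or -errno
 * (-EPERM when the caller lacks CAP_SYS_ADMIN). */
int seed_kernel_pool(const uint8_t *seed, size_t len, int claimed_bits, int credit)
{
    int fd = open(credit ? "/dev/random" : "/dev/urandom", O_WRONLY);
    if (fd < 0)
        return -errno;
    int rc = 0;
    if (!credit) {
        if (write(fd, seed, len) != (ssize_t)len)
            rc = -errno;
    } else {
        struct rand_pool_info *info = build_pool_info(seed, len, claimed_bits);
        if (!info) {
            rc = -EINVAL;
        } else {
            if (ioctl(fd, RNDADDENTROPY, info) < 0)
                rc = -errno;
            memset(info, 0, sizeof(*info) + len); /* best-effort scrub */
            free(info);
        }
    }
    close(fd);
    return rc;
}

int main(int argc, char **argv)
{
    if (argc < 3) {
        fprintf(stderr, "usage: %s <seed-file> <claimed-bits>\n", argv[0]);
        return 2;
    }
    uint8_t seed[SEED_MAX + 1]; /* one extra byte to detect oversize files */
    FILE *f = fopen(argv[1], "rb");
    if (!f) {
        perror("seed file");
        return 1;
    }
    size_t len = fread(seed, 1, sizeof seed, f);
    fclose(f);
    int rc = len > SEED_MAX ? -EINVAL
                            : seed_kernel_pool(seed, len, atoi(argv[2]), 1);
    if (rc)
        fprintf(stderr, "seeding failed: %s\n", strerror(-rc));
    memset(seed, 0, sizeof seed);
    return rc ? 1 : 0;
}
```

Run it as root early in the guest's boot, after the seed has been delivered
but before anything that needs random bytes. The cap of 8 bits per byte is
a ceiling, not an estimate: the claimed bit count should come from whoever
produced the seed, and crediting more than the seed really carries only
makes the kernel's estimate wrong, which is the same trust question the
message asks about the external provider.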