From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) by mx.groups.io with SMTP id smtpd.web09.3536.1573131019432651940 for ; Thu, 07 Nov 2019 04:50:19 -0800 Authentication-Results: mx.groups.io; dkim=missing; spf=pass (domain: redhat.com, ip: 209.132.183.28, mailfrom: pbonzini@redhat.com) Received: from mail-wr1-f70.google.com (mail-wr1-f70.google.com [209.85.221.70]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id CAA8C821D9 for ; Thu, 7 Nov 2019 12:50:18 +0000 (UTC) Received: by mail-wr1-f70.google.com with SMTP id e7so917776wro.22 for ; Thu, 07 Nov 2019 04:50:18 -0800 (PST) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:cc:references:from:openpgp:message-id :date:user-agent:mime-version:in-reply-to:content-language :content-transfer-encoding; bh=kVgfPlYydicQ5SKetqQYPSzgekgXDmG/sapQRF3FzNg=; b=CQuhk8nNvHgP7ILsRkjpJfMa1xtwFmKL33NkMd86NvL0rCsVKKP5W27jAmZh9vb/ke gr7rfifhbONTzC1mPo//l9Mk+yMGMc/rjp1z3R+RYGrZgC7IdsErI8R3PvJBBk90+uFd +LnPPR7Y8j72RQh2yugI+47XWj7t9dZll01PDC7QmBp/ONHuxcrRjmeAf5Kso2ACHiHX 5/g46G40DlMDvd5AsWTzPG6XrSNBOjm46VLeXOuo3ZriukOv1VD+seRDK9MH3OdTr/W1 m94DetZL2GmaePNB0BX+ml0JNNbcXCTF3lVhtHfLIr33kVuVVy8JWIH7Xi4bGPkX7uA8 XT8Q== X-Gm-Message-State: APjAAAUPbOWrqKbP6FoScpC23dHY5Q6WybvVwLuJWCM4TfpYP3UBoSZ/ ZotHYj6Rdf+036hTpyOQBvVMSWMEwvWxxbWme9/g3Qg3OTL+mpdtGP3GZXF9wy3tGbbV+OKZPwK pdMOT7P2lpgP4LQ== X-Received: by 2002:a1c:7304:: with SMTP id d4mr2728947wmb.66.1573131017411; Thu, 07 Nov 2019 04:50:17 -0800 (PST) X-Google-Smtp-Source: APXvYqxhyWwB78qp5lsWDmQDiLnW0yIY6Px1QzD806E1/7D3kYUHxlbzABegfw+R/q7QxQ6MQtW9og== X-Received: by 2002:a1c:7304:: with SMTP id d4mr2728914wmb.66.1573131017117; Thu, 07 Nov 2019 04:50:17 -0800 (PST) Received: from [10.201.49.199] (nat-pool-mxp-u.redhat.com. [149.6.153.187]) by smtp.gmail.com with ESMTPSA id w4sm1890935wmk.29.2019.11.07.04.50.13 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Thu, 07 Nov 2019 04:50:16 -0800 (PST) Subject: Re: privileged entropy sources in QEMU/KVM guests To: =?UTF-8?Q?Daniel_P=2e_Berrang=c3=a9?= Cc: Ard Biesheuvel , Laszlo Ersek , Jian J Wang , edk2-devel-groups-io , Bret Barkelew , qemu devel list , Erik Bjorge , Sean Brogan , =?UTF-8?Q?Philippe_Mathieu-Daud=c3=a9?= References: <03e769cf-a5ad-99ce-cd28-690e0a72a310@redhat.com> <20191107115511.GE120292@redhat.com> From: "Paolo Bonzini" Openpgp: preference=signencrypt Message-ID: <19fc6a42-e773-f8b8-db4a-c8ed853da30c@redhat.com> Date: Thu, 7 Nov 2019 13:50:13 +0100 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.8.0 MIME-Version: 1.0 In-Reply-To: <20191107115511.GE120292@redhat.com> Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: quoted-printable On 07/11/19 12:55, Daniel P. Berrang=C3=A9 wrote: >> Yes, I would make SMM use a cryptographic pseudo-random number generat= or=20 >> and seed it from virtio-rng from DXE, way before the OS starts and can= =20 >> "attack" it. >> >> Once you've gotten a seed, you can create a CSPRNG with a stream ciphe= r=20 >> such as ChaCha20, which is literally 30 lines of code. > If all we need is a one-time seed then virtio-rng is possibly overkill = as > that provides a continuous stream. Instead could QEMU read a few bytes > from the host's /dev/urandom and pass it to EDK via fw_cfg, which can > use it for the CSPRNG seed. EDK would have to erase the fw_cfg field > to prevent the seed value leaking to the guest OS, but other than that > its quite straightforward. That would need anyway a change to the emulated hardware. If the guest is able to use virtio-rng after the firmware exits (which is the case is all the firmware needs is a one-time seed), then using virtio-rng is the simplest alternative as it needs no change at all outside the firmware. Paolo