From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from us-smtp-1.mimecast.com (us-smtp-1.mimecast.com [207.211.31.120])
 by mx.groups.io with SMTP id smtpd.web12.2995.1573127723517395994
 for <devel@edk2.groups.io>;
 Thu, 07 Nov 2019 03:55:23 -0800
Authentication-Results: mx.groups.io;
 dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=i1RrMeXp;
 spf=pass (domain: redhat.com, ip: 207.211.31.120, mailfrom: berrange@redhat.com)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;
	s=mimecast20190719; t=1573127722;
	h=from:from:reply-to:reply-to:subject:subject:date:date:
	 message-id:message-id:to:to:cc:cc:mime-version:mime-version:
	 content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding:
	 in-reply-to:in-reply-to:references:references;
	bh=vjUfooQ1zgPwNeyYzWGH1a+y3ijXA4LLBofNQ+WbySk=;
	b=i1RrMeXpUm/dY211vi7TqrMHIGhzLLu2Rx2g+0imf1E9G8qdB/T/AQn+2SrBsygornW8Z+
	iN9pzMvWSocFgSj8Wny+rtDE4zh0/rPv7HDZJljQ8uIagN5IdrKUnVMNXbw30wUJWiz8C/
	LtVb8wsJfOo9Ei6i8CvfeUsk2ZQbhJ8=
Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com
 [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id
 us-mta-5-_9oDHGmaM9S8Zez5XTEvyw-1; Thu, 07 Nov 2019 06:55:18 -0500
Received: from smtp.corp.redhat.com (int-mx07.intmail.prod.int.phx2.redhat.com [10.5.11.22])
	(using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by mimecast-mx01.redhat.com (Postfix) with ESMTPS id B18891800D6B;
	Thu,  7 Nov 2019 11:55:17 +0000 (UTC)
Received: from redhat.com (unknown [10.42.16.105])
	by smtp.corp.redhat.com (Postfix) with ESMTPS id 8B4951001B35;
	Thu,  7 Nov 2019 11:55:13 +0000 (UTC)
Date: Thu, 7 Nov 2019 11:55:11 +0000
From: Daniel =?utf-8?B?UC4gQmVycmFuZ8Op?= <berrange@redhat.com>
To: Paolo Bonzini <pbonzini@redhat.com>
Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>,
	Laszlo Ersek <lersek@redhat.com>,
	Jian J Wang <jian.j.wang@intel.com>,
	edk2-devel-groups-io <devel@edk2.groups.io>,
	Bret Barkelew <Bret.Barkelew@microsoft.com>,
	qemu devel list <qemu-devel@nongnu.org>,
	Erik Bjorge <erik.c.bjorge@intel.com>,
	Sean Brogan <sean.brogan@microsoft.com>,
	Philippe =?utf-8?Q?Mathieu-Daud=C3=A9?= <philmd@redhat.com>
Subject: Re: privileged entropy sources in QEMU/KVM guests
Message-ID: <20191107115511.GE120292@redhat.com>
Reply-To: Daniel =?utf-8?B?UC4gQmVycmFuZ8Op?= <berrange@redhat.com>
References: <03e769cf-a5ad-99ce-cd28-690e0a72a310@redhat.com>
 <CAKv+Gu8gqfu_mOm2zK64dmj5CkVaPvix3gEMEFQScyk1CnOv6w@mail.gmail.com>
 <ef126cd5-7b64-1b8a-ca74-11bd06b5f4b1@redhat.com>
MIME-Version: 1.0
In-Reply-To: <ef126cd5-7b64-1b8a-ca74-11bd06b5f4b1@redhat.com>
User-Agent: Mutt/1.12.1 (2019-06-15)
X-Scanned-By: MIMEDefang 2.84 on 10.5.11.22
X-MC-Unique: _9oDHGmaM9S8Zez5XTEvyw-1
X-Mimecast-Spam-Score: 0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline

On Thu, Nov 07, 2019 at 12:37:11PM +0100, Paolo Bonzini wrote:
> On 07/11/19 11:25, Ard Biesheuvel wrote:
> >> This looks problematic on QEMU. Entropy is a valuable resource, and
> >> whatever resource SMM drivers depend on, should not be possible for e.=
g.
> >> a 3rd party UEFI driver (or even for the runtime OS) to exhaust.
> >> Therefore, it's not *only* the case that SMM drivers must not consume
> >> EFI_RNG_PROTOCOL (which exists at a less critical privilege level, i.e=
.
> >> outside of SMM/SMRAM), but also that SMM drivers must not depend on th=
e
> >> same piece of *hardware* that feeds EFI_RNG_PROTOCOL.
> >>
> > The typical model is to seed a DRBG [deterministic pseudorandom
> > sequence generator] using a sufficient amount of high quality entropy.
> > Once you have done that, it is rather hard to exhaust a DRBG - it is a
> > mathematical construction that is designed to last for a long time (<=
=3D
> > 2^48 invocations [not bytes] according to the NIST spec), after which
> > it does not degrade although it may have generated so much output that
> > its internal state may be inferred if you have captured enough of it
> > (which is a rather theoretical issue IMHO)
> >=20
> > The problem is that using the output of a DRBG as a seed is
> > non-trivial - the spec describes ways to do this, but wiring
> > virtio-rng to a DRBG in the host and using its output to seed a DRBG
> > in the guest is slighly problematic.
> >=20
> > So it seems to me that the correct way to model this is to make the
> > host's true entropy source a shared resource like any other.
> >=20
>=20
> Yes, I would make SMM use a cryptographic pseudo-random number generator=
=20
> and seed it from virtio-rng from DXE, way before the OS starts and can=20
> "attack" it.
>=20
> Once you've gotten a seed, you can create a CSPRNG with a stream cipher=
=20
> such as ChaCha20, which is literally 30 lines of code.

If all we need is a one-time seed then virtio-rng is possibly overkill as
that provides a continuous stream. Instead could QEMU read a few bytes
from the host's /dev/urandom and pass it to EDK via fw_cfg, which can
use it for the CSPRNG seed. EDK would have to erase the fw_cfg field
to prevent the seed value leaking to the guest OS, but other than that
its quite straightforward.

Regards,
Daniel
--=20
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange=
 :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com=
 :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange=
 :|