From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from us-smtp-delivery-1.mimecast.com (us-smtp-delivery-1.mimecast.com [205.139.110.61]) by mx.groups.io with SMTP id smtpd.web09.4287.1573134862818492442 for ; Thu, 07 Nov 2019 05:54:23 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=Qo00Z5Np; spf=pass (domain: redhat.com, ip: 205.139.110.61, mailfrom: berrange@redhat.com) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1573134861; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=ZAPXLzu/WWGlIR7eYqolsYiUpc16e9PqSb22Q2rDzRc=; b=Qo00Z5Np/iiERxd1MOpTCCx4rG1PZD/i+zWmQ2TgIqhbplLMIcNUBsafVEvHGGi2298mgU xV6aYJ3rGs5W2Yn0wj2IkQhAPZhVj2Xi/aQv6Jo6h/CQDNVgTjsl42WifhUWL/DGB9aW18 XeyXpmjAMwom03PFSwAxrmzDlvE0vGw= Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-304-VPWNaCA6My-XFr4xbFDCOQ-1; Thu, 07 Nov 2019 08:54:17 -0500 Received: from smtp.corp.redhat.com (int-mx03.intmail.prod.int.phx2.redhat.com [10.5.11.13]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx01.redhat.com (Postfix) with ESMTPS id 70F6C102; Thu, 7 Nov 2019 13:54:16 +0000 (UTC) Received: from redhat.com (unknown [10.42.16.105]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 7D0F0608B2; Thu, 7 Nov 2019 13:54:07 +0000 (UTC) Date: Thu, 7 Nov 2019 13:54:05 +0000 From: Daniel =?utf-8?B?UC4gQmVycmFuZ8Op?= To: Laszlo Ersek Cc: Paolo Bonzini , qemu devel list , Ard Biesheuvel , Jian J Wang , edk2-devel-groups-io , Bret Barkelew , Erik Bjorge , Sean Brogan , Philippe =?utf-8?Q?Mathieu-Daud=C3=A9?= Subject: Re: privileged entropy sources in QEMU/KVM guests Message-ID: <20191107135405.GF120292@redhat.com> Reply-To: Daniel =?utf-8?B?UC4gQmVycmFuZ8Op?= References: <03e769cf-a5ad-99ce-cd28-690e0a72a310@redhat.com> <20191107115203.GD120292@redhat.com> <31917972-da28-8e0d-432d-1cb7607ff3e7@redhat.com> MIME-Version: 1.0 In-Reply-To: User-Agent: Mutt/1.12.1 (2019-06-15) X-Scanned-By: MIMEDefang 2.79 on 10.5.11.13 X-MC-Unique: VPWNaCA6My-XFr4xbFDCOQ-1 X-Mimecast-Spam-Score: 0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable Content-Disposition: inline On Thu, Nov 07, 2019 at 02:44:11PM +0100, Laszlo Ersek wrote: > On 11/07/19 13:47, Paolo Bonzini wrote: > > On 07/11/19 12:52, Daniel P. Berrang=C3=A9 wrote: > >> > >> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/com= mit/?id=3Dbb5530e4082446aac3a3d69780cd4dbfa4520013 > >> > >> Is it practical to provide a jitter entropy source for EDK2 > >> too ? > >=20 > > The hard part is not collecting jitter (though the firmware might be to= o > > deterministic for that), but rather turning it into a random number see= d > > (mixing data from various sources, crediting entropy, etc.). >=20 > If there is *any* entropy source that (a) we can trust to be random > enough and (b) depends only on the CPU, then we shouldn't struggle with > virtio-rng (or similar devices) at all. RDRAND would be a no-brainer, > but the "community literature" suggests it should not be trusted in itsel= f. >=20 > I've read the commit message linked above, and it appears too good to be > true. >=20 > The CPU Jitter RNG provides a source of good entropy by collecting > CPU executing time jitter. [...] The RNG does not have any > dependencies on any other service in the kernel. The RNG only needs > a high-resolution time stamp. [...] >=20 > http://www.chronox.de/jent.html >=20 > The CPU Jitter Random Number Generator provides a non-physical true > random number generator that works equally in kernel and user land. > The only prerequisite is the availability of a high-resolution timer > that is available in modern CPUs. >=20 > http://www.chronox.de/jent/doc/CPU-Jitter-NPTRNG.html >=20 > Today=E2=80=99s operating systems provide non-physical true random nu= mber > generators which are based on hardware events. With the advent of > virtualization and the ever growing need of more high-quality random > numbers, these random number generators reach their limits. > Additional sources of entropy must be opened up. This document > introduces an entropy source based on CPU execution time jitter. The > design and implementation of a non-physical true random number > generator, the CPU Jitter random number generator, its statistical > properties and the maintenance and behavior of entropy is discussed > in this document. >=20 > If this construct is legit, a core edk2 implementation (available to all > platforms, and on all edk2 arches) would be a huge win. >=20 > On the other hand, we're having this discussion because the premise of > TianoCore#1871 is that we shouldn't rely on just the CPU and a high > resolution timer... I simply cannot decide if this construct is > trustworthy. (With any solution that was based in the host's /dev/random > or /dev/urandom, the trustworthiness question would be side-stepped in > the firmware.) I can't claim to have knowledge of whether the above text is accurate or not, instead I just defer to the Linux maintainers recommendatiohns. They've considered it acceptable to merge it into Linux, and to me that says it should be acceptable to have in EDK2 too. As a second data point, jitter entropy has been the recommended solution in RHEL for VMs where there's no RDRAND or virtio-rng available. In RHEL-7 this was implemented in userspace in rng-tools rather than with the kernel module I link above, but the approach is the same in both cases IIUC. Regards, Daniel --=20 |: https://berrange.com -o- https://www.flickr.com/photos/dberrange= :| |: https://libvirt.org -o- https://fstop138.berrange.com= :| |: https://entangle-photo.org -o- https://www.instagram.com/dberrange= :|