From mboxrd@z Thu Jan 1 00:00:00 1970 From: ludo@gnu.org (Ludovic =?utf-8?Q?Court=C3=A8s?=) Subject: Re: Seeding the Linux RNG at first boot Date: Thu, 07 Dec 2017 22:07:38 +0100 Message-ID: <87indickmd.fsf@gnu.org> References: <20171203003126.GA353@jasmine.lan> <20171204184558.GF30970@jasmine.lan> <87wp20ydlj.fsf@fastmail.com> <20171206182711.GB2612@jasmine.lan> Mime-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable Return-path: Received: from eggs.gnu.org ([2001:4830:134:3::10]:38139) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1eN3OU-0001mL-TD for guix-devel@gnu.org; Thu, 07 Dec 2017 16:07:47 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1eN3OR-0006Ya-MH for guix-devel@gnu.org; Thu, 07 Dec 2017 16:07:46 -0500 Received: from hera.aquilenet.fr ([141.255.128.1]:36339) by eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1eN3OR-0006Xq-GG for guix-devel@gnu.org; Thu, 07 Dec 2017 16:07:43 -0500 In-Reply-To: <20171206182711.GB2612@jasmine.lan> (Leo Famulari's message of "Wed, 6 Dec 2017 13:27:11 -0500") List-Id: "Development of GNU Guix and the GNU System distribution." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org Sender: "Guix-devel" To: Leo Famulari Cc: guix-devel@gnu.org Leo Famulari skribis: > On Wed, Dec 06, 2017 at 12:11:36AM +0100, Marius Bakke wrote: >> FWIW if you control the hypervisor, you can send something along the >> lines of: >>=20 >> qemu -device virtio-rng-pci,bus=3Dpci.0,addr=3D0x1e,max-bytes=3D1024,per= iod=3D1000 >>=20 >> to feed the guest with entropy from the host through virtio, up to 1kB/s. > > Exactly, this is along the lines of what I'm thinking for `guix system > vm`. > > On the guest side, we would extend urandom-seed-service to also draw on > /dev/hwrng, which is where virtio-rng-pci makes the data from the host > available. Maybe =E2=80=98virtualized-operating-system=E2=80=99 in (gnu system vm) cou= ld automatically customize =E2=80=98rngd-service-type=E2=80=99 (or add it)? > Currently there is the rngd-service-type, but that is doing something > slightly different. Using /dev/hwrng to seed urandom could be done > whenever it's enabled in the kernel. > > I have an idea for another improvement: to add an argument like > "--entropy-seed=3D" to `guix system` that could place the value in > '/var/lib/random-seed', where it would be used on first boot. We could do that, though I very much prefer the idea of a =E2=80=9Cbackdoor= =E2=80=9D =C3=A0 la virtio-rng-pci, because it allows to stick to bit-reproducible images (well, they=E2=80=99re not bit-reproducible yet I suppose, but let=E2=80=99= s not add to it.) WDYT? Ludo=E2=80=99.