From: Leo Famulari
Subject: Seeding the Linux RNG at first boot
Date: Wed, 6 Dec 2017 13:27:11 -0500
To: guix-devel@gnu.org

On Wed, Dec 06, 2017 at 12:11:36AM +0100, Marius Bakke wrote:
> FWIW if you control the hypervisor, you can send something along the
> lines of:
>
> qemu -device virtio-rng-pci,bus=pci.0,addr=0x1e,max-bytes=1024,period=1000
>
> to feed the guest with entropy from the host through virtio, up to 1kB/s.

Exactly, this is along the lines of what I'm thinking for `guix system
vm`.

On the guest side, we would extend urandom-seed-service to also draw on
/dev/hwrng, which is where virtio-rng-pci makes the data from the host
available. Currently there is the rngd-service-type, but that is doing
something slightly different.

Using /dev/hwrng to seed urandom could be done whenever it's enabled in
the kernel.

I have an idea for another improvement: to add an argument like
"--entropy-seed=" to `guix system` that could place the value in
'/var/lib/random-seed', where it would be used on first boot.

Thoughts?
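
A sketch of the guest-side seeding discussed in this message, added here as an example; it is not code from Guix or from the author. The function name `seed_rng` and its three parameters are hypothetical, and the default paths are the ones named in the message.

```shell
#!/bin/sh
# Added example: boot-time seeding sketch. Paths are parameters so the
# logic can be exercised against ordinary files; the defaults are the
# paths named in the message.
# Usage: seed_rng [SEED_FILE] [HWRNG_DEV] [POOL_DEV]
# Prints the sources that were mixed in, one per line.
seed_rng() {
    seed_file=${1:-/var/lib/random-seed}
    hwrng=${2:-/dev/hwrng}
    pool=${3:-/dev/urandom}
    old_umask=$(umask)
    umask 077                      # seed material must not be world-readable

    # 1. Saved (or image-provided) seed. Writing to the pool mixes the
    #    bytes in but does not credit entropy; that needs RNDADDENTROPY.
    if [ -r "$seed_file" ] && [ -s "$seed_file" ]; then
        cat "$seed_file" >> "$pool"
        echo seed-file
    fi

    # 2. Hardware/virtio RNG, only if it is a readable character device
    #    that actually returns data (reads fail when no backend is bound).
    if [ -c "$hwrng" ] && [ -r "$hwrng" ]; then
        buf=$(mktemp)
        if dd if="$hwrng" of="$buf" bs=512 count=1 2>/dev/null && [ -s "$buf" ]; then
            cat "$buf" >> "$pool"
            echo hwrng
        fi
        rm -f "$buf"
    fi

    # 3. Replace the seed so the same bytes are never used on two boots.
    #    This matters most for a seed baked into an image, which every
    #    machine started from that image would otherwise share.
    new=$(mktemp "${seed_file}.XXXXXX")
    dd if="$pool" of="$new" bs=512 count=1 2>/dev/null
    mv -f "$new" "$seed_file"
    umask "$old_umask"
}
```

A seed supplied at image-build time is only as secret as the image itself, so the replacement in step 3 should happen before anything on first boot generates long-lived keys.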