[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] PV random device

  • To: Sarah Newman <srn@xxxxxxxxx>
  • From: Andy Smith <andy@xxxxxxxxxxxxxx>
  • Date: Tue, 6 Oct 2015 03:35:21 +0000
  • Cc: xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxxx>
  • Delivery-date: Tue, 06 Oct 2015 03:35:53 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xen.org>
  • Openpgp: id=BF15490B; url=http://strugglers.net/~andy/pubkey.asc
Hi,

On Mon, Oct 05, 2015 at 06:33:49PM -0700, Sarah Newman wrote:
> We would like to use something like virtio-rng 
> http://wiki.qemu-project.org/Features-Done/VirtIORNG with PVM domUs and since 
> the wiki page on virtio
> http://wiki.xen.org/wiki/Virtio_On_Xen says the wiki page is out of date, 
> what is the current status?

I'm sorry, I do not know the answer to your question, but while the
subject of virtio-rng has been brought up I wanted to mention
something related.

As you're no doubt aware, domUs being starved of entropy can be a
problem when they are doing crypto-intensive things like HTTPS,
VPNs, PGP and so on. The blocking nature of /dev/random can cause
performance problems.

So, I've been keeping (PV) domUs topped up with entropy by giving
them access to hardware RNGs (initially Entropy Keys, but since the
company making them failed I've switched to OneRNGs).

However, a lot of smart people tell me I'm doing this wrong:

    http://www.2uo.de/myths-about-urandom/

Basically they tell me to just make everything use /dev/urandom
instead. The above article suggests that the only time /dev/random
is better than urandom is on Linux boot when it needs to seed the
PRNG.

That said, I'm still left with a lot of software that wants to use
/dev/random and can't be told to do otherwise. Symlinking random to
urandom seems like a rather excessive thing to suggest people do
(domU admins are my customers).

It may just be the path of least resistance for me to continue
telling my customers to point their stuff at my hardware RNGs even
if it is the wrong solution. And then hopefully switch to using
virtio-rng so my customers need not know about the hardware RNGs.

But doing the technically wrong thing hurts my sensibilities a bit.

Has anyone got any thoughts on that?

Cheers,
Andy

-- 
> The optimum programming team size is 1.
Has Jurassic Park taught us nothing?
 â pfilandr

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.