-
-
Notifications
You must be signed in to change notification settings - Fork 48
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Improve entropy collection in VMs #673
Comments
Comment by joanna on 15 Nov 2012 23:25 UTC
Then, in the VM, there is a code that reads the transmitted bytes and sends them into the kernel's rng using the RNDADDENTROPY IOCTL on /dev/random:
http://www.issihosts.com/haveged/index.html Note 1: haveged is incredibly fast! Just seem to be a bit TOO fast for me... So, I think I would feel better with the option #1 I think... Note 2: Dom0 entropy seems pretty reasonable (thanks to mouse and keyboard!), so it's not unreasonable to share it among all the VMs. But perhaps we could allow to manually exclude some VMs from getting the entropy from Dom0 (e.g. those that are not very sensitive). E.g. I have almost 30 domains on my laptop, while there are maybe 4 only that are used for key generation and those are the only ones that need fresh entropy from Dom0. |
Comment by joanna on 21 Nov 2012 10:25 UTC https://groups.google.com/group/qubes-devel/browse_thread/thread/e7023cca06daa219 |
Modified by joanna on 8 Feb 2013 12:59 UTC |
Modified by joanna on 30 Aug 2013 17:21 UTC |
Modified by joanna on 20 Apr 2014 17:04 UTC |
Comment by joanna on 3 Jul 2014 12:07 UTC |
Comment by marmarek on 4 Jul 2014 02:45 UTC Also - do we want to cover by this fix also updates to template (which would mean hard dependency on haveged from qubes-core-vm)? Or installing it in new templates would be enough (so on R2 ISO)? |
Comment by joanna on 4 Jul 2014 09:37 UTC I agree to closing this ticket with haveged. |
Comment by marmarek on 4 Jul 2014 10:02 UTC |
From https://wiki.archlinux.org/index.php/Haveged#Virtual_Machines
It's not as simple as writing to /dev/random. From man random(4)
Looks like this could be implemented by reading from /dev/random and forwarding that entropy qrexec, ioctl(2), RNDADDENTROPY to VMs. |
Program attached there returns numbers between 10 and 100 (30-50 on my Best Regards, |
Entropy is needed before Please reopen. @andrewdavidwong |
Am Sonntag, 10. Oktober 2021, 03:00:48 CEST schrieb Cliff Maceyak:
Hi Cliff,
> In short: `/dev/random` gives random output directly from hardware.
> `/dev/urandom` gives random output from a crypto algorithm initialized
> and sometimes refreshed with output from `/dev/random`.
[This is wholly inaccurate and not how the Linux kernel CSPRNG
works.](https://www.2uo.de/myths-about-urandom/#structure)
Correct. Both are completely identical with the exception that /dev/random
blocks during boot until the kernel thinks it received 128 bits of entropy.
From that point on there is no difference any more.
Ciao
Stephan
|
Am Sonntag, 10. Oktober 2021, 03:02:55 CEST schrieb Cliff Maceyak:
Hi Cliff,
> This is right. This is why the jitterentropy-rngd (and after I notified
> Neil Hormann from rng-tools) inject data into the kernel after the elapse
> of some time irrespective whether the kernel asks for the data or not.
This doesn't make sense; you don't run out of entropy when you read from the
random pool.
There is no way that the kernel tells you that data has been pulled. Therefore
this strategy of injecting data once in a while is considered appropriate.
Besides, this operation once every 10 minutes is cheap and is not considered
to cause concerns.
Ciao
Stephan
|
If the pool has been initialized you don't need to "inject data"; there is no reason to do this. |
Thanks for the clarification (nice pictures!) - looks like I fell for the myth. Then let me retry my "in short" statement (feel free to correct me again):
Future (kernel 5.6+):
Ironically that makes me conclude to only use For 4.8 - 5.5 it's reasonable to use Btw reseeding may make sense for cloned VM snapshots etc. or if you don't want to 100% trust the initial seed. If you wouldn't need reseeding at all, the whole entropy collection structure would be pointless / only serve to obtain the initial seed. |
Stephan Müller's recent work on LRNG (code not yet(?)* accepted in the kernel tree ... replacing almost everything I thought I knew about randomness in Linux, heh) includes a good write up of his jitter-based entropy source. That write up can be found here: https://www.chronox.de/jent/doc/CPU-Jitter-NPTRNG.pdf . In particular it discusses why this jitter implementation is a valid source in virtual environments. I'd propose utilizing that as a credited entropy source for boot time entropy in VMs, esp. if the CPU HWRND (via RDRAND) is no longer credited by compilation flag (Qubes maintainer decisions) and/or many non-RDRAND systems are experiencing long boot times due to a lack of credited entropy. The credit rate for jitter can be assigned at boot time as per: https://www.chronox.de/lrng/doc/lrng.pdf . There are also power-up noise source tests which are configurable at kernel compile time, which might be useful for Whonix templates, for example. In addition to the new LRNG code availability on recent kernels, backports to many older kernels are available up through the current patchset (v42). B
|
It's not. Developers should be using |
It’s okay to use |
Oh, that's bad. I wish I could help you. Keeping my fingers crossed!
I have access to some not-so-common systems like ARM 64 bit and IBM Power LE. For x86_64, I have access to large (multi-socket, max CPU count) systems. If you happen to need help with testing on any of these, please let me know. Viele Grüße! |
Am Sonntag, 10. Oktober 2021, 22:16:23 CEST schrieb jirka-h:
Hi jirka,
> But upstream does not seem to listen - dead silence for years now. The
> person allegedly "responsible" for it just seems to ignore what I am
> doing. Yet ignoring it does not make things better.
Oh, that's bad. I wish I could help you. Keeping my fingers crossed!
> I am looking for obscure systems: very small scale CPUs for IoTs, SPARC or
> other rare systems. I have coverage for Intel x86 (old and contemporary),
> AMD, ARM 32/64 bit, POWER LE/BE, IBM Z, RISC-V, MIPS.
I have access to some not-so-common systems like ARM 64 bit and IBM Power
LE. For x86_64, I have access to large (multi-socket, max CPU count)
systems. If you happen to need help with testing on any of these, please
let me know.
Thanks a lot. I had access to ARM64 and POWER LE. But I do not have access to
a multi-socket system.
If you would give it a try, that would be great. We can take that offline -
but simply:
1. apply the patch series v42
- enable all options for LRNG
- enable the DRBG (CONFIG_LRNG_DRBG and the KCAPI DRNG
(CONFIG_LRNG_KCAPI) as modules
2. reboot
3. execute the stress test as root: test/swap_stress.sh - there should be no
issue, no BUG/WARN/panic - it is a loop with 5000 iterations
4. Obtain the raw entropy data:
cd test
./getrawentropy -s 1000000 > /dev/shm/lrng_raw_noise.data
5. Send the file to me
If you happen to be fancy and you happen to have another spare cycle, execute
the automated tests. You need the steps outlined in tests/automation/README.md
Thanks a lot!
Stephan
|
Hi Stephen, I have successfully built a kernel with your patch and stored it as rpm. The tests on the single-socket server have passed. I will run the tests on a multi-socket server when there are some spare HW cycles later this week and send it to you via email. Cheers, |
Am Dienstag, 12. Oktober 2021, 10:24:49 CEST schrieb jirka-h:
Hi jirka,
Hi Stephen,
I have successfully built a kernel with your patch and stored it as rpm. The
tests on the single-socket server have passed.
That is great!
I will run the tests on a
multi-socket server when there are some spare HW cycles later this week and
send it to you via email.
Thank you very much.
Cheers,
Jirka
Ciao
Stephan
|
Hi Stephan, what is the expected runtime for
It's running on an old 4 socket (4x_Xeon-E5-4610_v2) server for 6 hours now, and so far, only 200 KiB of data has been collected. It's around 10Bytes per second. I want to make sure if this is expected. I plan to run on more servers, but I want to make sure everything is all right. Thanks! Jirka
|
Am Donnerstag, dem 14.10.2021 um 03:39 -0700 schrieb jirka-h:
Hi Stephan,
what is the expected runtime for
```
./getrawentropy -s 1000000 > /dev/shm/4x_Xeon-E5-4610_v2_lrng_raw_noise.data
```
It's running on an old 4 socket (4x_Xeon-E5-4610_v2) server for 6 hours now,
and so far, only 200 KiB of data has been collected. It's around 10Bytes per
second.
I want to make sure if this is expected. I plan to run on more servers, but
I want to make sure everything is all right.
That is the amount of events trickling in.
If you send, say, a ping flood to it or do another way of causing interrupts
like
dd if=$DISK of=file count=10000 oflag=direct
then you get your results in a few minutes.
Thanks a lot
Stephan
…
Thanks!
Jirka
```
$ cat /proc/lrng_type
DRNG name: ChaCha20 DRNG
Hash for reading entropy pool: SHA-256
Hash for operating aux entropy pool: SHA-256
LRNG security strength in bits: 256
per-CPU interrupt collection size: 1024
number of DRNG instances: 4
Standards compliance:
High-resolution timer: true
LRNG minimally seeded: true
LRNG fully seeded: true
Continuous compression: true
```
|
On Wed, Oct 6, 2021 Demi Marie Obenour wrote:
2. Increase the amount of random seed provided to VMs from dom0 via QubesDB.
Assuming you mean a single static value and not somehow a different
one provided dynamically on every read: Not great. QubesDB values are
readable by non-root userspace. Having the same kernel entropy seed
exposed to subsequent (potentially lesser-trusted) code seems a bad
idea. If not otherwise combined with sufficient additional other
entropy, then there is a risk that prng state could be deduced from a
subsequent read of the qubesdb random seed.
A mechanism which uses a channel whose content does not stick around
after the fact (and certainly not also made available to less-trusted
code) seems a better fit for the kernel entropy-seeding use case.
|
FWIW the initial seed is removed from QubesDB after reading it (and
wiped from the process memory too). It happens rather early in the boot
process. But I agree there could be a better way. I consider researching
how bootloader can provide random see to the kernel (there is such
option in theory) and maybe use that.
…--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
|
This has helped, especially on systems with NVMe storage. I have processed the results with intel-E5-4627-v2-4s/4x_Xeon_E5-4627_v2_lrng_raw_noise.data.ent:Entropy = 3.122261 bits per byte. I will send you a link to download the full results via email. Thanks |
Am Samstag, 16. Oktober 2021, 14:17:50 CEST schrieb jirka-h:
Hi jirka,
> That is the amount of events trickling in. If you send, say, a ping flood
> to it or do another way of causing interrupts like dd if=$DISK of=file
> count=10000 oflag=direct then you get your results in a few minutes.
> Thanks a lot Stephan
This has helped, especially on systems with NVMe storage.
I have processed the results with `ent` utility (git clone
https://github.com/ProhtMeyhet/ent-random-entropy-test.git), see results
below. Entropy estimation is 3.122 bits per byte regardless of the test
system used. Is this expected?
This is fully expected, because the data you obtained is ASCII numbers and not
binary data.
The ASCII numbers are simply an export of the kernel time stamps obtained per
interrupt.
A user space tool at [1] is used to conver it into a binary string. This
string could be processed with ent, but better with the SP800-90B tool set as
the data is non-IID.
The tool set at [2] exactly does that.
With the application of these tools, the data you obtained looks very good: it
returns about 7 bits of entropy per time stamp - the LRNG heuristic applies 1
bit of entropy - see [2] section "Interpretation of Results"
[1] https://github.com/smuellerDD/lrng/blob/master/test/sp80090b/validation-runtime/extractlsb.c#L198
[2] https://github.com/smuellerDD/lrng/tree/master/test/sp80090b/validation-runtime
Thanks a lot for your support.
Ciao
Stephan
|
Hallo Stephan, thanks for checking the results!
Oh, my bad! I was assuming the data are binary without actually checking the values. I have now rerun the analysis based on the above instructions and the results are indeed excellent!
Thanks a lot! |
IIRC this one can be closed with 4.1 as the VM kernel now does the job itself? |
Closing as done. If anyone believes this issue is not yet done, please leave a comment, and we'll be happy to reopen it. Thank you. |
created just now to ask Stephan Mueller: |
Reported by joanna on 15 Nov 2012 19:03 UTC
While this is only my feeling, I suspect that the entropy collection daemon in our VMs needs some improvements.. This is because of the limited interaction with the physical world of each VM (e.g. mouse events go via vchan instead of via kernel module in a VM).
This can be easily noticed when one tries to generate a new GPG key in a VM -- the gpg would complain about inadequate entropy that is available and will hang until more is produced. One can produce more entropy via various disk activities (e.g. grep through the filesystem), however this:
It would probably be desirable to create some entropy producing device that would run in each of the VMs, and to feed this device from Dom0 or other domains exposed to physical hardware (netvm, usbvm?). One should be careful, however, not to distribute the same "entropy bits" to more than one domain, as this would likely compromise domain isolation.
Migrated-From: https://wiki.qubes-os.org/ticket/673
The text was updated successfully, but these errors were encountered: