> On Wed, Mar 31, 2021 at 12:12:31AM +0000, Taylor R Campbell wrote: >> This is false. If the VM host provided a viornd(4) device then NetBSD >> would automatically collect, and count, entropy from the host, with no >> manual intervention. > > I would love to see instructions how to do this - I have not seen a working > virond(4) in any of my Xen domU (but that is a very limited sample).
While this isn't with Xen, and isn't on -current, but this is what I do for my emulated arm64 system, where the emulator runs on NetBSD/amd64 8.0: #!/bin/sh SMP=4 MEM=8g qemu-system-aarch64 -M virt -cpu cortex-a57 -smp $SMP -m $MEM \ -drive if=none,file=disk.img,id=hd0 -device virtio-blk-device,drive=hd0 \ -netdev type=user,id=net0,hostfwd=tcp::2222-:22,ipv6=off \ -nographic \ -device virtio-net-device,netdev=net0,mac=00:11:66:33:44:55 \ -device virtio-rng-device \ -kernel netbsd.img -append root=ld4a and the booted system is NetBSD/aarch64 9.0 with the unmodified GENERIC64 kernel: arm64# rndctl -l Source Bits Type Flags cpu3 7824 vm estimate, collect, v, t, dv cpu2 8983 vm estimate, collect, v, t, dv cpu1 8351 vm estimate, collect, v, t, dv cpu0 12436 vm estimate, collect, v, t, dv ld4 8440476 disk estimate, collect, v, t, dt viornd0 4096 rng estimate, collect, v system-power 0 power estimate, collect, v, t, dt autoconf 72 ??? estimate, collect, t, dt printf 0 ??? collect callout 116 skew estimate, collect, v, dv arm64# arm64# dmesg | grep rnd [ 1.000010] viornd0 at virtio29: Features: 0x10000000<INDIRECT_DESC> arm64# arm64# dmesg | grep virtio29 [ 1.000010] virtio29 at simplebus0 [ 1.000010] viornd0 at virtio29: Features: 0x10000000<INDIRECT_DESC> [ 1.000010] virtio29: allocated 32768 byte for virtqueue 0 for Entropy request, size 1024 [ 1.000010] virtio29: interrupting on GIC irq 77 arm64# When I get to booting a past-rng-rework kernel, I'm fairly certain that only the input from viornd0 will remain as a source with "estimate" in the flags field. Of course, any saved and restored entropy will also count towards the estimate. That said, it doesn't look like the amd64 XEN3_DOMU kernel has either of virtio* or viornd* configured, they're only in the GENERIC and ALL kernel configs. Also, I don't know what has to happen on the XEN "host side" to provide those devices; virtio* is apparently supposed to be made visible via the pci bus (looking at amd64's GENERIC), but by the looks of it, XEN only does "pci passthrough" to physical devices (looking at the comments near the commented-out "pci" config statements in XEN3_DOMU), so no "emulated" PCI bus where the host can provide the host-side of the randomness virtual device? Regards, - HÃ¥vard
