Re: [libvirt] [PATCH] Add hw random number generator (/dev/hwrng) to default qemu cgroup ACL
On 11/18/2013 06:28 AM, Pradipta Kr. Banerjee wrote: Creating a qemu VM with /dev/hwrng as backed RNG device throws the following error - Could not open '/dev/hwrng': Operation not permitted This patch fixes the issue Signed-off-by: Pradipta Kr. Banerjee bpra...@in.ibm.com --- src/qemu/qemu_cgroup.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) This is probably not the right fix. This says that we are making the random device to all possible guests, and that a compromised guest can then open() the device and starve it of entropy to the detriment of other guests. I think the _real_ fix is to quit exposing /dev/random by default (/dev/urandom may be okay), and to instead teach the code for RNG devices to add an ACL change for either random device (/dev/random or /dev/hwrng) only for the guests that actually use RNG backed by a hardware device. That way, guests not using an RNG device cannot starve entropy from guests that depend on it. diff --git a/src/qemu/qemu_cgroup.c b/src/qemu/qemu_cgroup.c index ace7e35..d9ebb30 100644 --- a/src/qemu/qemu_cgroup.c +++ b/src/qemu/qemu_cgroup.c @@ -39,7 +39,7 @@ static const char *const defaultDeviceACL[] = { /dev/null, /dev/full, /dev/zero, -/dev/random, /dev/urandom, +/dev/random, /dev/urandom, /dev/hwrng, /dev/ptmx, /dev/kvm, /dev/kqemu, /dev/rtc, /dev/hpet, /dev/vfio/vfio, NULL, -- Eric Blake eblake redhat com+1-919-301-3266 Libvirt virtualization library http://libvirt.org signature.asc Description: OpenPGP digital signature -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list
Re: [libvirt] [PATCH] Add hw random number generator (/dev/hwrng) to default qemu cgroup ACL
On Mon, Nov 18, 2013 at 06:58:06PM +0530, Pradipta Kr. Banerjee wrote: Creating a qemu VM with /dev/hwrng as backed RNG device throws the following error - Could not open '/dev/hwrng': Operation not permitted This patch fixes the issue Signed-off-by: Pradipta Kr. Banerjee bpra...@in.ibm.com --- src/qemu/qemu_cgroup.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/qemu/qemu_cgroup.c b/src/qemu/qemu_cgroup.c index ace7e35..d9ebb30 100644 --- a/src/qemu/qemu_cgroup.c +++ b/src/qemu/qemu_cgroup.c @@ -39,7 +39,7 @@ static const char *const defaultDeviceACL[] = { /dev/null, /dev/full, /dev/zero, -/dev/random, /dev/urandom, +/dev/random, /dev/urandom, /dev/hwrng, /dev/ptmx, /dev/kvm, /dev/kqemu, /dev/rtc, /dev/hpet, /dev/vfio/vfio, NULL, NACK, for any device listed in the XML, we should add it in the per-VM cgroups setup code. The existing /dev/random /dev/urandom devices are there because they are used for basic crypto libraries unrelated to the XML config. The /dev/hwrng device does not fall into this scenario. Daniel -- |: http://berrange.com -o-http://www.flickr.com/photos/dberrange/ :| |: http://libvirt.org -o- http://virt-manager.org :| |: http://autobuild.org -o- http://search.cpan.org/~danberr/ :| |: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :| -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list
Re: [libvirt] [PATCH] Add hw random number generator (/dev/hwrng) to default qemu cgroup ACL
On 11/18/2013 08:20 AM, Daniel P. Berrange wrote: static const char *const defaultDeviceACL[] = { /dev/null, /dev/full, /dev/zero, -/dev/random, /dev/urandom, +/dev/random, /dev/urandom, /dev/hwrng, /dev/ptmx, /dev/kvm, /dev/kqemu, /dev/rtc, /dev/hpet, /dev/vfio/vfio, NULL, NACK, for any device listed in the XML, we should add it in the per-VM cgroups setup code. The existing /dev/random /dev/urandom devices are there because they are used for basic crypto libraries unrelated to the XML config. /dev/urandom, probably. /dev/random - really? Isn't that a DoS potential for one guest to starve entropy from other guests, in spite of sVirt? The /dev/hwrng device does not fall into this scenario. Agreed. -- Eric Blake eblake redhat com+1-919-301-3266 Libvirt virtualization library http://libvirt.org signature.asc Description: OpenPGP digital signature -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list
Re: [libvirt] [PATCH] Add hw random number generator (/dev/hwrng) to default qemu cgroup ACL
On Mon, Nov 18, 2013 at 09:05:21AM -0700, Eric Blake wrote: On 11/18/2013 08:20 AM, Daniel P. Berrange wrote: static const char *const defaultDeviceACL[] = { /dev/null, /dev/full, /dev/zero, -/dev/random, /dev/urandom, +/dev/random, /dev/urandom, /dev/hwrng, /dev/ptmx, /dev/kvm, /dev/kqemu, /dev/rtc, /dev/hpet, /dev/vfio/vfio, NULL, NACK, for any device listed in the XML, we should add it in the per-VM cgroups setup code. The existing /dev/random /dev/urandom devices are there because they are used for basic crypto libraries unrelated to the XML config. /dev/urandom, probably. /dev/random - really? Isn't that a DoS potential for one guest to starve entropy from other guests, in spite of sVirt? It is a tradeoff between providing the crypto libraries a weaker entropy source vs DOS potential via entropy starvation. Given that /dev/random is world writable on Linux in general, I think it is acceptable to allow QEMU access by default. Paranoid admins can always set the cgroups device ACL in /etc/libvirt/.qemu.conf if they want to restrict it. Daniel -- |: http://berrange.com -o-http://www.flickr.com/photos/dberrange/ :| |: http://libvirt.org -o- http://virt-manager.org :| |: http://autobuild.org -o- http://search.cpan.org/~danberr/ :| |: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :| -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list
Re: [libvirt] [PATCH] Add hw random number generator (/dev/hwrng) to default qemu cgroup ACL
On 11/18/2013 09:35 PM, Eric Blake wrote: On 11/18/2013 08:20 AM, Daniel P. Berrange wrote: static const char *const defaultDeviceACL[] = { /dev/null, /dev/full, /dev/zero, -/dev/random, /dev/urandom, +/dev/random, /dev/urandom, /dev/hwrng, /dev/ptmx, /dev/kvm, /dev/kqemu, /dev/rtc, /dev/hpet, /dev/vfio/vfio, NULL, NACK, for any device listed in the XML, we should add it in the per-VM cgroups setup code. The existing /dev/random /dev/urandom devices are there because they are used for basic crypto libraries unrelated to the XML config. /dev/urandom, probably. /dev/random - really? Isn't that a DoS potential for one guest to starve entropy from other guests, in spite of sVirt? I think you are right .. The /dev/hwrng device does not fall into this scenario. Agreed. -- Regards, Pradipta -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list
Re: [libvirt] [PATCH] Add hw random number generator (/dev/hwrng) to default qemu cgroup ACL
On 11/18/2013 08:45 PM, Eric Blake wrote: On 11/18/2013 06:28 AM, Pradipta Kr. Banerjee wrote: Creating a qemu VM with /dev/hwrng as backed RNG device throws the following error - Could not open '/dev/hwrng': Operation not permitted This patch fixes the issue Signed-off-by: Pradipta Kr. Banerjee bpra...@in.ibm.com --- src/qemu/qemu_cgroup.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) This is probably not the right fix. This says that we are making the random device to all possible guests, and that a compromised guest can then open() the device and starve it of entropy to the detriment of other guests. I think the _real_ fix is to quit exposing /dev/random by default (/dev/urandom may be okay), and to instead teach the code for RNG devices to add an ACL change for either random device (/dev/random or /dev/hwrng) only for the guests that actually use RNG backed by a hardware device. That way, guests not using an RNG device cannot starve entropy from guests that depend on it. Right..Thanks for the suggestion Eric. diff --git a/src/qemu/qemu_cgroup.c b/src/qemu/qemu_cgroup.c index ace7e35..d9ebb30 100644 --- a/src/qemu/qemu_cgroup.c +++ b/src/qemu/qemu_cgroup.c @@ -39,7 +39,7 @@ static const char *const defaultDeviceACL[] = { /dev/null, /dev/full, /dev/zero, -/dev/random, /dev/urandom, +/dev/random, /dev/urandom, /dev/hwrng, /dev/ptmx, /dev/kvm, /dev/kqemu, /dev/rtc, /dev/hpet, /dev/vfio/vfio, NULL, -- Regards, Pradipta -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list