[Qemu-devel] virtio-rng async rng_backend_request_entropy() vs migration

[Stefan Hajnoczi]

Dave Gilbert hit the following virtio migration error message today
and asked me if it was a known bug:
virtio-rng: VQ 0 size 0x8 < last_avail_idx 0x21 - used_idx 0x22

It looks like a legitimate new bug.  This error occurred with postcopy
live migration and no rng backend (just -device virtio-rng-pci).

The virtio-rng code uses rng_backend_request_entropy().  Is the async
callback safe with live migration?

It should not fire after vm_stop() on the source host.  Looking
briefly at the code suggests it may fire during/after migration
handover.  This could lead to inconsistent virtio state since the
vring (guest RAM) is modified by the source host and the postcopy
destination host may load those updated values.

Stefan

Re: [Qemu-devel] virtio-rng and fd passing

[Amit Shah]

On (Fri) 01 Mar 2013 [10:51:33], Paolo Bonzini wrote:
 Il 01/03/2013 01:36, Eric Blake ha scritto:
  For fd passing to work, we have to use qemu_open() instead of raw
  open().  Is there any way to enforce that all files being opened by qemu
  go through the appropriate qemu_open() wrapper?
  
  Meanwhile, we have a quandary on the libvirt side of things: qemu 1.4
  supports fd passing in general, but does not support it for rng.  I
  guess the same is true for -blockdev - we don't (yet) have a way to do
  fd passing for backing files.  Do we need some sort of QMP command that
  will let libvirt query for a particular device whether that device is
  known to support fd passing, so that libvirt can use fd passing for all
  supported devices, while falling back to older direct open()s, and to
  know which instance of qemu can safely have open() blocked at the
  SELinux or syscall blacklist level?
 
 Let's change open to qemu_open for 1.4.1, and declare rng only supported
 in 1.4.1...

There are a few bugs that prevent the rng-random backend from working
properly.  I suspect we should move to using giochannel for the fd.


https://bugzilla.redhat.com/show_bug.cgi?id=917884
(issuing 'cat /dev/random' in host hits an assert and kills guest)

https://bugzilla.redhat.com/show_bug.cgi?id=917886
(default /dev/random backend doesn't send data to guest)

https://bugzilla.redhat.com/show_bug.cgi?id=915381
(performance of backends sucks)

Amit

Re: [Qemu-devel] virtio-rng and fd passing

[Daniel P. Berrange]

On Fri, Mar 01, 2013 at 04:14:40PM -0700, Eric Blake wrote:
  I understand the reason that fdsets exist (because NFS is stupid and
  doesn't support labeling).  But we aren't doing dynamic labeling of
  /dev/random and I strongly suspect it's not on NFS anyway.
  
  So why are we trying to pass fds here?
 
 Consistency - how do you write a policy that allows open(/dev/random)
 while forbidding open(/nfs/...)?  It's much simpler to forbid open(),
 even if /dev/random doesn't have any labeling issues.

IIUC, it is actually pretty straightforward from a policy POV. Every
filesystem has a unique type, and SELinux can make rules scoped to that
filesystem type. That's how we have the 'virt_use_nfs' tunable already
which only affects NFS.

Daniel
-- 
|: http://berrange.com  -o-http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org  -o- http://virt-manager.org :|
|: http://autobuild.org   -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org   -o-   http://live.gnome.org/gtk-vnc :|

Re: [Qemu-devel] virtio-rng and fd passing

[Corey Bryant]

On 03/04/2013 05:29 AM, Daniel P. Berrange wrote:

On Fri, Mar 01, 2013 at 04:14:40PM -0700, Eric Blake wrote:

I understand the reason that fdsets exist (because NFS is stupid and
doesn't support labeling).  But we aren't doing dynamic labeling of
/dev/random and I strongly suspect it's not on NFS anyway.

So why are we trying to pass fds here?


Consistency - how do you write a policy that allows open(/dev/random)
while forbidding open(/nfs/...)?  It's much simpler to forbid open(),
even if /dev/random doesn't have any labeling issues.


IIUC, it is actually pretty straightforward from a policy POV. Every
filesystem has a unique type, and SELinux can make rules scoped to that
filesystem type. That's how we have the 'virt_use_nfs' tunable already
which only affects NFS.

Daniel



Yes it should be simple, at least for SELinux.  I think all we need to 
do is remove open permission from the qemu process (svirt_t) on NFS 
files (files labeled with nfs_t).


Here's what I see for base qemu permissions on NFS files on Fedora 18:
$ sesearch  -A -s svirt_t -t nfs_t | grep : file | grep open
   allow virt_domain nfs_t : file { ioctl read write create getattr 
setattr lock append unlink link rename open } ;


And I think 'setsebool -P virt_use_nfs 0' will remove the open 
permission, so this may already be covered.


I'm not sure how easy it is for other MAC implementations.  Last I 
checked AppArmor didn't have the granularity of preventing open and 
allowing read/write.


--
Regards,
Corey Bryant

Re: [Qemu-devel] virtio-rng and fd passing

[Corey Bryant]

On 03/01/2013 10:34 PM, Stefan Berger wrote:

On 03/01/2013 10:17 PM, Anthony Liguori wrote:

Stefan Berger stef...@linux.vnet.ibm.com writes:


On 03/01/2013 06:59 PM, Anthony Liguori wrote:

Eric Blake ebl...@redhat.com writes:


On 03/01/2013 04:05 PM, Anthony Liguori wrote:

Eric Blake ebl...@redhat.com writes:


On 03/01/2013 02:08 PM, Anthony Liguori wrote:


You can pass chardevs to the egd backend.  It's really not a
good idea
to pass a fd via rng-rangom.

Why not?  If you are running a single guest, why can't libvirt
pass that
one guest an fd instead of making qemu open() the file?

Why can't QEMU just open(/dev/random)?  What's the advantage of
libvirt
doing the open?

sVirt/syscall blacklisting

Libvirt WANTS to prohibit qemu from using open()/openat(), and instead
get ALL its fds from inheritence across exec() and/or SCM_RIGHTS.  In
this way, qemu can be made more secure out of the box, even on file
systems like NFS that lack SELinux labeling.

Opening up files as root and passing the descriptors to an unprivileged
process is more secure than doing open() as an unprivileged process.

The kernel is capable of doing this enforcement.  I don't think it's
reasonable to expect QEMU to never use open() at all.

For blacklisting of open() to succeed we would need to at least pass all
file descriptors into QEMU so that QEMU doesn't need to call open()
because of the devices it uses. If there are no open() calls left in
all/most predictable cases then blacklisting open() could be enabled for
those cases (hopefully all of them).  Isn't thos the technical aspect to
what it comes down to in the end that would let one blacklist open()?

Sandboxing isn't a panacea.  The benefit comes from removing unnecessary
interfaces from the attack surface.  It doesn't help if you blacklist
and interface but then invent an RPC that replicates it anyway.

Moving the open validation logic from the kernel to libvirt is *not*
reducing the attack surface.  It's simply moving it from one place (the
kernel) to another (libvirt).


It depends on what one defends against. If a jail-break succeeds and
open() is disabled, then that attack surfaces was effectively reduced.
It's hard to say whether opening files within libvirt could then allow
new exploits.

 Stefan




Agreed.  And this all assumes that libvirt is trusted.  The goal is to 
prevent a malicious qemu guest from opening something that does not 
belong to it.  So we either prevent all qemu open()s with seccomp (which 
may not be realistic at this point) or we prevent them on a case by case 
basis with MAC (e.g. prevent qemu from opening files labeled with 
SELinux type nfs_t) where sVirt does not already have us covered.


--
Regards,
Corey Bryant

Re: [Qemu-devel] virtio-rng and fd passing

[Eric Blake]

On 03/01/2013 08:13 PM, Anthony Liguori wrote:
 Eric Blake ebl...@redhat.com writes:
 
 On 03/01/2013 04:59 PM, Anthony Liguori wrote:
 I said this when seccomp was first introduced and I'll say it again.
 blacklisting open() is a bad idea.  DAC and MAC already exist and solve
 this problem.  We've got filesystem namespaces too.

 Let's explore that idea a bit further.  What happens if libvirt decides
 to create a new filesystem namespace for qemu, where libvirt unmounts
 all non-local filesystems, as well as any file system that does not
 support SELinux labeling.  Then all remaining filesystems, seen by qemu,
 will enforce SELinux semantics, and we can let qemu open() at will
 because the open will then be guarded by SELinux.  The only remaining
 access is to files to the unmounted file systems, where fd passing from
 libvirt bypasses the fact that qemu can't see the file system.  I could
 see that working, and it would still let us get rid of the selinux
 virt_use_nfs bool while still providing secure NFS out-of-the-box.  And
 your argument is that virtio-rng should be pointed to a character
 device, never an NFS file, and therefore not using qemu_open() is no
 real loss because open() will not be blacklisted, just NFS file systems.
  Okay, maybe that will work.
 
 A simpler version would be to chroot the QEMU process but sure.

chroot is escapable, but you are correct that there are indeed ways of
restricting open() on certain filesystems without blacklisting all
open() in general.

-- 
Eric Blake   eblake redhat com+1-919-301-3266
Libvirt virtualization library http://libvirt.org



signature.asc
Description: OpenPGP digital signature

Re: [Qemu-devel] virtio-rng and fd passing

[Eric Blake]

[adding libvirt]

On 03/03/2013 02:05 PM, Anthony Liguori wrote:
 Paolo Bonzini pbonz...@redhat.com writes:
 
 Il 02/03/2013 04:13, Anthony Liguori ha scritto:
 There is no valid use-case of rng-random other than using /dev/random.
 In fact, it was probably a mistake to even allow a filename to be
 specified because it lets people do silly things (like /dev/urandom).

 If you want anything other than /dev/random, you should use rng-egd.

 /dev/hwrng makes sense too.
 
 Good point.  Perhaps we should issue a warning when anything is used
 other than /dev/random or /dev/hwrng to discourage people from doing the
 wrong thing.  I completely understand the confusion and I think we
 should try a bit harder to prevent people from getting it wrong.

Then libvirt should also make sure that the XML we allow for non-egd
virtio-rng is restricted to the two filenames that won't cause a qemu
warning, or even modify the XML to not expose a filename in the first
place.  We haven't released libvirt 1.0.3 yet, so we still have a few
hours in which such a change could be made before the XML becomes baked
by a release.

-- 
Eric Blake   eblake redhat com+1-919-301-3266
Libvirt virtualization library http://libvirt.org



signature.asc
Description: OpenPGP digital signature

Re: [Qemu-devel] virtio-rng and fd passing

[Anthony Liguori]

Eric Blake ebl...@redhat.com writes:

 [adding libvirt]

 On 03/03/2013 02:05 PM, Anthony Liguori wrote:
 Paolo Bonzini pbonz...@redhat.com writes:
 
 Il 02/03/2013 04:13, Anthony Liguori ha scritto:
 There is no valid use-case of rng-random other than using /dev/random.
 In fact, it was probably a mistake to even allow a filename to be
 specified because it lets people do silly things (like /dev/urandom).

 If you want anything other than /dev/random, you should use rng-egd.

 /dev/hwrng makes sense too.
 
 Good point.  Perhaps we should issue a warning when anything is used
 other than /dev/random or /dev/hwrng to discourage people from doing the
 wrong thing.  I completely understand the confusion and I think we
 should try a bit harder to prevent people from getting it wrong.

 Then libvirt should also make sure that the XML we allow for non-egd
 virtio-rng is restricted to the two filenames that won't cause a qemu
 warning, or even modify the XML to not expose a filename in the first
 place.  We haven't released libvirt 1.0.3 yet, so we still have a few
 hours in which such a change could be made before the XML becomes baked
 by a release.

We've already released QEMU accepting any file name so we can't remove
that functionality but I'm very much leaning toward producing such a
warning for 1.5.

It's such an easy mistake to make and it's extremely difficult to find
good information on what you should and shouldn't do.  I think that we
(QEMU and libvirt) should try hard to steer people in the right
direction.

Regards,

Anthony Liguori


 -- 
 Eric Blake   eblake redhat com+1-919-301-3266
 Libvirt virtualization library http://libvirt.org

Re: [Qemu-devel] virtio-rng and fd passing

[Eric Blake]

On 03/04/2013 03:24 PM, Anthony Liguori wrote:
 Then libvirt should also make sure that the XML we allow for non-egd
 virtio-rng is restricted to the two filenames that won't cause a qemu
 warning, or even modify the XML to not expose a filename in the first
 place.  We haven't released libvirt 1.0.3 yet, so we still have a few
 hours in which such a change could be made before the XML becomes baked
 by a release.
 
 We've already released QEMU accepting any file name so we can't remove
 that functionality but I'm very much leaning toward producing such a
 warning for 1.5.
 
 It's such an easy mistake to make and it's extremely difficult to find
 good information on what you should and shouldn't do.  I think that we
 (QEMU and libvirt) should try hard to steer people in the right
 direction.

It's too late for qemu 1.4, but libvirt 1.0.3 can still get it right.
Proposed libvirt patch coming up soon.

-- 
Eric Blake   eblake redhat com+1-919-301-3266
Libvirt virtualization library http://libvirt.org



signature.asc
Description: OpenPGP digital signature

Re: [Qemu-devel] virtio-rng and fd passing

[H. Peter Anvin]

On 03/02/2013 04:23 AM, Paolo Bonzini wrote:
 Il 02/03/2013 04:13, Anthony Liguori ha scritto:
 There is no valid use-case of rng-random other than using /dev/random.
 In fact, it was probably a mistake to even allow a filename to be
 specified because it lets people do silly things (like /dev/urandom).

 If you want anything other than /dev/random, you should use rng-egd.
 
 /dev/hwrng makes sense too.

Only if the host isn't using it, which it almost certainly should if
there is something there.  On the other hand, yes, it is
cryptographically sound (since it presents itself as /dev/hwrng in the
guest!) and it does make sense for a very thin host.

-hpa


-- 
H. Peter Anvin, Intel Open Source Technology Center
I work for Intel.  I don't speak on their behalf.

Re: [Qemu-devel] virtio-rng and fd passing

[Anthony Liguori]

Paolo Bonzini pbonz...@redhat.com writes:

 Il 02/03/2013 04:13, Anthony Liguori ha scritto:
 There is no valid use-case of rng-random other than using /dev/random.
 In fact, it was probably a mistake to even allow a filename to be
 specified because it lets people do silly things (like /dev/urandom).
 
 If you want anything other than /dev/random, you should use rng-egd.

 /dev/hwrng makes sense too.

Good point.  Perhaps we should issue a warning when anything is used
other than /dev/random or /dev/hwrng to discourage people from doing the
wrong thing.  I completely understand the confusion and I think we
should try a bit harder to prevent people from getting it wrong.

Regards,

Anthony Liguori


 Paolo

Re: [Qemu-devel] virtio-rng and fd passing

[Anthony Liguori]

Stefan Berger stef...@linux.vnet.ibm.com writes:

 It depends on what one defends against. If a jail-break succeeds and 
 open() is disabled, then that attack surfaces was effectively reduced. 
 It's hard to say whether opening files within libvirt could then allow 
 new exploits.

Well, in the very least, libvirt is doing the open() as root whereas
QEMU does it as an unprivileged user.

Regards,

Anthony Liguori


  Stefan

Re: [Qemu-devel] virtio-rng and fd passing

[Amit Shah]

On (Fri) 01 Mar 2013 [10:51:33], Paolo Bonzini wrote:
 Il 01/03/2013 01:36, Eric Blake ha scritto:
  For fd passing to work, we have to use qemu_open() instead of raw
  open().  Is there any way to enforce that all files being opened by qemu
  go through the appropriate qemu_open() wrapper?
  
  Meanwhile, we have a quandary on the libvirt side of things: qemu 1.4
  supports fd passing in general, but does not support it for rng.  I
  guess the same is true for -blockdev - we don't (yet) have a way to do
  fd passing for backing files.  Do we need some sort of QMP command that
  will let libvirt query for a particular device whether that device is
  known to support fd passing, so that libvirt can use fd passing for all
  supported devices, while falling back to older direct open()s, and to
  know which instance of qemu can safely have open() blocked at the
  SELinux or syscall blacklist level?
 
 Let's change open to qemu_open for 1.4.1, and declare rng only supported
 in 1.4.1...

In addition, we can tweak checkpatch.pl to flag such usage as a warning.

Amit

Re: [Qemu-devel] virtio-rng and fd passing

[Paolo Bonzini]

Il 02/03/2013 04:13, Anthony Liguori ha scritto:
 There is no valid use-case of rng-random other than using /dev/random.
 In fact, it was probably a mistake to even allow a filename to be
 specified because it lets people do silly things (like /dev/urandom).
 
 If you want anything other than /dev/random, you should use rng-egd.

/dev/hwrng makes sense too.

Paolo

Re: [Qemu-devel] virtio-rng and fd passing

[Paolo Bonzini]

Il 01/03/2013 01:36, Eric Blake ha scritto:
 For fd passing to work, we have to use qemu_open() instead of raw
 open().  Is there any way to enforce that all files being opened by qemu
 go through the appropriate qemu_open() wrapper?
 
 Meanwhile, we have a quandary on the libvirt side of things: qemu 1.4
 supports fd passing in general, but does not support it for rng.  I
 guess the same is true for -blockdev - we don't (yet) have a way to do
 fd passing for backing files.  Do we need some sort of QMP command that
 will let libvirt query for a particular device whether that device is
 known to support fd passing, so that libvirt can use fd passing for all
 supported devices, while falling back to older direct open()s, and to
 know which instance of qemu can safely have open() blocked at the
 SELinux or syscall blacklist level?

Let's change open to qemu_open for 1.4.1, and declare rng only supported
in 1.4.1...

Paolo

Re: [Qemu-devel] virtio-rng and fd passing

[H. Peter Anvin]

On 02/28/2013 04:36 PM, Eric Blake wrote:
 Stefan Berger and I discovered on IRC that virtio-rng is unable to 
 support fd passing.  We attempted:
 
 qemu-system-x86_64 ... -add-fd
 set=4,fd=34,opaque=RDONLY:/dev/urandom

 -object rng-random,id=rng0,filename=/dev/fdset/4 -device 
 virtio-rng-pci,rng=rng0,bus=pci.0,addr=0x6
 

Unrelated, but you really, really, really don't want to pass
/dev/urandom there, use /dev/random.

-hpa

Re: [Qemu-devel] virtio-rng and fd passing

[Anthony Liguori]

Eric Blake ebl...@redhat.com writes:

 Stefan Berger and I discovered on IRC that virtio-rng is unable to
 support fd passing.  We attempted:

 qemu-system-x86_64 ... -add-fd set=4,fd=34,opaque=RDONLY:/dev/urandom
 -object rng-random,id=rng0,filename=/dev/fdset/4 -device
 virtio-rng-pci,rng=rng0,bus=pci.0,addr=0x6

Why are you using th rng-random backend instead of the rng-egd backend?

You can pass chardevs to the egd backend.  It's really not a good idea
to pass a fd via rng-rangom.

Regards,

Anthony Liguori


 qemu-system-x86_64: -device virtio-rng-pci,rng=rng0,bus=pci.0,addr=0x6:
 Could not open '/dev/fdset/4'

 Looks like this code is the culprit, in backends/rng-random.c:

 static void rng_random_opened(RngBackend *b, Error **errp)
 {
 RndRandom *s = RNG_RANDOM(b);

 if (s-filename == NULL) {
 error_set(errp, QERR_INVALID_PARAMETER_VALUE,
   filename, a valid filename);
 } else {
 s-fd = open(s-filename, O_RDONLY | O_NONBLOCK);

 For fd passing to work, we have to use qemu_open() instead of raw
 open().  Is there any way to enforce that all files being opened by qemu
 go through the appropriate qemu_open() wrapper?

 Meanwhile, we have a quandary on the libvirt side of things: qemu 1.4
 supports fd passing in general, but does not support it for rng.  I
 guess the same is true for -blockdev - we don't (yet) have a way to do
 fd passing for backing files.  Do we need some sort of QMP command that
 will let libvirt query for a particular device whether that device is
 known to support fd passing, so that libvirt can use fd passing for all
 supported devices, while falling back to older direct open()s, and to
 know which instance of qemu can safely have open() blocked at the
 SELinux or syscall blacklist level?

 -- 
 Eric Blake   eblake redhat com+1-919-301-3266
 Libvirt virtualization library http://libvirt.org

Re: [Qemu-devel] virtio-rng and fd passing

[Stefan Berger]

On 03/01/2013 02:37 PM, H. Peter Anvin wrote:

On 02/28/2013 04:36 PM, Eric Blake wrote:

Stefan Berger and I discovered on IRC that virtio-rng is unable to
support fd passing.  We attempted:

qemu-system-x86_64 ... -add-fd
set=4,fd=34,opaque=RDONLY:/dev/urandom

 

-object rng-random,id=rng0,filename=/dev/fdset/4 -device
virtio-rng-pci,rng=rng0,bus=pci.0,addr=0x6


Unrelated, but you really, really, really don't want to pass
/dev/urandom there, use /dev/random.


From what I am reading about /dev/random is that it will start blocking 
once not enough entropy is available anymore. Sounds like this could be 
abused if multiple VMs were using this device and one drains the 
entropy.. An alternative may be to pick go through a crypto library that 
seeds itself with entropy and implements random number generators 
following NIST 800-90 for example. Freebl would offer at least one such 
implementation:


http://dxr.mozilla.org/mozilla-central/security/nss/lib/freebl/drbg.c.html 
-   search for 'NIST' there


Stefan

Re: [Qemu-devel] virtio-rng and fd passing

[H. Peter Anvin]

The guest kernel already provides the PRNG itself.  We have been over this...

Stefan Berger stef...@linux.vnet.ibm.com wrote:

On 03/01/2013 02:37 PM, H. Peter Anvin wrote:
 On 02/28/2013 04:36 PM, Eric Blake wrote:
 Stefan Berger and I discovered on IRC that virtio-rng is unable to
 support fd passing.  We attempted:

 qemu-system-x86_64 ... -add-fd
 set=4,fd=34,opaque=RDONLY:/dev/urandom
  
 -object rng-random,id=rng0,filename=/dev/fdset/4 -device
 virtio-rng-pci,rng=rng0,bus=pci.0,addr=0x6

 Unrelated, but you really, really, really don't want to pass
 /dev/urandom there, use /dev/random.

From what I am reading about /dev/random is that it will start blocking

once not enough entropy is available anymore. Sounds like this could be

abused if multiple VMs were using this device and one drains the 
entropy.. An alternative may be to pick go through a crypto library
that 
seeds itself with entropy and implements random number generators 
following NIST 800-90 for example. Freebl would offer at least one such

implementation:

http://dxr.mozilla.org/mozilla-central/security/nss/lib/freebl/drbg.c.html

-   search for 'NIST' there

 Stefan

-- 
Sent from my mobile phone. Please excuse brevity and lack of formatting.

Re: [Qemu-devel] virtio-rng and fd passing

[Stefan Berger]

On 03/01/2013 03:04 PM, Anthony Liguori wrote:

Eric Blake ebl...@redhat.com writes:


Stefan Berger and I discovered on IRC that virtio-rng is unable to
support fd passing.  We attempted:

qemu-system-x86_64 ... -add-fd set=4,fd=34,opaque=RDONLY:/dev/urandom
-object rng-random,id=rng0,filename=/dev/fdset/4 -device
virtio-rng-pci,rng=rng0,bus=pci.0,addr=0x6

Why are you using th rng-random backend instead of the rng-egd backend?


I followed the example on the libvirt website trying out the XML for the 
rng device while adpating the libvirt code to use fd passing and 
generating the -add-fd command line parameters.




You can pass chardevs to the egd backend.  It's really not a good idea
to pass a fd via rng-rangom.


Fine, then we won't use fd passing for this device, whatever the reason 
may be.


   Stefan

Re: [Qemu-devel] virtio-rng and fd passing

[Paolo Bonzini]

Il 01/03/2013 21:13, Stefan Berger ha scritto:
 On 03/01/2013 02:37 PM, H. Peter Anvin wrote:
 On 02/28/2013 04:36 PM, Eric Blake wrote:
 Stefan Berger and I discovered on IRC that virtio-rng is unable to
 support fd passing.  We attempted:

 qemu-system-x86_64 ... -add-fd
 set=4,fd=34,opaque=RDONLY:/dev/urandom
  
 -object rng-random,id=rng0,filename=/dev/fdset/4 -device
 virtio-rng-pci,rng=rng0,bus=pci.0,addr=0x6

 Unrelated, but you really, really, really don't want to pass
 /dev/urandom there, use /dev/random.
 
 From what I am reading about /dev/random is that it will start blocking
 once not enough entropy is available anymore.

Yes, and the purpose of virtio-rng is not to provide fancy random
numbers.  It's to provide actual entropy.

Paolo

Re: [Qemu-devel] virtio-rng and fd passing

[Anthony Liguori]

Stefan Berger stef...@linux.vnet.ibm.com writes:

 On 03/01/2013 03:04 PM, Anthony Liguori wrote:
 Eric Blake ebl...@redhat.com writes:

 Stefan Berger and I discovered on IRC that virtio-rng is unable to
 support fd passing.  We attempted:

 qemu-system-x86_64 ... -add-fd set=4,fd=34,opaque=RDONLY:/dev/urandom
 -object rng-random,id=rng0,filename=/dev/fdset/4 -device
 virtio-rng-pci,rng=rng0,bus=pci.0,addr=0x6
 Why are you using th rng-random backend instead of the rng-egd backend?

 I followed the example on the libvirt website trying out the XML for the 
 rng device while adpating the libvirt code to use fd passing and 
 generating the -add-fd command line parameters.


 You can pass chardevs to the egd backend.  It's really not a good idea
 to pass a fd via rng-rangom.

 Fine, then we won't use fd passing for this device, whatever the reason 
 may be.

So let's step back.  There are two backends currently supported:
rng-random and rng-egd.  I don't see any point in taking an fd for
rng-random.  I don't think labeling comes into play here.

But if libvirt wants to interact with virtio-rng in a more intelligent
way (implementing a policy to distribute entropy), then rng-egd is the
right way to do that.

Regards,

Anthony Liguori


 Stefan

Re: [Qemu-devel] virtio-rng and fd passing

[Eric Blake]

On 03/01/2013 02:08 PM, Anthony Liguori wrote:

 You can pass chardevs to the egd backend.  It's really not a good idea
 to pass a fd via rng-rangom.

Why not?  If you are running a single guest, why can't libvirt pass that
one guest an fd instead of making qemu open() the file?


 Fine, then we won't use fd passing for this device, whatever the reason 
 may be.
 
 So let's step back.  There are two backends currently supported:
 rng-random and rng-egd.  I don't see any point in taking an fd for
 rng-random.  I don't think labeling comes into play here.
 
 But if libvirt wants to interact with virtio-rng in a more intelligent
 way (implementing a policy to distribute entropy), then rng-egd is the
 right way to do that.

Yes, libvirt will probably use rng-egd when distributing randomness
among multiple guests.  But libvirt wants to target BOTH forms of rng,
in order to let the user choose which one is best for their needs.  If
rng-random is not useful to any end user, then why did qemu expose it in
the first place?  And if qemu thought it was worth exposing, then
libvirt thinks it is worth targetting, and by using qemu_open instead of
raw open, then fd passing is possible.  Policy (whether it makes sense
to pass an fd for a random generator, and whether /dev/random or
/dev/urandom or something else is best) may be important, but it is
orthogonal to the issue that I raised about consistency.

-- 
Eric Blake   eblake redhat com+1-919-301-3266
Libvirt virtualization library http://libvirt.org



signature.asc
Description: OpenPGP digital signature

Re: [Qemu-devel] virtio-rng and fd passing

[Peter Krempa]

On 03/01/13 21:04, Anthony Liguori wrote:

Eric Blake ebl...@redhat.com writes:


Stefan Berger and I discovered on IRC that virtio-rng is unable to
support fd passing.  We attempted:

qemu-system-x86_64 ... -add-fd set=4,fd=34,opaque=RDONLY:/dev/urandom
-object rng-random,id=rng0,filename=/dev/fdset/4 -device
virtio-rng-pci,rng=rng0,bus=pci.0,addr=0x6


Why are you using th rng-random backend instead of the rng-egd backend?


There are two issues with using the egd backend for unprepared devices:

1) The backend spits out \x20\x40 commands(egd blocking entropy 
request for 0x40 bytes) so it really has to be used with some kind of 
EGD server implementation otherwise it might feed your /dev/random with 
predictable bytes if used directly.


2) performance of the egd backend is terrible as I've reported here
https://bugzilla.redhat.com/show_bug.cgi?id=915381 (yes I'm aware that I 
probably should have filed a upstream bug too, but I was hoping Amit 
would do it in the process)


On my machine I managed to do 0.2KiB/s with the egd backend both with 
using constant data as a high performance source, but also with a true 
random number generator (in the Raspberry pi SoC, sources 107KiB/s of 
entropy). The rng-random backend performs a bit better averaging 1.2MiB/s.


Peter

Re: [Qemu-devel] virtio-rng and fd passing

[Anthony Liguori]

Eric Blake ebl...@redhat.com writes:

 On 03/01/2013 02:08 PM, Anthony Liguori wrote:

 You can pass chardevs to the egd backend.  It's really not a good idea
 to pass a fd via rng-rangom.

 Why not?  If you are running a single guest, why can't libvirt pass that
 one guest an fd instead of making qemu open() the file?

Why can't QEMU just open(/dev/random)?  What's the advantage of libvirt
doing the open?

 Fine, then we won't use fd passing for this device, whatever the reason 
 may be.
 
 So let's step back.  There are two backends currently supported:
 rng-random and rng-egd.  I don't see any point in taking an fd for
 rng-random.  I don't think labeling comes into play here.
 
 But if libvirt wants to interact with virtio-rng in a more intelligent
 way (implementing a policy to distribute entropy), then rng-egd is the
 right way to do that.

 Yes, libvirt will probably use rng-egd when distributing randomness
 among multiple guests.  But libvirt wants to target BOTH forms of rng,
 in order to let the user choose which one is best for their needs.  If
 rng-random is not useful to any end user, then why did qemu expose it in
 the first place?  And if qemu thought it was worth exposing, then
 libvirt thinks it is worth targetting, and by using qemu_open instead of
 raw open, then fd passing is possible.  Policy (whether it makes sense
 to pass an fd for a random generator, and whether /dev/random or
 /dev/urandom or something else is best) may be important, but it is
 orthogonal to the issue that I raised about consistency.

It seems a bit silly to me for QEMU to never open a file and to reinvent
a namespace (via fdsets) to serve that purpose.

I understand the reason that fdsets exist (because NFS is stupid and
doesn't support labeling).  But we aren't doing dynamic labeling of
/dev/random and I strongly suspect it's not on NFS anyway.

So why are we trying to pass fds here?

Regards,

Anthony Liguori


 -- 
 Eric Blake   eblake redhat com+1-919-301-3266
 Libvirt virtualization library http://libvirt.org

Re: [Qemu-devel] virtio-rng and fd passing

[Anthony Liguori]

Peter Krempa pkre...@redhat.com writes:

 On 03/01/13 21:04, Anthony Liguori wrote:
 Eric Blake ebl...@redhat.com writes:

 Stefan Berger and I discovered on IRC that virtio-rng is unable to
 support fd passing.  We attempted:

 qemu-system-x86_64 ... -add-fd set=4,fd=34,opaque=RDONLY:/dev/urandom
 -object rng-random,id=rng0,filename=/dev/fdset/4 -device
 virtio-rng-pci,rng=rng0,bus=pci.0,addr=0x6

 Why are you using th rng-random backend instead of the rng-egd backend?

 There are two issues with using the egd backend for unprepared devices:

 1) The backend spits out \x20\x40 commands(egd blocking entropy 
 request for 0x40 bytes) so it really has to be used with some kind of 
 EGD server implementation otherwise it might feed your /dev/random with 
 predictable bytes if used directly.

Yes.  That's the point.


 2) performance of the egd backend is terrible as I've reported here
 https://bugzilla.redhat.com/show_bug.cgi?id=915381 (yes I'm aware that I 
 probably should have filed a upstream bug too, but I was hoping Amit 
 would do it in the process)

 On my machine I managed to do 0.2KiB/s with the egd backend both with 
 using constant data as a high performance source, but also with a true 
 random number generator (in the Raspberry pi SoC, sources 107KiB/s of 
 entropy). The rng-random backend performs a bit better averaging
 1.2MiB/s.

That's a bug that I wasn't aware of until you wrote this.  I'll look
into it next week.

Regards,

Anthony Liguori


 Peter

Re: [Qemu-devel] virtio-rng and fd passing

[Eric Blake]

On 03/01/2013 04:05 PM, Anthony Liguori wrote:
 Eric Blake ebl...@redhat.com writes:
 
 On 03/01/2013 02:08 PM, Anthony Liguori wrote:

 You can pass chardevs to the egd backend.  It's really not a good idea
 to pass a fd via rng-rangom.

 Why not?  If you are running a single guest, why can't libvirt pass that
 one guest an fd instead of making qemu open() the file?
 
 Why can't QEMU just open(/dev/random)?  What's the advantage of libvirt
 doing the open?

sVirt/syscall blacklisting

Libvirt WANTS to prohibit qemu from using open()/openat(), and instead
get ALL its fds from inheritence across exec() and/or SCM_RIGHTS.  In
this way, qemu can be made more secure out of the box, even on file
systems like NFS that lack SELinux labeling.  Right now, if you store
your image files on NFS, then you have to explicitly grant SELinux the
virt_use_nfs boolean, which says that qemu can open() _any_ file on NFS,
even if it is not a file belonging to the guest's disk image.  But if we
can prohibit qemu from calling open(), while still accessing everything
it needs with fd passing, then virt_use_nfs is no longer necessary - and
even if the qemu process is compromised by a rogue guest, the
compromised process cannot access any file to which it does not already
have an fd.

But given the way open() blacklisting works, allowing qemu to
open(/dev/random) while forbidding open(/nfs/...) is much harder
than forbidding all open().  In other words, an all-or-nothing switch is
possible only if qemu consistently uses qemu_open() instead of raw open().

 I understand the reason that fdsets exist (because NFS is stupid and
 doesn't support labeling).  But we aren't doing dynamic labeling of
 /dev/random and I strongly suspect it's not on NFS anyway.
 
 So why are we trying to pass fds here?

Consistency - how do you write a policy that allows open(/dev/random)
while forbidding open(/nfs/...)?  It's much simpler to forbid open(),
even if /dev/random doesn't have any labeling issues.

-- 
Eric Blake   eblake redhat com+1-919-301-3266
Libvirt virtualization library http://libvirt.org



signature.asc
Description: OpenPGP digital signature

Re: [Qemu-devel] virtio-rng and fd passing

[Anthony Liguori]

Eric Blake ebl...@redhat.com writes:

 On 03/01/2013 04:05 PM, Anthony Liguori wrote:
 Eric Blake ebl...@redhat.com writes:
 
 On 03/01/2013 02:08 PM, Anthony Liguori wrote:

 You can pass chardevs to the egd backend.  It's really not a good idea
 to pass a fd via rng-rangom.

 Why not?  If you are running a single guest, why can't libvirt pass that
 one guest an fd instead of making qemu open() the file?
 
 Why can't QEMU just open(/dev/random)?  What's the advantage of libvirt
 doing the open?

 sVirt/syscall blacklisting

 Libvirt WANTS to prohibit qemu from using open()/openat(), and instead
 get ALL its fds from inheritence across exec() and/or SCM_RIGHTS.  In
 this way, qemu can be made more secure out of the box, even on file
 systems like NFS that lack SELinux labeling.

Opening up files as root and passing the descriptors to an unprivileged
process is more secure than doing open() as an unprivileged process.

The kernel is capable of doing this enforcement.  I don't think it's
reasonable to expect QEMU to never use open() at all.

 Right now, if you store
 your image files on NFS, then you have to explicitly grant SELinux the
 virt_use_nfs boolean, which says that qemu can open() _any_ file on NFS,
 even if it is not a file belonging to the guest's disk image.  But if we
 can prohibit qemu from calling open(), while still accessing everything
 it needs with fd passing, then virt_use_nfs is no longer necessary - and
 even if the qemu process is compromised by a rogue guest, the
 compromised process cannot access any file to which it does not already
 have an fd.

Yes, I understand why this is needed for NFS.  But NFS is a corner case
of the kernel not being able to do it's job.  It doesn't mean we should
circumvent the checking the kernel does and reinvent it all again in
userspace.

 But given the way open() blacklisting works, allowing qemu to
 open(/dev/random) while forbidding open(/nfs/...) is much harder
 than forbidding all open().  In other words, an all-or-nothing switch is
 possible only if qemu consistently uses qemu_open() instead of raw open().

I said this when seccomp was first introduced and I'll say it again.
blacklisting open() is a bad idea.  DAC and MAC already exist and solve
this problem.  We've got filesystem namespaces too.

 I understand the reason that fdsets exist (because NFS is stupid and
 doesn't support labeling).  But we aren't doing dynamic labeling of
 /dev/random and I strongly suspect it's not on NFS anyway.
 
 So why are we trying to pass fds here?

 Consistency - how do you write a policy that allows open(/dev/random)
 while forbidding open(/nfs/...)?  It's much simpler to forbid open(),
 even if /dev/random doesn't have any labeling issues.

I think you're trying to solve the wrong problem (forbidding open()).

Regards,

Anthony Liguori


 -- 
 Eric Blake   eblake redhat com+1-919-301-3266
 Libvirt virtualization library http://libvirt.org

Re: [Qemu-devel] virtio-rng and fd passing

[Eric Blake]

On 03/01/2013 04:59 PM, Anthony Liguori wrote:
 I said this when seccomp was first introduced and I'll say it again.
 blacklisting open() is a bad idea.  DAC and MAC already exist and solve
 this problem.  We've got filesystem namespaces too.

Let's explore that idea a bit further.  What happens if libvirt decides
to create a new filesystem namespace for qemu, where libvirt unmounts
all non-local filesystems, as well as any file system that does not
support SELinux labeling.  Then all remaining filesystems, seen by qemu,
will enforce SELinux semantics, and we can let qemu open() at will
because the open will then be guarded by SELinux.  The only remaining
access is to files to the unmounted file systems, where fd passing from
libvirt bypasses the fact that qemu can't see the file system.  I could
see that working, and it would still let us get rid of the selinux
virt_use_nfs bool while still providing secure NFS out-of-the-box.  And
your argument is that virtio-rng should be pointed to a character
device, never an NFS file, and therefore not using qemu_open() is no
real loss because open() will not be blacklisted, just NFS file systems.
 Okay, maybe that will work.

Still, I think I can come up with a scenario where fd passing makes
sense.  Consider the case of forensic analysis, where a guest image is
cloned, and then slight modifications are done on forks of the guest, to
play out some what-if scenarios.  Let's suppose that I _want_ to have an
accurate replay of all inputs to the guest - that means that I capture a
fixed chunk of a true random source once, but then on each variation of
a guest, I want to replay the _same_ stream of data.  Yes, that is not
random from the host's perspective - but in forensic analysis, you want
to eliminate as many variables as possible.  And from the guest's
perspective, as long as the data was _originally_ captured from a true
random source, replaying the data once per guest won't violate the
random expectations within the guest.  Now that means that I want to
feed virtio-rng with a regular file, not a character device.  Now, where
do I store that file?  Why not store it alongside my disk images - in
NFS?  That will only work if qemu can access the random data file; in
other words, if fd passing is enforced, then accessing a replay stream
of previously captured random content from NFS storage requires the use
of qemu_open().

Maybe you are right that we don't need to blacklist ALL open(), but the
moment we blacklist NFS open() (such as by the alternative of unmounting
NFS in the qemu process), then consistency argues that it should still
be possible to do fd passing.  Should libvirt do fd passing for EVERY
file?  By your argument, no - only for files living in file systems that
were blacklisted.  But the point remains - who are you to say that I
have no valid business opening a guest but feeding that guest's random
hardware from a file that I store on host's NFS?

-- 
Eric Blake   eblake redhat com+1-919-301-3266
Libvirt virtualization library http://libvirt.org



signature.asc
Description: OpenPGP digital signature

Re: [Qemu-devel] virtio-rng and fd passing

[Stefan Berger]

On 03/01/2013 06:59 PM, Anthony Liguori wrote:

Eric Blake ebl...@redhat.com writes:


On 03/01/2013 04:05 PM, Anthony Liguori wrote:

Eric Blake ebl...@redhat.com writes:


On 03/01/2013 02:08 PM, Anthony Liguori wrote:


You can pass chardevs to the egd backend.  It's really not a good idea
to pass a fd via rng-rangom.

Why not?  If you are running a single guest, why can't libvirt pass that
one guest an fd instead of making qemu open() the file?

Why can't QEMU just open(/dev/random)?  What's the advantage of libvirt
doing the open?

sVirt/syscall blacklisting

Libvirt WANTS to prohibit qemu from using open()/openat(), and instead
get ALL its fds from inheritence across exec() and/or SCM_RIGHTS.  In
this way, qemu can be made more secure out of the box, even on file
systems like NFS that lack SELinux labeling.

Opening up files as root and passing the descriptors to an unprivileged
process is more secure than doing open() as an unprivileged process.

The kernel is capable of doing this enforcement.  I don't think it's
reasonable to expect QEMU to never use open() at all.


For blacklisting of open() to succeed we would need to at least pass all 
file descriptors into QEMU so that QEMU doesn't need to call open() 
because of the devices it uses. If there are no open() calls left in 
all/most predictable cases then blacklisting open() could be enabled for 
those cases (hopefully all of them).  Isn't thos the technical aspect to 
what it comes down to in the end that would let one blacklist open()?


  Stefan

Re: [Qemu-devel] virtio-rng and fd passing

[Anthony Liguori]

Eric Blake ebl...@redhat.com writes:

 On 03/01/2013 04:59 PM, Anthony Liguori wrote:
 I said this when seccomp was first introduced and I'll say it again.
 blacklisting open() is a bad idea.  DAC and MAC already exist and solve
 this problem.  We've got filesystem namespaces too.

 Let's explore that idea a bit further.  What happens if libvirt decides
 to create a new filesystem namespace for qemu, where libvirt unmounts
 all non-local filesystems, as well as any file system that does not
 support SELinux labeling.  Then all remaining filesystems, seen by qemu,
 will enforce SELinux semantics, and we can let qemu open() at will
 because the open will then be guarded by SELinux.  The only remaining
 access is to files to the unmounted file systems, where fd passing from
 libvirt bypasses the fact that qemu can't see the file system.  I could
 see that working, and it would still let us get rid of the selinux
 virt_use_nfs bool while still providing secure NFS out-of-the-box.  And
 your argument is that virtio-rng should be pointed to a character
 device, never an NFS file, and therefore not using qemu_open() is no
 real loss because open() will not be blacklisted, just NFS file systems.
  Okay, maybe that will work.

A simpler version would be to chroot the QEMU process but sure.

 Still, I think I can come up with a scenario where fd passing makes
 sense.  Consider the case of forensic analysis, where a guest image is
 cloned, and then slight modifications are done on forks of the guest, to
 play out some what-if scenarios.  Let's suppose that I _want_ to have an
 accurate replay of all inputs to the guest - that means that I capture a
 fixed chunk of a true random source once, but then on each variation of
 a guest, I want to replay the _same_ stream of data.  Yes, that is not
 random from the host's perspective - but in forensic analysis, you want
 to eliminate as many variables as possible.  And from the guest's
 perspective, as long as the data was _originally_ captured from a true
 random source, replaying the data once per guest won't violate the
 random expectations within the guest.  Now that means that I want to
 feed virtio-rng with a regular file, not a character device.  Now, where
 do I store that file?  Why not store it alongside my disk images - in
 NFS?  That will only work if qemu can access the random data file; in
 other words, if fd passing is enforced, then accessing a replay stream
 of previously captured random content from NFS storage requires the use
 of qemu_open().

This doesn't work.  /dev/random can return partial reads whereas you
will likely return full reads.  The guest also whitens input from a
hardware rng and that involves using additional sources of entropy.
Basically, you would need 100% deterministic execution for this to work.

There is no valid use-case of rng-random other than using /dev/random.
In fact, it was probably a mistake to even allow a filename to be
specified because it lets people do silly things (like /dev/urandom).

If you want anything other than /dev/random, you should use rng-egd.

Regards,

Anthony Liguori


 Maybe you are right that we don't need to blacklist ALL open(), but the
 moment we blacklist NFS open() (such as by the alternative of unmounting
 NFS in the qemu process), then consistency argues that it should still
 be possible to do fd passing.  Should libvirt do fd passing for EVERY
 file?  By your argument, no - only for files living in file systems that
 were blacklisted.  But the point remains - who are you to say that I
 have no valid business opening a guest but feeding that guest's random
 hardware from a file that I store on host's NFS?

 -- 
 Eric Blake   eblake redhat com+1-919-301-3266
 Libvirt virtualization library http://libvirt.org

Re: [Qemu-devel] virtio-rng and fd passing

[Anthony Liguori]

Stefan Berger stef...@linux.vnet.ibm.com writes:

 On 03/01/2013 06:59 PM, Anthony Liguori wrote:
 Eric Blake ebl...@redhat.com writes:

 On 03/01/2013 04:05 PM, Anthony Liguori wrote:
 Eric Blake ebl...@redhat.com writes:

 On 03/01/2013 02:08 PM, Anthony Liguori wrote:

 You can pass chardevs to the egd backend.  It's really not a good idea
 to pass a fd via rng-rangom.
 Why not?  If you are running a single guest, why can't libvirt pass that
 one guest an fd instead of making qemu open() the file?
 Why can't QEMU just open(/dev/random)?  What's the advantage of libvirt
 doing the open?
 sVirt/syscall blacklisting

 Libvirt WANTS to prohibit qemu from using open()/openat(), and instead
 get ALL its fds from inheritence across exec() and/or SCM_RIGHTS.  In
 this way, qemu can be made more secure out of the box, even on file
 systems like NFS that lack SELinux labeling.
 Opening up files as root and passing the descriptors to an unprivileged
 process is more secure than doing open() as an unprivileged process.

 The kernel is capable of doing this enforcement.  I don't think it's
 reasonable to expect QEMU to never use open() at all.

 For blacklisting of open() to succeed we would need to at least pass all 
 file descriptors into QEMU so that QEMU doesn't need to call open() 
 because of the devices it uses. If there are no open() calls left in 
 all/most predictable cases then blacklisting open() could be enabled for 
 those cases (hopefully all of them).  Isn't thos the technical aspect to 
 what it comes down to in the end that would let one blacklist open()?

Sandboxing isn't a panacea.  The benefit comes from removing unnecessary
interfaces from the attack surface.  It doesn't help if you blacklist
and interface but then invent an RPC that replicates it anyway.

Moving the open validation logic from the kernel to libvirt is *not*
reducing the attack surface.  It's simply moving it from one place (the
kernel) to another (libvirt).

I'd rather the kernel be the one validating open() calls than libvirt.

Regards,

Anthony Liguori


Stefan

Re: [Qemu-devel] virtio-rng and fd passing

[Stefan Berger]

On 03/01/2013 10:17 PM, Anthony Liguori wrote:

Stefan Berger stef...@linux.vnet.ibm.com writes:


On 03/01/2013 06:59 PM, Anthony Liguori wrote:

Eric Blake ebl...@redhat.com writes:


On 03/01/2013 04:05 PM, Anthony Liguori wrote:

Eric Blake ebl...@redhat.com writes:


On 03/01/2013 02:08 PM, Anthony Liguori wrote:


You can pass chardevs to the egd backend.  It's really not a good idea
to pass a fd via rng-rangom.

Why not?  If you are running a single guest, why can't libvirt pass that
one guest an fd instead of making qemu open() the file?

Why can't QEMU just open(/dev/random)?  What's the advantage of libvirt
doing the open?

sVirt/syscall blacklisting

Libvirt WANTS to prohibit qemu from using open()/openat(), and instead
get ALL its fds from inheritence across exec() and/or SCM_RIGHTS.  In
this way, qemu can be made more secure out of the box, even on file
systems like NFS that lack SELinux labeling.

Opening up files as root and passing the descriptors to an unprivileged
process is more secure than doing open() as an unprivileged process.

The kernel is capable of doing this enforcement.  I don't think it's
reasonable to expect QEMU to never use open() at all.

For blacklisting of open() to succeed we would need to at least pass all
file descriptors into QEMU so that QEMU doesn't need to call open()
because of the devices it uses. If there are no open() calls left in
all/most predictable cases then blacklisting open() could be enabled for
those cases (hopefully all of them).  Isn't thos the technical aspect to
what it comes down to in the end that would let one blacklist open()?

Sandboxing isn't a panacea.  The benefit comes from removing unnecessary
interfaces from the attack surface.  It doesn't help if you blacklist
and interface but then invent an RPC that replicates it anyway.

Moving the open validation logic from the kernel to libvirt is *not*
reducing the attack surface.  It's simply moving it from one place (the
kernel) to another (libvirt).


It depends on what one defends against. If a jail-break succeeds and 
open() is disabled, then that attack surfaces was effectively reduced. 
It's hard to say whether opening files within libvirt could then allow 
new exploits.


Stefan

[Qemu-devel] virtio-rng and fd passing

[Eric Blake]

Stefan Berger and I discovered on IRC that virtio-rng is unable to
support fd passing.  We attempted:

qemu-system-x86_64 ... -add-fd set=4,fd=34,opaque=RDONLY:/dev/urandom
-object rng-random,id=rng0,filename=/dev/fdset/4 -device
virtio-rng-pci,rng=rng0,bus=pci.0,addr=0x6

qemu-system-x86_64: -device virtio-rng-pci,rng=rng0,bus=pci.0,addr=0x6:
Could not open '/dev/fdset/4'

Looks like this code is the culprit, in backends/rng-random.c:

static void rng_random_opened(RngBackend *b, Error **errp)
{
RndRandom *s = RNG_RANDOM(b);

if (s-filename == NULL) {
error_set(errp, QERR_INVALID_PARAMETER_VALUE,
  filename, a valid filename);
} else {
s-fd = open(s-filename, O_RDONLY | O_NONBLOCK);

For fd passing to work, we have to use qemu_open() instead of raw
open().  Is there any way to enforce that all files being opened by qemu
go through the appropriate qemu_open() wrapper?

Meanwhile, we have a quandary on the libvirt side of things: qemu 1.4
supports fd passing in general, but does not support it for rng.  I
guess the same is true for -blockdev - we don't (yet) have a way to do
fd passing for backing files.  Do we need some sort of QMP command that
will let libvirt query for a particular device whether that device is
known to support fd passing, so that libvirt can use fd passing for all
supported devices, while falling back to older direct open()s, and to
know which instance of qemu can safely have open() blocked at the
SELinux or syscall blacklist level?

-- 
Eric Blake   eblake redhat com+1-919-301-3266
Libvirt virtualization library http://libvirt.org



signature.asc
Description: OpenPGP digital signature

Re: [Qemu-devel] virtio-rng

[Ian Molton]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Jamie Lokier wrote:
 Ian Molton wrote:

 With VMs, in some circumstances it might be preferable to trust the
 host when it says it's providing already-tested entropy.  After all
 the host has total control over the guest anyway, and the host entropy
 has already been run through the same checks.

I dont know. The guests might not necessarily trust the host. I can
certainly see some benefit of not running the checks twice, however, and
this applies to some other hw rng drivers too - One in particular I know
will shut down if it detects that its entropy source(s) have gone bad.

 So I think virtio-rng could benefit form being a special case, if the
 host says I assert this is entropy, you might inject it directly,
 and thus work even with guests that aren't running the rngd daemon for
 one reason or another.  (E.g. embedded system guests.)

I wonder if a 'rngd-lite' might not be an easier solution. I cant
imagine theres going to be much performance hit.

That said, even on my full-fat x86-64 box here, rngd weighs in at just
32KB and only needs libc...

 I still intend to submit my virtio-rng driver, if thats what you mean,
 since it presents the data via the same routes as all the other hw rng
 sources. I feel this approach has value.
 
 Suddenly I'm intrigued by this intend to submit as I see a
 virtio-rng driver already in the 2.6 tree... What have I misunderstood?

host side driver for qemu... I guess the proper term is qdev ?

- -Ian
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQIcBAEBAgAGBQJLAmphAAoJEFIjE1w7L6YHm5cP/0jotxofq3OUTaPtqUHGTw8K
PJ8sfkcNvJ/4GSEbCYCXcRsSqnG32R+w6LF8lOInWsi3BJsNUqRBgInGnDzC8/kV
1vkhRQELUBgNlLes+pG6GoaQZSVnQ8Z6HbNYSxyyZ+DqESR2+f0Gm8j+QdyTpXxS
ARVoDGOM+IduZL//NMy4+hBPUGymosGKepVmaT/9cVPubGumq/f+mf21AdwCPEvk
JIlRV1asqbBU7jyut5uVULpXwqygc6+kkZl6IzIPdv9BbcI9KersikL9srXZHJa9
JtyTjXdE9lsogkJkWD5Y9yL0o9oBuQdAKD8WeN+v//imzhbcuQ5kASiGMSkRo4eD
yi8oP8PIN+vhI6MhLKML7B6n4Li+xDegNxgH1qSeB3IxovTUwuVoyK7C3GIw9Kt8
h/B6FQ0gE7yNtqsFMz4m2+vWdN9ZkNPX3o5bv5DDbPiKfVUZYu0wuwCcvtD3Wbq5
SMf1rxHCgRx3B526bJGWpgeataztp1B1B2+ml2Mdbgb2r35QOaTw/ENpt4n68o/z
ITzOAOLlPHkUDLlurkQ8jMX7rT9W/NlL/y60jImjgv5zxqggEkmMlQqSnUKwIXRE
CAZAq9+6eQ/vf6r/rY8GlVVfKr5L8tRovNSbX35vbKkjpvf+aWDr66ON+bDh2Mn+
Z5LmO4HSRe/2M7e4D8HV
=9LtM
-END PGP SIGNATURE-

Re: [Qemu-devel] virtio-rng

[Amit Shah]

On (Mon) Nov 16 2009 [17:58:22], Ian Molton wrote:
 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA1
 
 Gerd Hoffmann wrote:
 
  Maybe ...
  
 -chardev socket,id=egd,host=egd.domain.tld,port=whatever
 -device virtio-rng,chardev=egd
 
 I've had a go at modifying virtio-console.c to use these semantics,
 attached below. I'd appreciate it if you could let me know if this is
 'the right way'.

I'm doing that as part of revamping of the virtio-console driver. You
can see the latest patch I sent out here:

http://patchwork.ozlabs.org/patch/36901/

Amit

Re: [Qemu-devel] virtio-rng

[Ian Molton]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Amit Shah wrote:
 (Any reason to take this off-list?)

None other than hitting reply rather than reply-all. CCing list once
more :-)

 Either way, you still need to specify the properties - they've just
 moved into the console driver in your patch by the look of it.
 
 Yeah; there are two ways of setting properties -- from the command line
 or from code.
 
 What you're doing is something like
 
 -virtiorng,a=foo,b=bar

Ah, I see why we're at cross purposes here - I thought we'd moved to
discussing virtio-console. I've already moved to qdev based init for
virtio-rng - 'fixing' virtio-console was where I learnt about the 'new
way' (qdev).

 I'd prefer to do the same for virtio-rng,

Here I refer to you having (and I didnt apply the patch so I may have
misread) dropped the virtio-pci proxy from virtio-console. Once I've got
a tree I can apply your patch to I'll take another look :-)

 You should work on the qemu.git tree (use -enable-kvm for testing :).
 KVM will get the changes automatically when your changes get merged in
 qemu and the kvm maintainers next merge the qemu git repo.

I'll do that then ;-)

 Yes, I saw that. Would it not be better to generate the device / chardev
 pair dynamically though, rather than preserve the icky old array?
 
 I don't understand what you mean by 'dynamically'.

Rather than have that array virtcon_hds at all, create the pairs of host
side data and qdev properties during parsing the commandline - no need
to store them up and iterate through the later, or to set an arbitrary
limit on how many can be specified in that way.

Might be an idea for qemu to warn people that this syntax will be
deprecated, too...
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQIcBAEBAgAGBQJLAoSmAAoJEFIjE1w7L6YHcq4P/jlzcNvWHqqkRQkdQWsy6JUh
Kh3LDh23nuK9u+aoFgXP8gpej8jT6+cAdzQ+opk/JnPQXDW4nSWcdN5HKPAmTKMP
+N78mx7w0WAOFPXd33ZRvP9mqIir6wPmwibC1aUyk6Q6+KH9Io+IDvH6qfrkIung
mYHL3WSDObkcHa6+F1ADxYA9TWr9eib6lOu8EG4LgSeJRq48+2b++kvhd8mFcMdg
yu1ed7V0U43rMhbIrAtlQsp3BWlF3KdrciFtlXyLJ9iBeSp8H0IUn+XWt1nqvNdP
T47J6Weiv7wap2RqSj7Pf5xFs45zyw2ismsfmR9iMraanISF+laZSoBynT/Et7eg
d8BoEE/PGsYeFcRm1cpETPkO7fRQxXmd8To6IqomWmT0r41KcEW9Bcs7/MIZcPpo
LtH3jZqbsd5vLEIf769rs3g38gmkNpq3sfDMJ+a5xRW9qdVOmeWfD4bPpqwIPYrq
MRF/YSZch+aLsKx7Ql+CxM+r/xY7HscIS/4hfIC8OzKnEOxO+jGiV4Mf9RMfOBZw
DdXv9YKeu3gemhguKo4NEoTonmvcv6PvhVplu5T4+wJCMjI0T2QkaJmNQFqQSfQj
FB+Qri0ad8GY5H6eirvXq/6qBHtuMP+9fJn0A/ErvlXTBKYJg+VeBQSraSylOy4c
ii9UNqk7klAw4lN7hnuP
=af4Q
-END PGP SIGNATURE-

Re: [Qemu-devel] virtio-rng

[Amit Shah]

On (Tue) Nov 17 2009 [11:10:32], Ian Molton wrote:
 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA1
 
 Amit Shah wrote:
  (Any reason to take this off-list?)
 
 None other than hitting reply rather than reply-all. CCing list once
 more :-)
 
  Either way, you still need to specify the properties - they've just
  moved into the console driver in your patch by the look of it.
  
  Yeah; there are two ways of setting properties -- from the command line
  or from code.
  
  What you're doing is something like
  
  -virtiorng,a=foo,b=bar
 
 Ah, I see why we're at cross purposes here - I thought we'd moved to
 discussing virtio-console. I've already moved to qdev based init for
 virtio-rng - 'fixing' virtio-console was where I learnt about the 'new
 way' (qdev).

I actually meant to talk about virtio-console but had the virtio-rng
example ready in mind. I thought you did the same thing for console too?
Sorry I've not really looked at the patch in detail so you can disregard
that comment.

  I'd prefer to do the same for virtio-rng,
 
 Here I refer to you having (and I didnt apply the patch so I may have
 misread) dropped the virtio-pci proxy from virtio-console. Once I've got
 a tree I can apply your patch to I'll take another look :-)

It slightly works differently now: virtio is supposed to be
pci-agnostic. So what now happens is:

virtio-console hooks on to the virtio-serial-bus via -device virtconsole
virtio-serial-bus hooks on to the virtio-pci-proxy via -device
virtio-serial-pci

  Yes, I saw that. Would it not be better to generate the device / chardev
  pair dynamically though, rather than preserve the icky old array?
  
  I don't understand what you mean by 'dynamically'.
 
 Rather than have that array virtcon_hds at all, create the pairs of host
 side data and qdev properties during parsing the commandline - no need
 to store them up and iterate through the later, or to set an arbitrary
 limit on how many can be specified in that way.

qdev won't understand the old-style commandline syntax; so once
-virtioconsole is encounters, all parsing of the arguments for that
param are to be done by the code that handles -virtioconsole. The array
is maintained because multiple virtio-consoles could be spawned, upto a
max. of MAX_VIRTIO_CONSOLES. But, as it stands, MAX_VIRTIO_CONSOLES is 1
and so the array can be dropped, but a local var. would still be needed
to fetch the chardev and then init it properly using qemu_opt.

 Might be an idea for qemu to warn people that this syntax will be
 deprecated, too...

Yes, that should be done (maybe for 1-2 releases).

Amit

Re: [Qemu-devel] virtio-rng

[Gerd Hoffmann]

  Hi,


in qdev_init_chardev() the return value is picked based upon the name of
the device. For now, I've added a third 'if clause' to match for my
driver and pass through the CharDriverState * fron vl.c for my rng
driver, however I'd like to solve this properly.


Ignore qdev_init_chardev() ...


I think a simple name-pointer type matching system would work fine,
however I'd like to know if anyone else has sorted this yet, or if I
should be doing things differently altogether.


Use a chardev property (look at serial.c, isa-serial device).

Then you'll configure it on the qemu command line like this:

  -chardev $backend,id=some-name-here,more-chardev-parameters
  -device virtio-rng,chardev=some-name-here

HTH,
  Gerd

Re: [Qemu-devel] virtio-rng

[Ian Molton]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Gerd Hoffmann wrote:
   Hi,

Hi!

Thanks for your reply - I should have posted to say I'd partially solved
this. I have a question though,

 Use a chardev property (look at serial.c, isa-serial device).
 
 Then you'll configure it on the qemu command line like this:
 
   -chardev $backend,id=some-name-here,more-chardev-parameters
   -device virtio-rng,chardev=some-name-here

I've done something similar (below)

My commandline looks like:

- -virtiorng dev=/dev/foo,rate=1234

I added some properties to my driver which are obviously then filled in
from the options code, and I do my init like this:

VirtIODevice *virtio_rng_init(DeviceState *dev, RNGConf *rngdev)
{
VirtIORng *s;
s = (VirtIORng *)virtio_common_init(virtio-rng,
VIRTIO_ID_RNG,
0, sizeof(VirtIORng));

if (!s)
return NULL;

s-vdev.get_features = virtio_rng_get_features;

s-vq = virtio_add_queue(s-vdev, 128, virtio_rng_handle);
s-chr = qemu_chr_open(vrngdev, rngdev-device, NULL);

...

return s-vdev;
}

Is this 'not the right way' ? I think the commandline looks much simpler
this way.

OTOH, I can see that this might help with my next problem, which is that
I want to write EGD support for virtio-rng, so I'm guessing my
commandline would (in your scheme) need to be something like:


-tcpsocketthing $addr.of.egd.server,id=some-name-here,
 more-egd-client-options
-device virtio-rng,tcpsocketthing=some-name-here,rate=$limit

I guess the idea here is to seperate the host related config from the
guest OS setup ?

This doesnt, however, get around my problem that the -device option
doesnt know how to parse OPT_SIZE types, though. (I'd like to be able to
specify 'rate' in B/s or KB/s (or even kbits/sec, more appropriately))

- -Ian
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQIcBAEBAgAGBQJLAUWCAAoJEFIjE1w7L6YHi7YP/1JXi1T1T3/GUG8o+ZTXJbV5
KUCkwZct7bAqMaZyxsbkbqo947tNjL006kupvUwRsfS/Hrp2uf9K/+o0tTGr87Kl
ec7sWAU67q1ydhFQQYcAnUeBEe2qO9qIXC2d32QOPOTBftwmmCYMSRob+VG0jOvy
eBN9ZdnUM+vGWmFfAxH8U1Wcx4sxEni+QZ36cFSCwAVfimxqkj9h2sI4yYVmIwWI
3VN6BERQgBGMp81fRY+QiVFGSXEPfLi/ppI8Ta6MOO3dB91XzsqDcMNIHIJwmxFz
S2uSMl9py3P5jGb2hhHHO56Fvl8paBOEvVm1SsOMXID9MpnrSHJZmlnKAe+P0nY2
EX+pvvqJZwA2OS15fjzypmho0WZtvS/HdrvEp9SQcM6dgfyVapR6H/GLrqV1iEZ5
uarKBbFKuWVCl8rWc4dZm6sMDfIuzjUgeMZyEhUx3dHVpzzd1B0zIZOVFyI7Fde1
+ox+lvm4EXBV/hji4GCc3E1pJSlmQtokSSTuaVrAXrwJRJcZpX3cjsQad5S5OOrI
zXYgs2H/ITINxnVjxkPTHty1txcZrs2Wvjbs8LvkE7LsZuquy+maVN2VS7ahwy3q
qCAkfm8Yp1QVmPM1sAlhuMPCrtQKl4VAt825PbpjEd4DNHZb1hnK8s7dc3NpVKcv
NK+vr3fUldUlsU+6Om0r
=yNv7
-END PGP SIGNATURE-

Re: [Qemu-devel] virtio-rng

[Gerd Hoffmann]

On 11/16/09 13:28, Ian Molton wrote:


I've done something similar (below)

My commandline looks like:

- -virtiorng dev=/dev/foo,rate=1234

I added some properties to my driver which are obviously then filled in
from the options code, and I do my init like this:


There is no need for a new -virtiorng switch.  qdev allows to set any 
property when creating devices via -device on the command line.



VirtIODevice *virtio_rng_init(DeviceState *dev, RNGConf *rngdev)
{
 VirtIORng *s;
 s = (VirtIORng *)virtio_common_init(virtio-rng,
 VIRTIO_ID_RNG,
 0, sizeof(VirtIORng));

 if (!s)
 return NULL;

 s-vdev.get_features = virtio_rng_get_features;

 s-vq = virtio_add_queue(s-vdev, 128, virtio_rng_handle);
 s-chr = qemu_chr_open(vrngdev, rngdev-device, NULL);

 ...

 returns-vdev;
}

Is this 'not the right way' ? I think the commandline looks much simpler
this way.


The point is to separate host and guest state.  -chardev ist host state, 
the device is guest state, and they are linked using the chardev name.



OTOH, I can see that this might help with my next problem, which is that
I want to write EGD support for virtio-rng, so I'm guessing my
commandline would (in your scheme) need to be something like:


 -tcpsocketthing $addr.of.egd.server,id=some-name-here,
  more-egd-client-options
 -device virtio-rng,tcpsocketthing=some-name-here,rate=$limit


Maybe ...

   -chardev socket,id=egd,host=egd.domain.tld,port=whatever
   -device virtio-rng,chardev=egd

... ?


This doesnt, however, get around my problem that the -device option
doesnt know how to parse OPT_SIZE types, though. (I'd like to be able to
specify 'rate' in B/s or KB/s (or even kbits/sec, more appropriately))


Yes, there is no qdev property type (yet) which can parse those 
postfixes.  Which is no reason to not add one though ;)


cheers,
  Gerd

Re: [Qemu-devel] virtio-rng

[Ian Molton]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Gerd Hoffmann wrote:

 Maybe ...
 
-chardev socket,id=egd,host=egd.domain.tld,port=whatever
-device virtio-rng,chardev=egd

I've had a go at modifying virtio-console.c to use these semantics,
attached below. I'd appreciate it if you could let me know if this is
'the right way'.

 This doesnt, however, get around my problem that the -device option
 doesnt know how to parse OPT_SIZE types, though. (I'd like to be able to
 specify 'rate' in B/s or KB/s (or even kbits/sec, more appropriately))
 
 Yes, there is no qdev property type (yet) which can parse those
 postfixes.  Which is no reason to not add one though ;)

I'll look into it ;-)

Heres my patch to virtio-console. The device is now specified like this:

- -chardev file,path=/path/to/testfile,id=test
- -device virtio-console-pci,chardev=test

(for example)

TTFN!

- -Ian
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQIcBAEBAgAGBQJLAZK2AAoJEFIjE1w7L6YHS0UP/0v/0a42Mon+SsUfowv7EpKw
0clLC/JCTcNFzSD1PqFdYV5E2kqCeMHHRS2DsCjjGFxgC5uOD7tuBLp66dk2vxvh
0QnIXkVD9FRBfRS5E2VtjterYmp2Fu+EBE3ugtAiKZhtQWVtmiQfRVqrqClpz8hd
4l/RXxTNkjJE5yRm9J7tBZ9lZqJ5tKTxqQtQV2+pPghOX7zAu4tsv3kLk9LY6SZr
dfUfv1iXiNwiZh3Z7pKEiezzJKtoPS5y30wIszPziv2Ef/V153hxED35nT6y1+1i
16wknBJgFUG7Hp0GrprUp6N5pRTX2f7X07IXhPdMyX79J9RtS8Vg7+5aX6nsK5m0
8B0WvXZqn6i+DHGrcXNPw0IpkP/MDCTVSn15O9TsiyKLnkKfjHlQHzhDkVb9yMub
bkd4uE8e9i+vqIY57kqsvcfGytcw4g3bHzT2SasKKyBjGVcwahQT4zDI9PjX7CUg
vxqktTy3y4de/ijrzuIy5e/oCK6b9AAKI0dJJJfH6NsP1ljMldEeJlkLKRheWBy9
2AqdkmQhD3eD5fo5idmp9oxx0okfg/p3v5IdLTUadgIYSL70J61fb0TL6hBNo8TS
uuCoZdgeKXD470tUXWvrWPxIACvG8ZAMYhz3CGXrFGb8WJjt1Rb0DXvHbr2Z8Wdn
2PwPSOliAY0iPfzo79Ke
=TM+C
-END PGP SIGNATURE-
From 40a7a43484176194490a7980741a6d4764c10fb1 Mon Sep 17 00:00:00 2001
From: Ian Molton ian.mol...@collabora.co.uk
Date: Mon, 16 Nov 2009 17:49:18 +
Subject: [PATCH] virtio-console: Remove ugly device reg. hack

	This patch removes the unsightly hack in qdev_init_chardev() that
was used in order to pass the host device to virtio-console.

	It does not remove the limit of only one console which is imposed by
the use of the virtio-pci proxy in virtio-pci.c, however if this were fixed,
it would be possible to register numerous consoles without further modification
of the virtio-console qdev.

Signed-off-by: Ian Molton ian.mol...@collabora.co.uk
---
 hw/pc.c |9 -
 hw/ppc440_bamboo.c  |7 ---
 hw/qdev.c   |9 ++---
 hw/virtio-console.c |8 
 sysemu.h|6 --
 vl.c|   37 -
 6 files changed, 6 insertions(+), 70 deletions(-)

diff --git a/hw/pc.c b/hw/pc.c
index fb73a54..1d0c870 100644
--- a/hw/pc.c
+++ b/hw/pc.c
@@ -1368,15 +1368,6 @@ static void pc_init1(ram_addr_t ram_size,
 	extboot_init(info-bdrv, 1);
 }
 
-/* Add virtio console devices */
-if (pci_enabled) {
-for(i = 0; i  MAX_VIRTIO_CONSOLES; i++) {
-if (virtcon_hds[i]) {
-pci_create_simple(pci_bus, -1, virtio-console-pci);
-}
-}
-}
-
 #ifdef CONFIG_KVM_DEVICE_ASSIGNMENT
 if (kvm_enabled()) {
 add_assigned_devices(pci_bus, assigned_devices, assigned_devices_index);
diff --git a/hw/ppc440_bamboo.c b/hw/ppc440_bamboo.c
index 25417e3..c94c961 100644
--- a/hw/ppc440_bamboo.c
+++ b/hw/ppc440_bamboo.c
@@ -109,13 +109,6 @@ static void bamboo_init(ram_addr_t ram_size,
 env = ppc440ep_init(ram_size, pcibus, pci_irq_nrs, 1, cpu_model);
 
 if (pcibus) {
-/* Add virtio console devices */
-for(i = 0; i  MAX_VIRTIO_CONSOLES; i++) {
-if (virtcon_hds[i]) {
-pci_create_simple(pcibus, -1, virtio-console-pci);
-}
-}
-
 /* Register network interfaces. */
 for (i = 0; i  nb_nics; i++) {
 /* There are no PCI NICs on the Bamboo board, but there are
diff --git a/hw/qdev.c b/hw/qdev.c
index 373ddfc..237da57 100644
--- a/hw/qdev.c
+++ b/hw/qdev.c
@@ -321,13 +321,8 @@ void qdev_machine_creation_done(void)
 CharDriverState *qdev_init_chardev(DeviceState *dev)
 {
 static int next_serial;
-static int next_virtconsole;
-/* FIXME: This is a nasty hack that needs to go away.  */
-if (strncmp(dev-info-name, virtio, 6) == 0) {
-return virtcon_hds[next_virtconsole++];
-} else {
-return serial_hds[next_serial++];
-}
+
+return serial_hds[next_serial++];
 }
 
 BusState *qdev_get_parent_bus(DeviceState *dev)
diff --git a/hw/virtio-console.c b/hw/virtio-console.c
index bc3681f..8fe8a5d 100644
--- a/hw/virtio-console.c
+++ b/hw/virtio-console.c
@@ -21,7 +21,7 @@ typedef struct VirtIOConsole
 {
 VirtIODevice vdev;
 VirtQueue *ivq, *ovq;
-CharDriverState *chr;
+CharDriverState chr;
 } VirtIOConsole;
 
 static VirtIOConsole *to_virtio_console(VirtIODevice *vdev)
@@ -39,7 +39,7 

Re: [Qemu-devel] virtio-rng

[Jamie Lokier]

Ian Molton wrote:
 Heres my patch to virtio-console. The device is now specified like this:
 
 - -chardev file,path=/path/to/testfile,id=test
 - -device virtio-console-pci,chardev=test

It'd be nice if some options on the qemu command line (or config file)
resulted in the guest kernel getting entropy (assuming a kernel with
the appropriate support), without having to run a special
entropy-injection daemon in the guest.

virtio-console can be used for that, but it'd be necessary to have a
way to tell the guest kernel to treat that particular device as an
entropy source.  Even just a standard name.

-- Jamie

Re: [Qemu-devel] virtio-rng

[Ian Molton]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Jamie Lokier wrote:
 Ian Molton wrote:
 Heres my patch to virtio-console. The device is now specified like this:

 - -chardev file,path=/path/to/testfile,id=test
 - -device virtio-console-pci,chardev=test

Note, I think the patch above is broken and slipped by me because I
forgot to make clean - I'll doublecheck tomorrow.

 It'd be nice if some options on the qemu command line (or config file)
 resulted in the guest kernel getting entropy (assuming a kernel with
 the appropriate support), without having to run a special
 entropy-injection daemon in the guest.

How, though - AFAIK linux has no drivers specifically intended to feed
entropy into the kernels pool - all the hwrng drivers use a userspace
tool to do so.

I still intend to submit my virtio-rng driver, if thats what you mean,
since it presents the data via the same routes as all the other hw rng
sources. I feel this approach has value.

- -Ian

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQIcBAEBAgAGBQJLAd1fAAoJEFIjE1w7L6YHqk4QAKSUMZ9VUJss4YWecDPS52DF
Jc7sbDEDuk6bRziRqY8nYMovOzalXgbcfSR3ElhZ4lAEGAGwDP1Qa9IbLh1vf083
UgLZa6FRSWbf5A72+Jl3vLzFnzraWp7Y3m6/qX4mv+NHyBRrBGJ5RwJ7DCTeW8I0
9YScryKZiwPdH2CW+ZUj1+mdbbX/n28mJzUHByRkUgLmKHEXgjNdSRBgtM8/YTia
yEO2arQC0Oq+t+r/cjy0B5HTg2Qq+mqFIr9gTIIN8xuVmEuX2mNoT5BSJwGoOWYS
+tjTusCXQ/SF1FgGBmNaFddtUTLge1op1gKtGEwsX8QqYmLCo9TBhDzfVZB+U+jM
m5ACEHYFCAuYQWOMsajcO78wy6q5yKFE1MJrP69EGR9wtGHNeXVsRQ0EGTqH+rs2
m66+Y0sqzvRvaYqUHSvZMNUf1FWEapkwDLYfJ87twdL1OIqOA5knBMrmZO+rF6bK
RKXGeNK/sTnvL0OEXkzeeaw8Em7ykeyVJi9rO9J8XIKH6cE/XC1ab7uNyFrSIGS6
ELvhbrzJ/c5vp/mZQOaMYrj+1+2QAv+0DpF4DDpQOuiuXFR4O6vh+Tz/qjoFxgzF
Dkh4ggPmbbRWjYS0XNa0p6zvlLC+cKXKnkrOnsxcbre9CQsl4fgMtoAIqApNdlmB
HNoo62fsogVUHaJyJVu7
=eD2D
-END PGP SIGNATURE-

Re: [Qemu-devel] virtio-rng

[Jamie Lokier]

Ian Molton wrote:
 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA1
 
 Jamie Lokier wrote:
  Ian Molton wrote:
  Heres my patch to virtio-console. The device is now specified like this:
 
  - -chardev file,path=/path/to/testfile,id=test
  - -device virtio-console-pci,chardev=test
 
 Note, I think the patch above is broken and slipped by me because I
 forgot to make clean - I'll doublecheck tomorrow.
 
  It'd be nice if some options on the qemu command line (or config file)
  resulted in the guest kernel getting entropy (assuming a kernel with
  the appropriate support), without having to run a special
  entropy-injection daemon in the guest.
 
 How, though - AFAIK linux has no drivers specifically intended to feed
 entropy into the kernels pool - all the hwrng drivers use a userspace
 tool to do so.

You're right, with the reason being hardware randomness should be
tested before being passed back to the kernel as trusted entropy, as
it might not be functioning properly or might not have the quality it
claims to have.

With VMs, in some circumstances it might be preferable to trust the
host when it says it's providing already-tested entropy.  After all
the host has total control over the guest anyway, and the host entropy
has already been run through the same checks.

So I think virtio-rng could benefit form being a special case, if the
host says I assert this is entropy, you might inject it directly,
and thus work even with guests that aren't running the rngd daemon for
one reason or another.  (E.g. embedded system guests.)

 I still intend to submit my virtio-rng driver, if thats what you mean,
 since it presents the data via the same routes as all the other hw rng
 sources. I feel this approach has value.

Suddenly I'm intrigued by this intend to submit as I see a
virtio-rng driver already in the 2.6 tree... What have I misunderstood?

Thanks,
-- Jamie

[Qemu-devel] virtio-rng

[Ian Molton]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Hi folks,

I'm writing a virtio-rng host-side driver for qemu-kvm, and I've got
something up and running that works, and will pass data gathered from a
char device on the host through to the virtio-rng driver on a guest copy
of linux.

Ultimately it'll get its entropy from egd as well, but for now I'd like
to solve the issue in hw/qdev.c.

in qdev_init_chardev() the return value is picked based upon the name of
the device. For now, I've added a third 'if clause' to match for my
driver and pass through the CharDriverState * fron vl.c for my rng
driver, however I'd like to solve this properly.

I think a simple name-pointer type matching system would work fine,
however I'd like to know if anyone else has sorted this yet, or if I
should be doing things differently altogether.

also, what does '_hds' stand for? eg. 'virtcon_hds'[]

Thanks,

- -Ian
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQIcBAEBAgAGBQJK+y1LAAoJEFIjE1w7L6YHlI4P/i4QPbsIASmCLtI9RiEtF7LF
NguXv+HCNme8MK6bQpHKLYIJ1q/DSImeeJPjqe/PF1unOBP0d4GmsC+qnLGj4CZn
LCRiqf+ZgVPI/fX8TQ8TOzN9o31EOnWmxOKuj+zDDhbRxG/mY2OzOQCLEBkQ26GL
Pru981FBVJiEPP2JnWnR6Hn+IZaazcyo+ychk0UhQYasmv8XTC75DiiProhyXFJk
TXa8UN+lWd1U1a0mmmg1gxttQrYZiC5i4+k609HY8v3poZ0kjmlH0hIUHt+3FHE8
pA1WL/B26EhNem3ZazGGJ8sNdGg60VTjEBSHyGveCdUtiQU2TWWESBOesQoALkoE
8mONeytgsv7GZ9sh0a1RTInvSsA2TyV/hzQphOtTl6SNEETlGEsFNJpLk+6GeO89
g5A3vdgsOL18ymWxDTf/Ts14mK4+QMa9x4T2Cpttip1LuOwDoV/PCKfpg1q9TT+d
C04TFR7qgl6eAsErHhHlFYmWNcMHn00t9jOEBUTMjIi5xKwsCr+ktWxF0yxLQdlu
co7gLZd4ck4N8GMltPjIXGMnqWLsemf4b7Gpg8wtIjmK5f7l58qVZW0Qsdx9ujJc
MLxQwKvk5OdE+uGMBUDynAGW926Fu/QhdrAhWSbzDFrIjysTY6fzXgNaQa+8HoL9
5fB9UiotqwfYy95HnZV9
=ABHJ
-END PGP SIGNATURE-

Re: [Qemu-devel] virtio-rng

[Paul Brook]

 I'm writing a virtio-rng host-side driver for qemu-kvm, and I've got
 something up and running that works, and will pass data gathered from a
 char device on the host through to the virtio-rng driver on a guest copy
 of linux.

Why do you need a special device? Isn't a regular serial data stream (i.e. 
multiport virtio-console) sufficient? You can then connect that to your source 
of random data (e.g. /dev/random) without requiring any changes to qemu.

Paul