[pve-devel] [PATCH qemu-server] fix #5657: allow configuring RNG device as non-root user
Fabian Grünbichler
f.gruenbichler at proxmox.com
Thu Oct 24 13:16:44 CEST 2024
On September 3, 2024 3:58 pm, Filip Schauer wrote:
> On 02/09/2024 14:21, Fabian Grünbichler wrote:
>> IIRC this was intentional, since passing in the hardware RNG can starve
>> the host of entropy rather quickly. is this no longer the case, or
>> handled by some other check? if so, please include these details here.
>> if not, then I don't think we want to go with this patch - but maybe we
>> want to tighten some other code paths instead 😉
>
>
> Reading from /dev/urandom has never consumed entropy and reading from
> /dev/random no longer poses a concern since the kernel no longer uses a
> blocking entropy pool. [1] The only potential issue might be the
> starvation of the hardware RNG when /dev/hwrng is used. So we might not
> want to allow a non-root user to configure /dev/hwrng, but letting
> non-root users configure the other two options (/dev/urandom and
> /dev/random) seems reasonable.
yes, I was talking about the hardware RNG!
> It might make sense to only allow non-root users to configure
> /dev/urandom and /dev/random as RNG sources.
we could also define some sort of mapping-like thing for the hardware
RNG to allow semi-privileged users to pass it through, after a highly
privileged user set it up and gave them access? but we could wait until
somebody requests that ;)
>
> [1] https://lwn.net/Articles/808575/
>
>
>
> _______________________________________________
> pve-devel mailing list
> pve-devel at lists.proxmox.com
> https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
>
More information about the pve-devel
mailing list