[pve-devel] [PATCH qemu-server] fix #5657: allow configuring RNG device as non-root user
Filip Schauer
f.schauer at proxmox.com
Tue Sep 3 15:58:27 CEST 2024
On 02/09/2024 14:21, Fabian Grünbichler wrote:
> IIRC this was intentional, since passing in the hardware RNG can starve
> the host of entropy rather quickly. is this no longer the case, or
> handled by some other check? if so, please include these details here.
> if not, then I don't think we want to go with this patch - but maybe we
> want to tighten some other code paths instead 😉
Reading from /dev/urandom has never consumed entropy and reading from
/dev/random no longer poses a concern since the kernel no longer uses a
blocking entropy pool. [1] The only potential issue might be the
starvation of the hardware RNG when /dev/hwrng is used. So we might not
want to allow a non-root user to configure /dev/hwrng, but letting
non-root users configure the other two options (/dev/urandom and
/dev/random) seems reasonable.
It might make sense to only allow non-root users to configure
/dev/urandom and /dev/random as RNG sources.
[1] https://lwn.net/Articles/808575/
More information about the pve-devel
mailing list