[PVE-User] Debian buster inside PVE KVM

Fabian Grünbichler f.gruenbichler at proxmox.com
Mon Jul 8 12:16:46 CEST 2019


On Mon, Jul 08, 2019 at 10:43:54AM +0200, Chris Hofstaedtler | Deduktiva wrote:
> * Thomas Lamprecht <t.lamprecht at proxmox.com> [190708 09:13]:
> > On 7/8/19 at 8:05 AM, Fabian Grünbichler wrote:
> > > On Mon, Jul 08, 2019 at 02:16:34AM +0200, Chris Hofstaedtler | Deduktiva wrote:
> [..]
> > >> Are there any recommendations at this time or plans for adding
> > >> virtio_rng?
> > > 
> > > filed [1] to keep track of adding proper support, as it sounds like a
> > > simple enough but worthwhile feature to me :)
> > > 
> > > 1: https://bugzilla.proxmox.com/show_bug.cgi?id=2264
> > 
> > The request for this is a bit older, and then some concerns about
> > possibly depleting the host's entropy pool were raised.
> > Maybe we want to ship haveged, or at least recommend it in docs if no
> > other "high" bandwidth (relatively speaking) HW rng source is
> > available on the host...
> 
> Right, makes sense. OTOH on modern hosts with RDRAND and
> CONFIG_RANDOM_TRUST_CPU=y (as in 5.0.15-1-pve) this shouldn't be
> much of a problem (guessing here).

I can still deplete my host's entropy pool from a VM with virtio-rng
easily, even with RDRAND/RDSEED and CONFIG_RANDOM_TRUST_CPU. I think
even with a "proper" HWRNG you'd still want rate-limiting unless you
trust all your virtio-rng users to not request large amounts of
randomness at once. The small amounts needed for booting or the
occasional key generation are fine.
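
Added example, not part of the original message and not Proxmox or QEMU code: a simplified model of the kind of rate limit discussed above, a byte quota that refills once per period, which is the shape of limit QEMU's virtio-rng device exposes through its `max-bytes` and `period` properties. The class, the two guest workloads and the 1024 bytes per 1000 ms setting are constructed for illustration.

```python
"""Simplified per-period byte quota for a virtio-rng style device."""


class RngQuota:
    def __init__(self, max_bytes, period_ms):
        self.max_bytes = max_bytes
        self.period_ms = period_ms
        self.window = 0               # index of the current period
        self.remaining = max_bytes    # bytes still allowed in this period

    def request(self, now_ms, nbytes):
        """Return how many of nbytes are served for a request at now_ms."""
        window = now_ms // self.period_ms
        if window != self.window:     # a new period started: refill the quota
            self.window = window
            self.remaining = self.max_bytes
        served = min(nbytes, self.remaining)
        self.remaining -= served
        return served


def simulate(requests, max_bytes, period_ms):
    """requests is a list of (time_ms, nbytes); returns (served, wanted)."""
    quota = RngQuota(max_bytes, period_ms)
    served = sum(quota.request(t, n) for t, n in sorted(requests))
    wanted = sum(n for _, n in requests)
    return served, wanted


# Constructed workloads (assumptions, not measurements):
# a guest that seeds itself at boot and later generates one key ...
BOOT_GUEST = [(0, 32), (150, 64), (900, 32), (4200, 256)]
# ... and a guest that asks for 64 KiB every 10 ms for 10 seconds.
GREEDY_GUEST = [(t, 65536) for t in range(0, 10_000, 10)]

if __name__ == "__main__":
    for name, load in (("boot", BOOT_GUEST), ("greedy", GREEDY_GUEST)):
        served, wanted = simulate(load, max_bytes=1024, period_ms=1000)
        print(f"{name}: served {served} of {wanted} bytes")
```

With this setting the boot-time guest gets everything it asks for, while the greedy guest is held to the quota per period regardless of how much it requests.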
