On Mon, Apr 16, 2018 at 04:15:44PM +0000, Thomas Garnier wrote: > On Mon, Apr 16, 2018 at 8:54 AM Kees Cook <keescook@xxxxxxxxxxxx> wrote: > > > On Sat, Apr 14, 2018 at 3:44 PM, Theodore Y. Ts'o <tytso@xxxxxxx> wrote: > > > +linux-mm@xxxxxxxxx > > > kvm@xxxxxxxxxxxxxxx, security@xxxxxxxxxx moved to bcc > > > > > > On Sat, Apr 14, 2018 at 10:59:21PM +0300, Alexey Dobriyan wrote: > > >> SLAB allocators got CONFIG_SLAB_FREELIST_RANDOM option which randomizes > > >> allocation pattern inside a slab: > > >> > > >> int cache_random_seq_create(struct kmem_cache *cachep, unsigned > int count, gfp_t gfp) > > >> { > > >> ... > > >> /* Get best entropy at this stage of boot */ > > >> prandom_seed_state(&state, get_random_long()); > > >> > > >> Then I printed actual random sequences for each kmem cache. > > >> Turned out they were all the same for most of the caches and > > >> they didn't vary across guest reboots. > > > > > > The problem is at the super-early state of the boot path, kernel code > > > can't allocate memory. This is something most device drivers kinda > > > assume they can do. :-) > > > > > > So it means we haven't yet initialized the virtio-rng driver, and it's > > > before interrupts have been enabled, so we can't harvest any entropy > > > from interrupt timing. So that's why trying to use virtio-rng didn't > > > help. > > > > > >> The only way to get randomness for SLAB is to enable RDRAND inside > guest. > > >> > > >> Is it KVM bug? > > > > > > No, it's not a KVM bug. The fundamental issue is in how the > > > CONFIG_SLAB_FREELIST_RANDOM is currently implemented. > > Entropy at early boot in VM has always been a problem for this feature or > others. Did you look at the impact on other boot security features fetching > random values? Does your VM had RDRAND support (we use get_random_long() > which will fetch from RDRAND to provide as much entropy as possible at this > point)? The problem is that "qemu-system-x86_64" by default doesn't use RDRAND nor does it use entropy from the host to bootstrap. You need "-cpu host" or equivalent. Given that DMI strings are acting as a seed and fixed creation order of core kernel caches those SLAB randomization sequences may be globally the same (I didn't check) or draw from a small set. And of course there will be users which don't use RDRAND because it is NSA backdoor.