NetBSD-Bugs archive


Re: port-xen/40739: no entropy device sourcese on 5.0_RC2 XEN3PAE_DOMU



The following reply was made to PR port-xen/40739; it has been noted by GNATS.

From: Christoph Badura <bad%bsd.de@localhost>
To: Manuel Bouyer <bouyer%antioche.eu.org@localhost>
Cc: gnats-bugs%netbsd.org@localhost
Subject: Re: port-xen/40739: no entropy device sourcese on 5.0_RC2 XEN3PAE_DOMU
Date: Tue, 3 Mar 2009 23:12:21 +0100

On Tue, Mar 03, 2009 at 11:02:01AM +0100, Manuel Bouyer wrote:
> On Mon, Mar 02, 2009 at 11:32:52PM +0100, Christoph Badura wrote:
> OK, so why is entropy collection disabled by default for all network
> interfaces? Your demonstration would apply to network interfaces as well.

I don't know, as I wasn't involved in that discussion.  If you go and grovel
the mailing list archives, maybe you can find something.

> > But being connected to a switch is *not* being on a shared network, because
> > it hides traffic from other machines in the same logical (sub) network.
> not really, as another host on the same switch can affect jitter for
> a given host (even if they are on different vlans).

Oh, sure they can affect that.  It isn't sufficient to affect it in any
random way, though.  You have to affect it so that the stream of random
bits being output becomes predictable to some degree.

> Why don't you find one that backs yours?

I already took steps in that direction.  I invited Steven Bellovin and
Perry Metzger to give their opinion on the matter.

Would these two be acceptable to you?

> I don't have authority; but until I find someone who can show that
> an attack is not possible through xen block devices, I'll be conservative.

If you are that concerned about a possible attack, you should rip out the
calls to rnd_add_uint32() from the network drivers.

--chris

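The disagreement above is about whether timing jitter that another party can influence should be credited as entropy. The following is an added illustration, written for this archive page; it is not NetBSD's rnd(4) code and not something either correspondent posted. It assumes a simplified first/second/third-order timestamp-delta estimator, similar in spirit to the heuristic kernel RNGs commonly apply to samples such as those handed in via rnd_add_uint32(); the exact arithmetic, the function names and the two timestamp streams are this example's own constructions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Simplified delta-based entropy estimator (added example, not rnd(4)).
 * For each timestamp it computes the first, second and third-order
 * differences, takes the smallest, and credits floor(log2) of it as bits.
 * Perfectly regular timing therefore earns nothing; irregular timing earns
 * a few bits per sample.
 */
struct delta_state {
    uint32_t last_ts;
    uint32_t last_delta;
    uint32_t last_delta2;
    int      primed;      /* number of samples consumed before crediting */
};

static uint32_t absdiff(uint32_t a, uint32_t b)
{
    return a > b ? a - b : b - a;
}

/* Feed one timestamp; return the bits credited for it. */
static int estimate_bits(struct delta_state *st, uint32_t ts)
{
    uint32_t delta  = absdiff(ts, st->last_ts);
    uint32_t delta2 = absdiff(delta, st->last_delta);
    uint32_t delta3 = absdiff(delta2, st->last_delta2);

    st->last_ts = ts;
    st->last_delta = delta;
    st->last_delta2 = delta2;

    /* The first three samples only seed the history; credit nothing. */
    if (st->primed < 3) {
        st->primed++;
        return 0;
    }

    uint32_t m = delta;
    if (delta2 < m) m = delta2;
    if (delta3 < m) m = delta3;

    int bits = 0;                 /* floor(log2(m)); 0 when m <= 1 */
    while (m > 1) {
        m >>= 1;
        bits++;
    }
    return bits;
}

/* Total bits the estimator would credit for a whole stream. */
int credited_bits(const uint32_t *ts, size_t n)
{
    struct delta_state st = {0, 0, 0, 0};
    int total = 0;
    for (size_t i = 0; i < n; i++)
        total += estimate_bits(&st, ts[i]);
    return total;
}

/* Constructed sample streams (hypothetical timestamps, arbitrary units). */
static const uint32_t paced_stream[]   = {0, 1000, 2000, 3000, 4000, 5000, 6000, 7000};
static const uint32_t jittery_stream[] = {0, 1037, 2411, 2903, 4578, 5002, 6710, 7119};

/* Interrupts arriving at a perfectly steady rate: credited 0 bits. */
int paced_stream_bits(void)
{
    return credited_bits(paced_stream, sizeof paced_stream / sizeof paced_stream[0]);
}

/* Interrupts with irregular gaps: credited 30 bits over eight samples. */
int jittery_stream_bits(void)
{
    return credited_bits(jittery_stream, sizeof jittery_stream / sizeof jittery_stream[0]);
}

int main(void)
{
    printf("steady pacing : %d bits credited\n", paced_stream_bits());
    printf("irregular gaps: %d bits credited\n", jittery_stream_bits());
    return 0;
}
```

The steady stream is what a peer that fully controls the timing of a device's events could deliver, and the estimator correctly credits it nothing. The caveat is the converse: the jittery stream earns 30 bits whether or not some other party could have observed or shaped those gaps, because a delta estimator measures irregularity, not secrecy. That gap between "looks unpredictable" and "is unpredictable to an adversary" is exactly what the exchange above is arguing over, and it applies the same way to block-device and network-interface samples.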

