Re: nothing contributing entropy in Xen domUs? (causing python3.7 rebuild to get stuck in kernel in "entropy" during an "import" statement)

[Havard Eidnes <he%NetBSD.org@localhost>]

> On Wed, Mar 31, 2021 at 12:12:31AM +0000, Taylor R Campbell wrote:
>> This is false.  If the VM host provided a viornd(4) device then NetBSD
>> would automatically collect, and count, entropy from the host, with no
>> manual intervention.
>
> I would love to see instructions how to do this - I have not seen a working
> virond(4) in any of my Xen domU (but that is a very limited sample).

While this isn't with Xen, and isn't on -current, but this is
what I do for my emulated arm64 system, where the emulator runs on
NetBSD/amd64 8.0:

#!/bin/sh
SMP=4
MEM=8g
qemu-system-aarch64 -M virt -cpu cortex-a57 -smp $SMP -m $MEM \
  -drive if=none,file=disk.img,id=hd0 -device virtio-blk-device,drive=hd0 \
  -netdev type=user,id=net0,hostfwd=tcp::2222-:22,ipv6=off \
  -nographic \
  -device virtio-net-device,netdev=net0,mac=00:11:66:33:44:55 \
  -device virtio-rng-device \
  -kernel netbsd.img -append root=ld4a

and the booted system is NetBSD/aarch64 9.0 with the unmodified
GENERIC64 kernel:

arm64# rndctl -l
Source                 Bits Type      Flags
cpu3                   7824 vm   estimate, collect, v, t, dv
cpu2                   8983 vm   estimate, collect, v, t, dv
cpu1                   8351 vm   estimate, collect, v, t, dv
cpu0                  12436 vm   estimate, collect, v, t, dv
ld4                 8440476 disk estimate, collect, v, t, dt
viornd0                4096 rng  estimate, collect, v
system-power              0 power estimate, collect, v, t, dt
autoconf                 72 ???  estimate, collect, t, dt
printf                    0 ???  collect
callout                 116 skew estimate, collect, v, dv
arm64#
arm64# dmesg | grep rnd
[     1.000010] viornd0 at virtio29: Features: 0x10000000<INDIRECT_DESC>
arm64# 
arm64# dmesg | grep virtio29
[     1.000010] virtio29 at simplebus0
[     1.000010] viornd0 at virtio29: Features: 0x10000000<INDIRECT_DESC>
[     1.000010] virtio29: allocated 32768 byte for virtqueue 0 for Entropy request, size 1024
[     1.000010] virtio29: interrupting on GIC irq 77
arm64# 

When I get to booting a past-rng-rework kernel, I'm fairly
certain that only the input from viornd0 will remain as a source
with "estimate" in the flags field.  Of course, any saved and
restored entropy will also count towards the estimate.


That said, it doesn't look like the amd64 XEN3_DOMU kernel has either
of virtio* or viornd* configured, they're only in the GENERIC and ALL
kernel configs.  Also, I don't know what has to happen on the XEN
"host side" to provide those devices; virtio* is apparently supposed
to be made visible via the pci bus (looking at amd64's GENERIC), but
by the looks of it, XEN only does "pci passthrough" to physical
devices (looking at the comments near the commented-out "pci" config
statements in XEN3_DOMU), so no "emulated" PCI bus where the host can
provide the host-side of the randomness virtual device?

Regards,

- Håvard