tech-pkg archive


Re: nothing contributing entropy in Xen domUs? (causing python3.7 rebuild to get stuck in kernel in "entropy" during an "import" statement)
> Date: Tue, 30 Mar 2021 16:23:43 -0700
> From: "Greg A. Woods" <woods%planix.ca@localhost>
> 
> At Tue, 30 Mar 2021 23:53:43 +0200, Manuel Bouyer <bouyer%antioche.eu.org@localhost> wrote:
> > On Tue, Mar 30, 2021 at 02:40:18PM -0700, Greg A. Woods wrote:
> > > Perhaps the answer is that nothing seems to be contributing anything to
> > > the entropy pool.  No matter what device I exercise, none of the numbers
> > > in the following changes:
> >
> > yes, it's been this way since the rnd rototill. Virtual devices are
> > not trusted.
> >
> > The only way is to manually seed the pool.
> 
> Ah, so that is definitely not what I expected!

This is false.  If the VM host provided a viornd(4) device then NetBSD
would automatically collect, and count, entropy from the host, with no
manual intervention.

> Finally, if the system isn't actually collecting entropy from a device,
> then why the heck does it allow me to think it is (i.e. by allowing me
> to enable it and show it as enabled and collecting via "rndctl -l")?

The system does collect samples from all those devices.  However, they
are not designed to be unpredictable and there is no good reliable
model for just how unpredictable they are, so the system doesn't
_count_ anything from them.  See https://man.NetBSD.org/entropy.4 for
a high-level overview.

In the past we used an essentially meaningless model, designed in a
vacuum without reference to any information about the physics of the
sources of the samples (and the same model with all sources), for
fabricating entropy estimates by examining the sample data.  This
practice no longer happens.
