I am in the process of verifying that everything entropy-related is up to par in Qubes, specifically within Debian-based templates.
My understanding is that most entropy within a Qubes VM comes from the “Linus Jitter Dance”, haveged, jitterentropy-rngd and a one-off read from dom0’s getrandom(0) of 512 bytes. This seems to be fine, but I have some questions. I will refer to /dev/[u]random and getrandom as the CSRNG.
-
Because we are only receiving entropy from dom0 once, CPU jitter will be the only source topping up the entropy pool after first boot. Therefore the CSRNG will be continually reseeded from only a single source of entropy. I think I’ve read that the main reason for reseeding is to recover from compromise, and that the initial seed alone is sufficient for all the randomness the system could need when there is no compromise. Is my thinking true, and as such do I not need to worry that we are only reseeding with CPU jitter?
-
I am very confident that it is impossible for entropy to “exit” the system during a reseed, but I would like some confirmation of this. By this I mean, is it possible that new entropy will replace old entropy as the seed for the CSRNG, or is it always used in combination? It’s important to confirm this, because it would be bad if dom0’s bytes were replaced after some time by purely CPU jitter entropy.
-
I think it’s possible that after the system has booted there is a brief period of time (< 1 minute) where the CSRNG could be seeded with CPU jitter only (not dom0’s bytes). This is because
systemd-random-seed service
runs relatively late so the kernel may have already acquired enough entropy to seed the CSRNG through its own jitter mechanism. If this happens, dom0 bytes will not be included in the CSRNG seed for at most 1 minute. Does anyone else agree this could be an issue? It won’t affect many users, but I know I’ve started a VM and immediately generated a key before. -
Where can I find the code responsible for doing LUKS encryption during installation? I don’t like that cryptsetup uses /dev/urandom by default, so I want to verify that Qubes is using /dev/random as the LUKS entropy source, or that /dev/urandom is guaranteed to be initialized at the time cryptsetup is used.
Thanks.