Load virtio_rng early in the game #6665
Conversation
|
Oh, in FIPS mode we have an even bigger problem. In RHEL, we have a patch : libgcrypt does this in the library constructor: So, if systemd is executed and linked against libgcrypt, we have a problem with low entropy 👎 |
|
And unfortunately it is when built with Lorax, so I guess in all of RH-related use cases. It kills VM provisioning completely. |
hmm, did it always do that? how come this only comes up now? |
src/core/kmod-setup.c
Outdated
| int r = detect_vm(); | ||
|
|
||
| return (r == VIRTUALIZATION_KVM || r == VIRTUALIZATION_QEMU); | ||
| } |
There was a problem hiding this comment.
please use IN_SET() for cases like this:
return IN_SET(detect_vm(), VIRTUALIZATION_KVM, VIRTUALIZATION_QEMU);
src/core/kmod-setup.c
Outdated
| @@ -68,6 +75,7 @@ int kmod_setup(void) { | |||
| /* netfilter is needed by networkd, nspawn among others, and cannot be autoloaded */ | |||
| { "ip_tables", "/proc/net/ip_tables_names", false, false, NULL }, | |||
| #endif | |||
| { "virtio_rng", NULL, false, false, vm_is_kvm_or_qemu }, | |||
There was a problem hiding this comment.
please add a comment why we do this
poettering
added
reviewed/needs-rework 🔨
|
hmm, can we tune the detection of this functionality a bit? it appears the availability of this virtio iface is announced to the OS an this can be easily checked via /sys. Can we tweak the detction accordingly, and look for the actual virtio iface rather thank blanket qemu/kvm checks? That way we don#t misdetect qemu invocations without it, and other VM implementations can implement the same iface sooner or later and things will just work. |
|
@poettering for /sys checking, we would have to check every |
If true randomness is needed before udev is triggered, which would load virtio_rng, reading /dev/random takes forever and the boot stalls for a long time.
|
modinfo virtio-rng suggests the the following match instead: "virtio:d00000004v*" btw, not pci matches? but looping through those dirs should be pretty starightforward, no? |
|
is the alternative with sysfs parsing |
|
Closing this one in favour of #6710 |
If libgcrypt is initialized, it needs a entropy for its random pool.
Without virtio_rng loaded initialize_libgcrypt() takes forever and the
boot stalls for a long time.