* [pve-devel] [PATCH manager/qemu-server v4 0/9] fix #5657: allow configuring RNG device as non-root user
From: Filip Schauer @ 2025-02-18 11:10 UTC (permalink / raw)
To: pve-devel
Allow users with the VM.Config.HWType privilege to configure VirtIO RNG
devices on VMs with either /dev/urandom or /dev/random as the entropy
source. Users with the Mapping.Use privilege on the /mapping/hwrng ACL
path may also configure /dev/hwrng as an entropy source.
Changes since v3:
* Remove hardware RNG resource mapping and introduce /mapping/hwrng ACL
path instead
* Split some changes into separate commits
Changes since v2:
* Restrict RNG device format to enum of
* Add descriptive commit message
* Code style fixes
* Remove outdated remarks about entropy starvation of /dev/random
* Split helpers for VirtIO RNG command line arguments into its own
commit
* Add explicit "use PVE::QemuServer::RNG;" statement to PVE/API2/Qemu.pm
* Fix "map: type check ('array') failed" error when adding a mapping in
the UI
* ui: split resource mapping types into tabbed views
Changes since v1:
* Restrict use of /dev/hwrng to the root user
* introduce hardware RNG mapping
qemu-server:
Filip Schauer (6):
remove outdated /dev/random entropy-starvation warnings
refactor: move rng related code into its own module
add helpers for VirtIO RNG command line arguments
refactor: check_mapping_access: move root user check to the top
allow non-root users to set /dev/u?random as an RNG source
allow non-root users to set /dev/hwrng as an RNG source
PVE/API2/Qemu.pm | 29 ++++++++++
PVE/QemuServer.pm | 95 +++++++-------------------------
PVE/QemuServer/Makefile | 1 +
PVE/QemuServer/RNG.pm | 116 ++++++++++++++++++++++++++++++++++++++++
4 files changed, 164 insertions(+), 77 deletions(-)
create mode 100644 PVE/QemuServer/RNG.pm
pve-manager:
Filip Schauer (3):
ui: remove warning about entropy starvation of /dev/random
ui: permissions: add ACL path for hardware RNG
ui: let non-root users configure VirtIO RNG devices
www/manager6/data/PermPathStore.js | 1 +
www/manager6/qemu/HardwareView.js | 9 ++++-----
www/manager6/qemu/RNGEdit.js | 13 -------------
3 files changed, 5 insertions(+), 18 deletions(-)
Summary over all repositories:
7 files changed, 169 insertions(+), 95 deletions(-)
--
Generated by git-murpp 0.6.0
_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
* [pve-devel] [PATCH qemu-server v4 1/9] remove outdated /dev/random entropy-starvation warnings
From: Filip Schauer @ 2025-02-18 11:10 UTC (permalink / raw)
To: pve-devel
Remove mentions of entropy starvation when using /dev/random as the
entropy source from the descriptions of the rng parameters. This
concern no longer applies since the removal of the blocking entropy pool
in kernel version 5.6. [1] [2]
[1] https://git.kernel.org/torvalds/c/acd77500aa8a337baa6d853568c4b55aca48e20f
[2] https://lwn.net/Articles/808575/
Signed-off-by: Filip Schauer <f.schauer@proxmox.com>
---
PVE/QemuServer.pm | 13 +++++--------
1 file changed, 5 insertions(+), 8 deletions(-)
diff --git a/PVE/QemuServer.pm b/PVE/QemuServer.pm
index 808c0e1c..a1237c05 100644
--- a/PVE/QemuServer.pm
+++ b/PVE/QemuServer.pm
@@ -253,18 +253,15 @@ my $rng_fmt = {
type => 'string',
enum => ['/dev/urandom', '/dev/random', '/dev/hwrng'],
default_key => 1,
- description => "The file on the host to gather entropy from. In most cases '/dev/urandom'"
- ." should be preferred over '/dev/random' to avoid entropy-starvation issues on the"
- ." host. Using urandom does *not* decrease security in any meaningful way, as it's"
- ." still seeded from real entropy, and the bytes provided will most likely be mixed"
- ." with real entropy on the guest as well. '/dev/hwrng' can be used to pass through"
- ." a hardware RNG from the host.",
+ description => "The file on the host to gather entropy from. Using urandom does *not*"
+ ." decrease security in any meaningful way, as it's still seeded from real entropy, and"
+ ." the bytes provided will most likely be mixed with real entropy on the guest as well."
+ ."'/dev/hwrng' can be used to pass through a hardware RNG from the host.",
},
max_bytes => {
type => 'integer',
description => "Maximum bytes of entropy allowed to get injected into the guest every"
- ." 'period' milliseconds. Prefer a lower value when using '/dev/random' as source. Use"
- ." `0` to disable limiting (potentially dangerous!).",
+ ." 'period' milliseconds. Use `0` to disable limiting (potentially dangerous!).",
optional => 1,
# default is 1 KiB/s, provides enough entropy to the guest to avoid boot-starvation issues
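Review bot: the rewrapped description on the fourth `+` line of this hunk drops the space before `'/dev/hwrng'`, so the concatenated string reads `...on the guest as well.'/dev/hwrng' can be used...`; use `." '/dev/hwrng' can be used to pass through a hardware RNG from the host.",` here rather than fixing it silently when the block is moved in 2/9 (where the `+` version does carry the space).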
--
2.39.5
* [pve-devel] [PATCH qemu-server v4 2/9] refactor: move rng related code into its own module
From: Filip Schauer @ 2025-02-18 11:10 UTC (permalink / raw)
To: pve-devel
Move code related to VirtIO RNG configuration for a VM to its own
module.
Signed-off-by: Filip Schauer <f.schauer@proxmox.com>
---
PVE/QemuServer.pm | 60 +---------------------------
PVE/QemuServer/Makefile | 1 +
PVE/QemuServer/RNG.pm | 86 +++++++++++++++++++++++++++++++++++++++++
3 files changed, 89 insertions(+), 58 deletions(-)
create mode 100644 PVE/QemuServer/RNG.pm
diff --git a/PVE/QemuServer.pm b/PVE/QemuServer.pm
index a1237c05..09d2b3a8 100644
--- a/PVE/QemuServer.pm
+++ b/PVE/QemuServer.pm
@@ -60,6 +60,7 @@ use PVE::QemuServer::MetaInfo;
use PVE::QemuServer::Monitor qw(mon_cmd);
use PVE::QemuServer::PCI qw(print_pci_addr print_pcie_addr print_pcie_root_port parse_hostpci);
use PVE::QemuServer::QMPHelpers qw(qemu_deviceadd qemu_devicedel qemu_objectadd qemu_objectdel);
+use PVE::QemuServer::RNG qw(check_rng_source parse_rng);
use PVE::QemuServer::USB;
my $have_sdn;
@@ -248,36 +249,6 @@ my $spice_enhancements_fmt = {
},
};
-my $rng_fmt = {
- source => {
- type => 'string',
- enum => ['/dev/urandom', '/dev/random', '/dev/hwrng'],
- default_key => 1,
- description => "The file on the host to gather entropy from. Using urandom does *not*"
- ." decrease security in any meaningful way, as it's still seeded from real entropy, and"
- ." the bytes provided will most likely be mixed with real entropy on the guest as well."
- ."'/dev/hwrng' can be used to pass through a hardware RNG from the host.",
- },
- max_bytes => {
- type => 'integer',
- description => "Maximum bytes of entropy allowed to get injected into the guest every"
- ." 'period' milliseconds. Use `0` to disable limiting (potentially dangerous!).",
- optional => 1,
-
- # default is 1 KiB/s, provides enough entropy to the guest to avoid boot-starvation issues
- # (e.g. systemd etc...) while allowing no chance of overwhelming the host, provided we're
- # reading from /dev/urandom
- default => 1024,
- },
- period => {
- type => 'integer',
- description => "Every 'period' milliseconds the entropy-injection quota is reset, allowing"
- ." the guest to retrieve another 'max_bytes' of entropy.",
- optional => 1,
- default => 1000,
- },
-};
-
my $confdesc = {
onboot => {
optional => 1,
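Review bot: removing `my $rng_fmt` here leaves `config_to_command` in this same file still reading `$rng_fmt->{max_bytes}->{default}` and `$rng_fmt->{period}->{default}` (those lines are only removed in 3/9), so under `use strict` QemuServer.pm no longer compiles at this commit and the series does not bisect; either fold the helper change from 3/9 into this patch or keep a working defaults lookup here, e.g. by fetching the defaults through the new RNG module.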
@@ -705,7 +676,7 @@ EODESCR
},
rng0 => {
type => 'string',
- format => $rng_fmt,
+ format => 'pve-qm-rng',
description => "Configure a VirtIO-based Random Number Generator.",
optional => 1,
},
@@ -1968,16 +1939,6 @@ sub parse_vga {
return $res;
}
-sub parse_rng {
- my ($value) = @_;
-
- return if !$value;
-
- my $res = eval { parse_property_string($rng_fmt, $value) };
- warn $@ if $@;
- return $res;
-}
-
sub qemu_created_version_fixups {
my ($conf, $forcemachine, $kvmver) = @_;
@@ -4017,23 +3978,6 @@ sub config_to_command {
return wantarray ? ($cmd, $vollist, $spice_port, $pci_devices) : $cmd;
}
-sub check_rng_source {
- my ($source) = @_;
-
- # mostly relevant for /dev/hwrng, but doesn't hurt to check others too
- die "cannot create VirtIO RNG device: source file '$source' doesn't exist\n"
- if ! -e $source;
-
- my $rng_current = '/sys/devices/virtual/misc/hw_random/rng_current';
- if ($source eq '/dev/hwrng' && file_read_firstline($rng_current) eq 'none') {
- # Needs to abort, otherwise QEMU crashes on first rng access. Note that rng_current cannot
- # be changed to 'none' manually, so once the VM is past this point, it's no longer an issue.
- die "Cannot start VM with passed-through RNG device: '/dev/hwrng' exists, but"
- ." '$rng_current' is set to 'none'. Ensure that a compatible hardware-RNG is attached"
- ." to the host.\n";
- }
-}
-
sub spice_port {
my ($vmid) = @_;
diff --git a/PVE/QemuServer/Makefile b/PVE/QemuServer/Makefile
index 18fd13ea..83c6af79 100644
--- a/PVE/QemuServer/Makefile
+++ b/PVE/QemuServer/Makefile
@@ -1,4 +1,5 @@
SOURCES=PCI.pm \
+ RNG.pm \
USB.pm \
Memory.pm \
ImportDisk.pm \
diff --git a/PVE/QemuServer/RNG.pm b/PVE/QemuServer/RNG.pm
new file mode 100644
index 00000000..22d1e9cc
--- /dev/null
+++ b/PVE/QemuServer/RNG.pm
@@ -0,0 +1,86 @@
+package PVE::QemuServer::RNG;
+
+use strict;
+use warnings;
+
+use PVE::JSONSchema;
+use PVE::Tools qw(file_read_firstline);
+
+use PVE::QemuServer::PCI qw(print_pci_addr);
+
+use base 'Exporter';
+
+our @EXPORT_OK = qw(
+parse_rng
+check_rng_source
+);
+
+my $rng_fmt = {
+ source => {
+ type => 'string',
+ enum => ['/dev/urandom', '/dev/random', '/dev/hwrng'],
+ default_key => 1,
+ description => "The file on the host to gather entropy from. Using urandom does *not*"
+ ." decrease security in any meaningful way, as it's still seeded from real entropy, and"
+ ." the bytes provided will most likely be mixed with real entropy on the guest as well."
+ ." '/dev/hwrng' can be used to pass through a hardware RNG from the host.",
+ },
+ max_bytes => {
+ type => 'integer',
+ description => "Maximum bytes of entropy allowed to get injected into the guest every"
+ ." 'period' milliseconds. Use `0` to disable limiting (potentially dangerous!).",
+ optional => 1,
+
+ # default is 1 KiB/s, provides enough entropy to the guest to avoid boot-starvation issues
+ # (e.g. systemd etc...) while allowing no chance of overwhelming the host, provided we're
+ # reading from /dev/urandom
+ default => 1024,
+ },
+ period => {
+ type => 'integer',
+ description => "Every 'period' milliseconds the entropy-injection quota is reset, allowing"
+ ." the guest to retrieve another 'max_bytes' of entropy.",
+ optional => 1,
+ default => 1000,
+ },
+};
+
+PVE::JSONSchema::register_format('pve-qm-rng', $rng_fmt);
+
+our $rngdesc = {
+ type => 'string',
+ format => $rng_fmt,
+ optional => 1,
+ description => "Configure a VirtIO-based Random Number Generator.",
+};
+PVE::JSONSchema::register_standard_option('pve-qm-rng', $rngdesc);
+
+sub parse_rng {
+ my ($value) = @_;
+
+ return if !$value;
+
+ my $res = eval { PVE::JSONSchema::parse_property_string($rng_fmt, $value) };
+ warn $@ if $@;
+
+ return $res;
+}
+
+sub check_rng_source {
+ my ($source) = @_;
+
+ # mostly relevant for /dev/hwrng, but doesn't hurt to check others too
+ die "cannot create VirtIO RNG device: source file '$source' doesn't exist\n"
+ if ! -e $source;
+
+ my $rng_current = '/sys/devices/virtual/misc/hw_random/rng_current';
+ if ($source eq '/dev/hwrng' && file_read_firstline($rng_current) eq 'none') {
+ # Needs to abort, otherwise QEMU crashes on first rng access. Note that rng_current cannot
+ # be changed to 'none' manually, so once the VM is past this point, it's no longer an issue.
+ die "Cannot start VM with passed-through RNG device: '/dev/hwrng' exists, but"
+ ." '$rng_current' is set to 'none'. Ensure that a compatible hardware-RNG is attached"
+ ." to the host.\n";
+ }
+}
+
+1;
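Review bot: `use PVE::QemuServer::PCI qw(print_pci_addr);` is imported but nothing in this file uses it yet (the first caller arrives in 3/9), and `$rngdesc` together with `register_standard_option('pve-qm-rng', $rngdesc)` is likewise unused, since the `rng0` entry in `$confdesc` refers to the format `'pve-qm-rng'` with its own description; drop both until a consumer exists, or name the intended consumer in the commit message. `$rngdesc` also uses `format => $rng_fmt` while the format is registered under a name two lines above; `format => 'pve-qm-rng'` keeps the two in sync.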
--
2.39.5
* [pve-devel] [PATCH qemu-server v4 3/9] add helpers for VirtIO RNG command line arguments
From: Filip Schauer @ 2025-02-18 11:10 UTC (permalink / raw)
To: pve-devel
Signed-off-by: Filip Schauer <f.schauer@proxmox.com>
---
PVE/QemuServer.pm | 18 +++++-------------
PVE/QemuServer/RNG.pm | 30 ++++++++++++++++++++++++++++++
2 files changed, 35 insertions(+), 13 deletions(-)
diff --git a/PVE/QemuServer.pm b/PVE/QemuServer.pm
index 09d2b3a8..70518924 100644
--- a/PVE/QemuServer.pm
+++ b/PVE/QemuServer.pm
@@ -60,7 +60,7 @@ use PVE::QemuServer::MetaInfo;
use PVE::QemuServer::Monitor qw(mon_cmd);
use PVE::QemuServer::PCI qw(print_pci_addr print_pcie_addr print_pcie_root_port parse_hostpci);
use PVE::QemuServer::QMPHelpers qw(qemu_deviceadd qemu_devicedel qemu_objectadd qemu_objectdel);
-use PVE::QemuServer::RNG qw(check_rng_source parse_rng);
+use PVE::QemuServer::RNG qw(parse_rng print_rng_device_commandline print_rng_object_commandline);
use PVE::QemuServer::USB;
my $have_sdn;
@@ -3685,18 +3685,10 @@ sub config_to_command {
my $rng = $conf->{rng0} ? parse_rng($conf->{rng0}) : undef;
if ($rng && $version_guard->(4, 1, 2)) {
- check_rng_source($rng->{source});
-
- my $max_bytes = $rng->{max_bytes} // $rng_fmt->{max_bytes}->{default};
- my $period = $rng->{period} // $rng_fmt->{period}->{default};
- my $limiter_str = "";
- if ($max_bytes) {
- $limiter_str = ",max-bytes=$max_bytes,period=$period";
- }
-
- my $rng_addr = print_pci_addr("rng0", $bridges, $arch, $machine_type);
- push @$devices, '-object', "rng-random,filename=$rng->{source},id=rng0";
- push @$devices, '-device', "virtio-rng-pci,rng=rng0$limiter_str$rng_addr";
+ my $rng_object = print_rng_object_commandline('rng0', $rng);
+ my $rng_device = print_rng_device_commandline('rng0', $rng, $bridges, $arch, $machine_type);
+ push @$devices, '-object', $rng_object;
+ push @$devices, '-device', $rng_device;
}
my $spice_port;
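Review bot: the commit message consists only of the Signed-off-by; this hunk replaces the inline `-object`/`-device` construction in `config_to_command` with `print_rng_object_commandline` and `print_rng_device_commandline` and moves the `check_rng_source` call out of the start path into the helper, which deserves a sentence for anyone bisecting or reviewing VM start behaviour later.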
diff --git a/PVE/QemuServer/RNG.pm b/PVE/QemuServer/RNG.pm
index 22d1e9cc..23b6cd15 100644
--- a/PVE/QemuServer/RNG.pm
+++ b/PVE/QemuServer/RNG.pm
@@ -13,6 +13,8 @@ use base 'Exporter';
our @EXPORT_OK = qw(
parse_rng
check_rng_source
+print_rng_device_commandline
+print_rng_object_commandline
);
my $rng_fmt = {
@@ -83,4 +85,32 @@ sub check_rng_source {
}
}
+sub print_rng_device_commandline {
+ my ($id, $rng, $bridges, $arch, $machine) = @_;
+
+ die "no rng device specified\n" if !$rng;
+
+ my $max_bytes = $rng->{max_bytes} // $rng_fmt->{max_bytes}->{default};
+ my $period = $rng->{period} // $rng_fmt->{period}->{default};
+ my $limiter_str = "";
+ if ($max_bytes) {
+ $limiter_str = ",max-bytes=$max_bytes,period=$period";
+ }
+
+ my $rng_addr = print_pci_addr($id, $bridges, $arch, $machine);
+
+ return "virtio-rng-pci,rng=$id$limiter_str$rng_addr";
+}
+
+sub print_rng_object_commandline {
+ my ($id, $rng) = @_;
+
+ die "no rng device specified\n" if !$rng;
+
+ my $source_path = $rng->{source};
+ check_rng_source($source_path);
+
+ return "rng-random,filename=$source_path,id=$id";
+}
+
1;
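Review bot: `print_rng_object_commandline` calls `check_rng_source`, which stats the source file, reads `/sys/devices/virtual/misc/hw_random/rng_current` and dies on host state; a `print_*` helper that can fail depending on the host's current hardware is easy to misuse from code that only wants the argument string (tests, dry runs), so either keep the check in the caller as before or document the side effect in a comment above the sub. Both helpers also `die "no rng device specified\n"` although the only caller already guards on `$rng`; that is fine as defensive code, but the parameters `$id`, `$bridges`, `$arch` and `$machine` still deserve a short comment.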
--
2.39.5
* [pve-devel] [PATCH qemu-server v4 4/9] refactor: check_mapping_access: move root user check to the top
From: Filip Schauer @ 2025-02-18 11:10 UTC (permalink / raw)
To: pve-devel
Signed-off-by: Filip Schauer <f.schauer@proxmox.com>
---
PVE/QemuServer.pm | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/PVE/QemuServer.pm b/PVE/QemuServer.pm
index 70518924..6c842924 100644
--- a/PVE/QemuServer.pm
+++ b/PVE/QemuServer.pm
@@ -6378,12 +6378,14 @@ sub check_bridge_access {
sub check_mapping_access {
my ($rpcenv, $user, $conf) = @_;
+ return 1 if $user eq 'root@pam';
+
for my $opt (keys $conf->%*) {
if ($opt =~ m/^usb\d+$/) {
my $device = PVE::JSONSchema::parse_property_string('pve-qm-usb', $conf->{$opt});
if (my $host = $device->{host}) {
die "only root can set '$opt' config for real devices\n"
- if $host !~ m/^spice$/i && $user ne 'root@pam';
+ if $host !~ m/^spice$/i;
} elsif ($device->{mapping}) {
$rpcenv->check_full($user, "/mapping/usb/$device->{mapping}", ['Mapping.Use']);
} else {
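Review bot: the early `return 1 if $user eq 'root@pam';` is more than a refactor: previously root still went through `parse_property_string` for every usb and hostpci option and hit the `die "either 'host' or 'mapping' must be set.\n"` branch behind the `} else {` at the end of this hunk (and the following one) for a device with neither key; now those validations are skipped for root. Probably acceptable because the API schema validates the property strings anyway, but the commit message is empty and should state this intentional behaviour change instead of labelling the patch a pure refactor.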
@@ -6392,7 +6394,7 @@ sub check_mapping_access {
} elsif ($opt =~ m/^hostpci\d+$/) {
my $device = PVE::JSONSchema::parse_property_string('pve-qm-hostpci', $conf->{$opt});
if ($device->{host}) {
- die "only root can set '$opt' config for non-mapped devices\n" if $user ne 'root@pam';
+ die "only root can set '$opt' config for non-mapped devices\n";
} elsif ($device->{mapping}) {
$rpcenv->check_full($user, "/mapping/pci/$device->{mapping}", ['Mapping.Use']);
} else {
--
2.39.5
* [pve-devel] [PATCH qemu-server v4 5/9] allow non-root users to set /dev/u?random as an RNG source
From: Filip Schauer @ 2025-02-18 11:10 UTC (permalink / raw)
To: pve-devel
Allow non-root users with the VM.Config.HWType privilege to configure
/dev/urandom & /dev/random as an entropy source for a VirtIO RNG device.
/dev/hwrng remains restricted to the root user.
Signed-off-by: Filip Schauer <f.schauer@proxmox.com>
---
PVE/API2/Qemu.pm | 29 +++++++++++++++++++++++++++++
PVE/QemuServer.pm | 10 ++++++++--
2 files changed, 37 insertions(+), 2 deletions(-)
diff --git a/PVE/API2/Qemu.pm b/PVE/API2/Qemu.pm
index 295260e7..2e99bf05 100644
--- a/PVE/API2/Qemu.pm
+++ b/PVE/API2/Qemu.pm
@@ -38,6 +38,7 @@ use PVE::QemuServer::Memory qw(get_current_memory);
use PVE::QemuServer::MetaInfo;
use PVE::QemuServer::PCI;
use PVE::QemuServer::QMPHelpers;
+use PVE::QemuServer::RNG;
use PVE::QemuServer::USB;
use PVE::QemuMigrate;
use PVE::RPCEnvironment;
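Review bot: `use PVE::QemuServer::RNG;` imports no symbols and is needed only so that the module's `register_format('pve-qm-rng', ...)` has run before `parse_property_string('pve-qm-rng', ...)` is called further down; a trailing comment saying so stops a later cleanup from removing the apparently unused import.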
@@ -673,6 +674,7 @@ my $hwtypeoptions = {
'vga' => 1,
'watchdog' => 1,
'audio0' => 1,
+ 'rng0' => 1,
};
my $generaloptions = {
@@ -801,6 +803,21 @@ my sub check_vm_create_hostpci_perm {
return 1;
};
+my sub check_rng_perm {
+ my ($rpcenv, $authuser, $vmid, $pool, $opt, $value) = @_;
+
+ return 1 if $authuser eq 'root@pam';
+
+ $rpcenv->check_vm_perm($authuser, $vmid, $pool, ['VM.Config.HWType']);
+
+ my $device = PVE::JSONSchema::parse_property_string('pve-qm-rng', $value);
+ if ($device->{source} && $device->{source} eq '/dev/hwrng') {
+ die "only root can set '$opt' config for a non-mapped Hardware RNG device\n";
+ }
+
+ return 1;
+}
+
my $check_vm_modify_config_perm = sub {
my ($rpcenv, $authuser, $vmid, $pool, $key_list) = @_;
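Review bot: in `check_rng_perm` the guard `$device->{source} &&` is redundant: `source` is the non-optional `default_key` of the `pve-qm-rng` format, so `parse_property_string` dies rather than returning a hash without it, and `if ($device->{source} eq '/dev/hwrng')` suffices. The message "only root can set '$opt' config for a non-mapped Hardware RNG device" also still speaks of mappings although v4 dropped the hardware RNG mapping per the cover letter (6/9 replaces the line anyway); "only root can set '$opt' config with source '/dev/hwrng'" would be accurate at this point in the series.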
@@ -1114,6 +1131,8 @@ __PACKAGE__->register_method({
&$check_vm_create_serial_perm($rpcenv, $authuser, $vmid, $pool, $param);
check_vm_create_usb_perm($rpcenv, $authuser, $vmid, $pool, $param);
check_vm_create_hostpci_perm($rpcenv, $authuser, $vmid, $pool, $param);
+ check_rng_perm($rpcenv, $authuser, $vmid, $pool, 'rng0', $param->{rng0})
+ if $param->{rng0};
PVE::QemuServer::check_bridge_access($rpcenv, $authuser, $param);
&$check_cpu_model_access($rpcenv, $authuser, $param);
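Review bot: the create path checks only `$param->{rng0}`, while the update and delete paths below match `m/^rng\d+$/`; with `rng0` the only key in `$confdesc` this is equivalent today, but using one spelling in all three places (or a shared `my $rng_re`) avoids a silent gap if an `rng1` is ever added.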
@@ -2005,6 +2024,10 @@ my $update_vm_api = sub {
check_hostpci_perm($rpcenv, $authuser, $vmid, undef, $opt, $val);
PVE::QemuConfig->add_to_pending_delete($conf, $opt, $force);
PVE::QemuConfig->write_config($vmid, $conf);
+ } elsif ($opt =~ m/^rng\d+$/) {
+ check_rng_perm($rpcenv, $authuser, $vmid, undef, $opt, $val);
+ PVE::QemuConfig->add_to_pending_delete($conf, $opt, $force);
+ PVE::QemuConfig->write_config($vmid, $conf);
} elsif ($opt eq 'tags') {
assert_tag_permissions($vmid, $val, '', $rpcenv, $authuser);
delete $conf->{$opt};
@@ -2095,6 +2118,12 @@ my $update_vm_api = sub {
}
check_hostpci_perm($rpcenv, $authuser, $vmid, undef, $opt, $param->{$opt});
$conf->{pending}->{$opt} = $param->{$opt};
+ } elsif ($opt =~ m/^rng\d+$/) {
+ if (my $oldvalue = $conf->{$opt}) {
+ check_rng_perm($rpcenv, $authuser, $vmid, undef, $opt, $oldvalue);
+ }
+ check_rng_perm($rpcenv, $authuser, $vmid, undef, $opt, $param->{$opt});
+ $conf->{pending}->{$opt} = $param->{$opt};
} elsif ($opt eq 'tags') {
assert_tag_permissions($vmid, $conf->{$opt}, $param->{$opt}, $rpcenv, $authuser);
$conf->{pending}->{$opt} = PVE::GuestHelpers::get_unique_tags($param->{$opt});
diff --git a/PVE/QemuServer.pm b/PVE/QemuServer.pm
index 6c842924..007ff2fc 100644
--- a/PVE/QemuServer.pm
+++ b/PVE/QemuServer.pm
@@ -6400,8 +6400,14 @@ sub check_mapping_access {
} else {
die "either 'host' or 'mapping' must be set.\n";
}
- }
- }
+ } elsif ($opt =~ m/^rng\d+$/) {
+ my $device = PVE::JSONSchema::parse_property_string('pve-qm-rng', $conf->{$opt});
+
+ if ($device->{source} && $device->{source} eq '/dev/hwrng') {
+ die "only root can set '$opt' config for a non-mapped Hardware RNG device\n";
+ }
+ }
+ }
};
sub check_restore_permissions {
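Review bot: the new `rng\d+` branch repeats the `/dev/hwrng` rule from `check_rng_perm` in PVE/API2/Qemu.pm; `check_mapping_access` is the restore/clone counterpart, so some duplication is expected, but a shared helper in PVE::QemuServer::RNG taking `$rpcenv`, `$user` and the parsed device would keep the two from drifting, as 6/9 already has to touch both copies.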
--
2.39.5
* [pve-devel] [PATCH qemu-server v4 6/9] allow non-root users to set /dev/hwrng as an RNG source
From: Filip Schauer @ 2025-02-18 11:10 UTC (permalink / raw)
To: pve-devel
Allow users with the Mapping.Use privilege on the /mapping/hwrng path to
configure /dev/hwrng as an entropy source for VirtIO RNG devices.
Signed-off-by: Filip Schauer <f.schauer@proxmox.com>
---
PVE/API2/Qemu.pm | 2 +-
PVE/QemuServer.pm | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/PVE/API2/Qemu.pm b/PVE/API2/Qemu.pm
index 2e99bf05..4d6a738d 100644
--- a/PVE/API2/Qemu.pm
+++ b/PVE/API2/Qemu.pm
@@ -812,7 +812,7 @@ my sub check_rng_perm {
my $device = PVE::JSONSchema::parse_property_string('pve-qm-rng', $value);
if ($device->{source} && $device->{source} eq '/dev/hwrng') {
- die "only root can set '$opt' config for a non-mapped Hardware RNG device\n";
+ $rpcenv->check_full($authuser, "/mapping/hwrng", ['Mapping.Use']);
}
return 1;
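Review bot: the `check_vm_perm(... ['VM.Config.HWType'])` a few lines above this hunk (visible in 5/9) still runs unconditionally for non-root users, so `Mapping.Use` on `/mapping/hwrng` is required in addition to `VM.Config.HWType`, not instead of it; the commit message reads as if the mapping privilege alone suffices and should say "in addition to VM.Config.HWType".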
diff --git a/PVE/QemuServer.pm b/PVE/QemuServer.pm
index 007ff2fc..1d495fa8 100644
--- a/PVE/QemuServer.pm
+++ b/PVE/QemuServer.pm
@@ -6404,7 +6404,7 @@ sub check_mapping_access {
my $device = PVE::JSONSchema::parse_property_string('pve-qm-rng', $conf->{$opt});
if ($device->{source} && $device->{source} eq '/dev/hwrng') {
- die "only root can set '$opt' config for a non-mapped Hardware RNG device\n";
+ $rpcenv->check_full($user, "/mapping/hwrng", ['Mapping.Use']);
}
}
}
--
2.39.5
* [pve-devel] [PATCH manager v4 7/9] ui: remove warning about entropy starvation of /dev/random
From: Filip Schauer @ 2025-02-18 11:11 UTC (permalink / raw)
To: pve-devel
Remove the warning about entropy-starvation when using /dev/random as
the entropy source. This concern no longer applies since the removal of
the blocking entropy pool in kernel version 5.6. [1] [2]
[1] https://git.kernel.org/torvalds/c/acd77500aa8a337baa6d853568c4b55aca48e20f
[2] https://lwn.net/Articles/808575/
Signed-off-by: Filip Schauer <f.schauer@proxmox.com>
---
www/manager6/qemu/RNGEdit.js | 13 -------------
1 file changed, 13 deletions(-)
diff --git a/www/manager6/qemu/RNGEdit.js b/www/manager6/qemu/RNGEdit.js
index e34e2c08..097e08c3 100644
--- a/www/manager6/qemu/RNGEdit.js
+++ b/www/manager6/qemu/RNGEdit.js
@@ -35,12 +35,6 @@ Ext.define('PVE.qemu.RNGInputPanel', {
limitWarning.setHidden(!!newVal);
},
},
- '#source': {
- change: function(el, newVal) {
- let limitWarning = this.lookupReference('sourceWarning');
- limitWarning.setHidden(newVal !== '/dev/random');
- },
- },
},
},
@@ -77,13 +71,6 @@ Ext.define('PVE.qemu.RNGInputPanel', {
labelWidth: 130,
emptyText: '1000',
},
- {
- xtype: 'displayfield',
- reference: 'sourceWarning',
- value: gettext('Using /dev/random as entropy source is discouraged, as it can lead to host entropy starvation. /dev/urandom is preferred, and does not lead to a decrease in security in practice.'),
- userCls: 'pmx-hint',
- hidden: true,
- },
{
xtype: 'displayfield',
reference: 'limitWarning',
--
2.39.5
* [pve-devel] [PATCH manager v4 8/9] ui: permissions: add ACL path for hardware RNG
From: Filip Schauer @ 2025-02-18 11:11 UTC (permalink / raw)
To: pve-devel
Signed-off-by: Filip Schauer <f.schauer@proxmox.com>
---
www/manager6/data/PermPathStore.js | 1 +
1 file changed, 1 insertion(+)
diff --git a/www/manager6/data/PermPathStore.js b/www/manager6/data/PermPathStore.js
index 8785a1d7..8212b17d 100644
--- a/www/manager6/data/PermPathStore.js
+++ b/www/manager6/data/PermPathStore.js
@@ -10,6 +10,7 @@ Ext.define('PVE.data.PermPathStore', {
{ 'value': '/access/realm' },
{ 'value': '/mapping' },
{ 'value': '/mapping/notifications' },
+ { 'value': '/mapping/hwrng' },
{ 'value': '/mapping/pci' },
{ 'value': '/mapping/usb' },
{ 'value': '/nodes' },
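Review bot: `'/mapping/hwrng'` is inserted after `'/mapping/notifications'`, breaking the alphabetical order the surrounding entries follow (`/mapping`, `/mapping/notifications`, `/mapping/pci`, `/mapping/usb`); move it up one line so it sits between `'/mapping'` and `'/mapping/notifications'`.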
--
2.39.5
* [pve-devel] [PATCH manager v4 9/9] ui: let non-root users configure VirtIO RNG devices
From: Filip Schauer @ 2025-02-18 11:11 UTC (permalink / raw)
To: pve-devel
Allow non-root users with the VM.Config.HWType privilege to configure
/dev/urandom & /dev/random as an entropy source for a VirtIO RNG device.
Users with the Mapping.Use privilege on the /mapping/hwrng ACL path may
also configure /dev/hwrng as an entropy source.
Signed-off-by: Filip Schauer <f.schauer@proxmox.com>
---
www/manager6/qemu/HardwareView.js | 9 ++++-----
1 file changed, 4 insertions(+), 5 deletions(-)
diff --git a/www/manager6/qemu/HardwareView.js b/www/manager6/qemu/HardwareView.js
index c6d193fc..af6df8cd 100644
--- a/www/manager6/qemu/HardwareView.js
+++ b/www/manager6/qemu/HardwareView.js
@@ -315,8 +315,8 @@ Ext.define('PVE.qemu.HardwareView', {
rows.rng0 = {
group: 45,
tdCls: 'pve-itype-icon-die',
- editor: caps.nodes['Sys.Console'] ? 'PVE.qemu.RNGEdit' : undefined,
- never_delete: !caps.nodes['Sys.Console'],
+ editor: caps.vms['VM.Config.HWType'] || caps.mapping.hwrng['Mapping.Use'] ? 'PVE.qemu.RNGEdit' : undefined,
+ never_delete: !caps.vms['VM.Config.HWType'] && !caps.mapping.hwrng['Mapping.Use'],
header: gettext("VirtIO RNG"),
};
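Review bot: `caps.vms['VM.Config.HWType'] || caps.mapping.hwrng['Mapping.Use']` does not match the backend introduced in 5/9 and 6/9, where `check_rng_perm` always requires `VM.Config.HWType` and asks for `Mapping.Use` on `/mapping/hwrng` only additionally when the source is `/dev/hwrng`; a user with only the mapping privilege gets an editor here and then a permission error from the API, so `caps.vms['VM.Config.HWType']` alone is the right heuristic for `editor` and `never_delete`. Separately, the `@@ -588` hunk reads `caps.mapping['Mapping.Use']` directly, so please confirm that `caps.mapping.hwrng` is really an object in the capability structure; if it can be undefined, this line throws a TypeError and the whole hardware view fails to render.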
@@ -588,7 +588,6 @@ Ext.define('PVE.qemu.HardwareView', {
});
// heuristic only for disabling some stuff, the backend has the final word.
- const noSysConsolePerm = !caps.nodes['Sys.Console'];
const noHWPerm = !caps.nodes['Sys.Console'] && !caps.mapping['Mapping.Use'];
const noVMConfigHWTypePerm = !caps.vms['VM.Config.HWType'];
const noVMConfigNetPerm = !caps.vms['VM.Config.Network'];
@@ -601,7 +600,7 @@ Ext.define('PVE.qemu.HardwareView', {
me.down('#addAudio').setDisabled(noVMConfigHWTypePerm || isAtLimit('audio'));
me.down('#addSerial').setDisabled(noVMConfigHWTypePerm || isAtLimit('serial'));
me.down('#addNet').setDisabled(noVMConfigNetPerm || isAtLimit('net'));
- me.down('#addRng').setDisabled(noSysConsolePerm || isAtLimit('rng'));
+ me.down('#addRng').setDisabled(noVMConfigHWTypePerm || isAtLimit('rng'));
efidisk_menuitem.setDisabled(noVMConfigDiskPerm || isAtLimit('efidisk'));
me.down('#addTpmState').setDisabled(noVMConfigDiskPerm || isAtLimit('tpmstate'));
me.down('#addCloudinitDrive').setDisabled(noVMConfigCDROMPerm || noVMConfigCloudinitPerm || hasCloudInit);
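Review bot: the condition used for `#addRng` here (`noVMConfigHWTypePerm || isAtLimit('rng')`) does not match the initial `disabled:` value this patch gives the same `addRng` menu item further down, which also clears when `caps.mapping.hwrng['Mapping.Use']` is set; since this `setDisabled` call runs after the menu is built, a user with only Mapping.Use would see the item enabled at first and then disabled. Use one condition in both places, ideally computed once into a shared local next to the other `no*Perm` heuristics above.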
@@ -745,7 +744,7 @@ Ext.define('PVE.qemu.HardwareView', {
text: gettext("VirtIO RNG"),
itemId: 'addRng',
iconCls: 'pve-itype-icon-die',
- disabled: !caps.nodes['Sys.Console'],
+ disabled: !caps.vms['VM.Config.HWType'] && !caps.mapping.hwrng['Mapping.Use'],
handler: editorFactory('RNGEdit'),
},
],
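Review bot: `caps.mapping.hwrng['Mapping.Use']` on the `+` line dereferences `caps.mapping.hwrng` without a guard, while the existing `noHWPerm` line earlier in this file reads `caps.mapping['Mapping.Use']` directly off `caps.mapping`; if `caps.mapping` is not keyed by ACL path for a user who has no `/mapping/hwrng` entry, this throws a TypeError while the menu is built and takes the whole hardware view down with it. Either confirm that `caps.mapping.hwrng` is always populated, or use optional chaining (`caps.mapping.hwrng?.['Mapping.Use']`) here and in the `rows.rng0` hunk.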
--
2.39.5
_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
* [pve-devel] applied-series: [PATCH manager/qemu-server v4 0/9] fix #5657: allow configuring RNG device as non-root user
From: Fabian Grünbichler @ 2025-04-04 9:21 UTC (permalink / raw)
To: Filip Schauer, pve-devel
with a small follow-up in pve-manager to correctly sort the ACL paths in the selector
thanks!
Quoting Filip Schauer (2025-02-18 12:10:53)
> Allow users with the VM.Config.HWType privilege to configure VirtIO RNG
> devices on VMs with either /dev/urandom or /dev/random as the entropy
> source. Users with the Mapping.Use privilege on the /mapping/hwrng ACL
> path may also configure /dev/hwrng as an entropy source.
>
> Changes since v3:
> * Remove hardware RNG resource mapping and introduce /mapping/hwrng ACL
> path instead
> * Split some changes into separate commits
>
> Changes since v2:
> * Restrict RNG device format to enum of
> * Add descriptive commit message
> * Code style fixes
> * Remove outdated remarks about entropy starvation of /dev/random
> * Split helpers for VirtIO RNG command line arguments into its own
> commit
> * Add explicit "use PVE::QemuServer::RNG;" statement to PVE/API2/Qemu.pm
> * Fix "map: type check ('array') failed" error when adding a mapping in
> the UI
> * ui: split resource mapping types into tabbed views
>
> Changes since v1:
> * Restrict use of /dev/hwrng to the root user
> * introduce hardware RNG mapping
>
> qemu-server:
>
> Filip Schauer (6):
> remove outdated /dev/random entropy-starvation warnings
> refactor: move rng related code into its own module
> add helpers for VirtIO RNG command line arguments
> refactor: check_mapping_access: move root user check to the top
> allow non-root users to set /dev/u?random as an RNG source
> allow non-root users to set /dev/hwrng as an RNG source
>
> PVE/API2/Qemu.pm | 29 ++++++++++
> PVE/QemuServer.pm | 95 +++++++-------------------------
> PVE/QemuServer/Makefile | 1 +
> PVE/QemuServer/RNG.pm | 116 ++++++++++++++++++++++++++++++++++++++++
> 4 files changed, 164 insertions(+), 77 deletions(-)
> create mode 100644 PVE/QemuServer/RNG.pm
>
>
> pve-manager:
>
> Filip Schauer (3):
> ui: remove warning about entropy starvation of /dev/random
> ui: permissions: add ACL path for hardware RNG
> ui: let non-root users configure VirtIO RNG devices
>
> www/manager6/data/PermPathStore.js | 1 +
> www/manager6/qemu/HardwareView.js | 9 ++++-----
> www/manager6/qemu/RNGEdit.js | 13 -------------
> 3 files changed, 5 insertions(+), 18 deletions(-)
>
>
> Summary over all repositories:
> 7 files changed, 169 insertions(+), 95 deletions(-)
>
> --
> Generated by git-murpp 0.6.0